From 14509ce60103dab695cef4d4f31321bab27ab967 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 8 Apr 2024 18:41:28 +0200
Subject: Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann --- CHANGES | 138 + ChangeLog | 138 + Makefile.in | 2 - NEWS | 138 + aclocal.m4 | 2 - bin/Makefile.in | 2 - bin/check/Makefile.in | 2 - bin/confgen/Makefile.in | 2 - bin/delv/Makefile.in | 2 - bin/dig/Makefile.in | 2 - bin/dig/dighost.c | 2 + bin/dnssec/Makefile.in | 2 - bin/dnssec/dnssec-signzone.c | 2 +- bin/named/Makefile.in | 2 - bin/named/config.c | 4 +- bin/named/os.c | 21 +- bin/named/server.c | 40 +- bin/nsupdate/Makefile.in | 2 - bin/nsupdate/nsupdate.c | 28 +- bin/plugins/Makefile.in | 2 - bin/rndc/Makefile.in | 2 - bin/rndc/rndc.rst | 4 +- bin/tests/Makefile.in | 2 - bin/tests/system/Makefile.am | 125 +- bin/tests/system/Makefile.in | 724 ++-- bin/tests/system/README | 35 +- bin/tests/system/_common/controls.conf.in | 22 + bin/tests/system/_common/rndc.conf | 21 + bin/tests/system/_common/rndc.key | 15 + bin/tests/system/_common/root.hint | 14 + bin/tests/system/acl/ns2/named1.conf.in | 2 +- bin/tests/system/acl/ns2/named2.conf.in | 2 +- bin/tests/system/acl/ns2/named3.conf.in | 2 +- bin/tests/system/acl/ns2/named4.conf.in | 2 +- bin/tests/system/acl/ns2/named5.conf.in | 2 +- bin/tests/system/acl/tests.sh | 159 +- bin/tests/system/additional/ns1/named1.conf.in | 2 +- bin/tests/system/additional/ns1/named2.conf.in | 2 +- bin/tests/system/additional/ns1/named3.conf.in | 2 +- bin/tests/system/additional/ns1/named4.conf.in | 2 +- bin/tests/system/additional/tests.sh | 518 +-- bin/tests/system/addzone/ns1/named.conf.in | 2 +- bin/tests/system/addzone/ns2/named1.conf.in | 4 +- bin/tests/system/addzone/ns2/named2.conf.in | 6 +- bin/tests/system/addzone/ns2/named3.conf.in | 8 +- bin/tests/system/addzone/ns3/named1.conf.in | 2 +- bin/tests/system/addzone/ns3/named2.conf.in | 2 +- bin/tests/system/addzone/tests.sh | 521 +-- bin/tests/system/addzone/tests_rndc_deadlock.py | 2 +- bin/tests/system/allow-query/ns2/named01.conf.in | 2 +- bin/tests/system/allow-query/ns2/named02.conf.in | 2 +- 
bin/tests/system/allow-query/ns2/named03.conf.in | 2 +- bin/tests/system/allow-query/ns2/named04.conf.in | 2 +- bin/tests/system/allow-query/ns2/named05.conf.in | 2 +- bin/tests/system/allow-query/ns2/named06.conf.in | 2 +- bin/tests/system/allow-query/ns2/named07.conf.in | 2 +- bin/tests/system/allow-query/ns2/named08.conf.in | 2 +- bin/tests/system/allow-query/ns2/named09.conf.in | 2 +- bin/tests/system/allow-query/ns2/named10.conf.in | 2 +- bin/tests/system/allow-query/ns2/named11.conf.in | 2 +- bin/tests/system/allow-query/ns2/named12.conf.in | 2 +- bin/tests/system/allow-query/ns2/named21.conf.in | 2 +- bin/tests/system/allow-query/ns2/named22.conf.in | 2 +- bin/tests/system/allow-query/ns2/named23.conf.in | 2 +- bin/tests/system/allow-query/ns2/named24.conf.in | 2 +- bin/tests/system/allow-query/ns2/named25.conf.in | 2 +- bin/tests/system/allow-query/ns2/named26.conf.in | 2 +- bin/tests/system/allow-query/ns2/named27.conf.in | 2 +- bin/tests/system/allow-query/ns2/named28.conf.in | 2 +- bin/tests/system/allow-query/ns2/named29.conf.in | 2 +- bin/tests/system/allow-query/ns2/named30.conf.in | 2 +- bin/tests/system/allow-query/ns2/named31.conf.in | 2 +- bin/tests/system/allow-query/ns2/named32.conf.in | 2 +- bin/tests/system/allow-query/ns2/named33.conf.in | 2 +- bin/tests/system/allow-query/ns2/named34.conf.in | 2 +- bin/tests/system/allow-query/ns2/named40.conf.in | 2 +- bin/tests/system/allow-query/ns2/named53.conf.in | 2 +- bin/tests/system/allow-query/ns2/named54.conf.in | 2 +- bin/tests/system/allow-query/ns2/named55.conf.in | 2 +- bin/tests/system/allow-query/ns2/named56.conf.in | 2 +- bin/tests/system/allow-query/ns2/named57.conf.in | 2 +- bin/tests/system/allow-query/ns3/named1.conf.in | 2 +- bin/tests/system/allow-query/ns3/named2.conf.in | 2 +- bin/tests/system/allow-query/ns3/named3.conf.in | 2 +- bin/tests/system/allow-query/ns3/named4.conf.in | 2 +- bin/tests/system/allow-query/setup.sh | 8 +- bin/tests/system/allow-query/tests.sh | 419 +- 
.../system/allow-query/tests_sh_allow_query.py | 14 + .../system/allow-query/tests_sh_allowquery.py | 14 - bin/tests/system/auth/tests.sh | 142 +- bin/tests/system/autosign/ns1/keygen.sh | 26 +- bin/tests/system/autosign/ns2/keygen.sh | 36 +- bin/tests/system/autosign/ns2/named.conf.in | 2 +- bin/tests/system/autosign/ns3/keygen.sh | 302 +- bin/tests/system/autosign/ns3/named.conf.in | 11 +- .../autosign/ns3/nsec3-to-nsec3.example.db.in | 26 + bin/tests/system/autosign/ns4/named.conf.in | 2 +- bin/tests/system/autosign/ns5/named.conf.in | 2 +- bin/tests/system/autosign/tests.sh | 1137 +++--- bin/tests/system/builtin/ns1/named.conf.in | 2 +- bin/tests/system/builtin/ns2/named.conf.in | 2 +- bin/tests/system/builtin/ns3/named.conf.in | 2 +- bin/tests/system/builtin/tests.sh | 147 +- bin/tests/system/cacheclean/ns2/named.conf.in | 2 +- bin/tests/system/cacheclean/tests.sh | 110 +- bin/tests/system/case/tests.sh | 58 +- bin/tests/system/catz/ns1/named.conf.in | 2 +- bin/tests/system/catz/ns2/named1.conf.in | 2 +- bin/tests/system/catz/ns2/named2.conf.in | 2 +- bin/tests/system/catz/ns3/named.conf.in | 2 +- bin/tests/system/catz/ns4/named.conf.in | 2 +- bin/tests/system/catz/tests.sh | 1855 +++++---- bin/tests/system/cds/setup.sh | 48 +- bin/tests/system/cds/tests.sh | 66 +- bin/tests/system/chain/ans3/ans.pl | 16 +- bin/tests/system/chain/ns2/sign.sh | 10 +- bin/tests/system/chain/ns5/named.conf.in | 2 +- bin/tests/system/chain/prereq.sh | 31 + bin/tests/system/chain/tests.sh | 258 +- bin/tests/system/checkconf/deprecated.conf | 3 + bin/tests/system/checkconf/tests.sh | 671 +-- bin/tests/system/checkds/ns1/setup.sh | 12 +- bin/tests/system/checkds/ns2/named.conf.in | 2 +- bin/tests/system/checkds/ns2/setup.sh | 21 +- bin/tests/system/checkds/ns3/named.conf.in | 2 +- bin/tests/system/checkds/ns5/named.conf.in | 2 +- bin/tests/system/checkds/ns5/setup.sh | 8 +- bin/tests/system/checkds/ns6/named.conf.in | 2 +- bin/tests/system/checkds/ns7/named.conf.in | 2 +- 
bin/tests/system/checkds/ns9/named.conf.in | 2 +- bin/tests/system/checkds/ns9/setup.sh | 52 +- bin/tests/system/checkds/setup.sh | 16 +- bin/tests/system/checknames/tests.sh | 94 +- bin/tests/system/checkzone/setup.sh | 2 +- bin/tests/system/checkzone/tests.sh | 178 +- bin/tests/system/ckdnsrps.sh | 123 +- bin/tests/system/cleanall.sh | 17 +- bin/tests/system/common/controls.conf.in | 22 - bin/tests/system/common/rndc.conf | 21 - bin/tests/system/common/rndc.key | 15 - bin/tests/system/common/root.hint | 14 - bin/tests/system/conf.sh.common | 14 +- bin/tests/system/conf.sh.in | 18 +- bin/tests/system/conftest.py | 1189 +++--- bin/tests/system/convert-junit-to-trs.py | 70 + bin/tests/system/cookie/prereq.sh | 21 + bin/tests/system/cookie/tests.sh | 417 +- bin/tests/system/custom-test-driver | 111 +- bin/tests/system/database/tests.sh | 21 +- bin/tests/system/dialup/tests.sh | 42 +- bin/tests/system/digdelv/ns2/named.conf.in | 2 +- bin/tests/system/digdelv/ns2/sign.sh | 10 +- bin/tests/system/digdelv/ns3/named.conf.in | 2 +- bin/tests/system/digdelv/prereq.sh | 26 + bin/tests/system/digdelv/tests.sh | 1278 +++--- bin/tests/system/dispatch/ns2/named.conf.in | 2 +- bin/tests/system/dlzexternal/driver/Makefile.in | 2 - bin/tests/system/dlzexternal/prereq.sh | 4 +- bin/tests/system/dlzexternal/setup.sh | 2 +- bin/tests/system/dlzexternal/tests.sh | 144 +- bin/tests/system/dns64/ns1/named.conf1.in | 2 +- bin/tests/system/dns64/ns1/named.conf2.in | 2 +- bin/tests/system/dns64/ns1/named.conf3.in | 2 +- bin/tests/system/dns64/ns1/sign.sh | 4 +- bin/tests/system/dns64/ns2/named.conf.in | 2 +- bin/tests/system/dns64/tests.sh | 972 +++-- bin/tests/system/dnssec/ns1/sign.sh | 20 +- bin/tests/system/dnssec/ns2/named.conf.in | 2 +- bin/tests/system/dnssec/ns2/sign.sh | 144 +- bin/tests/system/dnssec/ns3/named.conf.in | 2 +- bin/tests/system/dnssec/ns3/secure.example.db.in | 5 + bin/tests/system/dnssec/ns3/sign.sh | 325 +- bin/tests/system/dnssec/ns4/named1.conf.in | 2 +- 
bin/tests/system/dnssec/ns4/named2.conf.in | 2 +- bin/tests/system/dnssec/ns4/named3.conf.in | 2 +- bin/tests/system/dnssec/ns4/named4.conf.in | 2 +- bin/tests/system/dnssec/ns5/named1.conf.in | 2 +- bin/tests/system/dnssec/ns5/sign.sh | 12 +- bin/tests/system/dnssec/ns6/named.conf.in | 2 +- bin/tests/system/dnssec/ns6/sign.sh | 4 +- bin/tests/system/dnssec/ns7/named.conf.in | 2 +- bin/tests/system/dnssec/ns7/sign.sh | 6 +- bin/tests/system/dnssec/ns8/named.conf.in | 2 +- bin/tests/system/dnssec/prereq.sh | 26 + bin/tests/system/dnssec/setup.sh | 22 +- bin/tests/system/dnssec/tests.sh | 4306 ++++++++++---------- bin/tests/system/dnstap/ns2/named.conf.in | 2 +- bin/tests/system/dnstap/ns3/named.conf.in | 2 +- bin/tests/system/dnstap/ns4/named.conf.in | 2 +- bin/tests/system/dnstap/prereq.sh | 4 +- bin/tests/system/dnstap/tests.sh | 869 ++-- bin/tests/system/dnstap/tests_dnstap.py | 2 +- bin/tests/system/doth/ns1/named.conf.in | 27 +- bin/tests/system/doth/ns2/named.conf.in | 4 +- bin/tests/system/doth/ns3/named.conf.in | 4 +- bin/tests/system/doth/ns4/named.conf.in | 4 +- bin/tests/system/doth/ns5/named.conf.in | 83 + bin/tests/system/doth/prereq.sh | 4 +- bin/tests/system/doth/setup.sh | 15 +- bin/tests/system/doth/stress_http_quota.py | 4 +- bin/tests/system/doth/tests.sh | 677 +-- bin/tests/system/dsdigest/ns1/sign.sh | 6 +- bin/tests/system/dsdigest/ns2/named.conf.in | 2 +- bin/tests/system/dsdigest/ns2/sign.sh | 13 +- bin/tests/system/dsdigest/ns3/named.conf.in | 2 +- bin/tests/system/dsdigest/ns4/named.conf.in | 2 +- bin/tests/system/dsdigest/tests.sh | 22 +- bin/tests/system/dupsigs/ns1/reset_keys.sh | 7 +- bin/tests/system/dupsigs/setup.sh | 5 +- bin/tests/system/dupsigs/tests.sh | 39 +- bin/tests/system/dyndb/driver/Makefile.in | 2 - bin/tests/system/dyndb/prereq.sh | 6 +- bin/tests/system/dyndb/tests.sh | 150 +- bin/tests/system/ecdsa/ns1/sign.sh | 34 +- bin/tests/system/ecdsa/ns2/named.conf.in | 2 +- bin/tests/system/ecdsa/ns3/named.conf.in | 2 +- 
bin/tests/system/ecdsa/setup.sh | 8 +- bin/tests/system/ecdsa/tests.sh | 42 +- bin/tests/system/eddsa/ns1/sign.sh | 34 +- bin/tests/system/eddsa/ns2/named.conf.in | 2 +- bin/tests/system/eddsa/ns2/sign.sh | 13 +- bin/tests/system/eddsa/ns3/named.conf.in | 2 +- bin/tests/system/eddsa/ns3/sign.sh | 13 +- bin/tests/system/eddsa/prereq.sh | 4 +- bin/tests/system/eddsa/setup.sh | 16 +- bin/tests/system/eddsa/tests.sh | 100 +- bin/tests/system/ednscompliance/tests.sh | 143 +- bin/tests/system/emptyzones/tests.sh | 10 +- bin/tests/system/enginepkcs11/prereq.sh | 2 +- bin/tests/system/enginepkcs11/setup.sh | 163 +- bin/tests/system/enginepkcs11/tests.sh | 233 +- bin/tests/system/fetchlimit/prereq.sh | 21 + bin/tests/system/fetchlimit/tests.sh | 189 +- bin/tests/system/filter-aaaa/ns1/sign.sh | 8 +- bin/tests/system/filter-aaaa/ns4/sign.sh | 6 +- bin/tests/system/filter-aaaa/tests.sh | 1015 +++-- bin/tests/system/formerr/tests.sh | 24 +- bin/tests/system/forward/ns1/sign.sh | 6 +- bin/tests/system/forward/prereq.sh | 26 + bin/tests/system/forward/setup.sh | 4 +- bin/tests/system/forward/tests.sh | 318 +- bin/tests/system/genzone.sh | 5 +- bin/tests/system/geoip2/prereq.sh | 4 +- bin/tests/system/geoip2/setup.sh | 4 +- bin/tests/system/geoip2/tests.sh | 219 +- bin/tests/system/get_core_dumps.sh | 66 +- bin/tests/system/get_ports.sh | 43 +- bin/tests/system/glue/tests.sh | 2 +- bin/tests/system/hooks/driver/Makefile.in | 2 - bin/tests/system/host/tests.sh | 66 +- bin/tests/system/idna/tests.sh | 498 ++- bin/tests/system/ifconfig.sh.in | 392 +- bin/tests/system/include-multiplecfg/setup.sh | 2 +- bin/tests/system/include-multiplecfg/tests.sh | 23 +- bin/tests/system/inline/clean.sh | 26 +- bin/tests/system/inline/ns1/sign.sh | 4 +- bin/tests/system/inline/ns2/named.conf.in | 2 +- bin/tests/system/inline/ns3/named.conf.in | 2 +- bin/tests/system/inline/ns3/sign.sh | 77 +- bin/tests/system/inline/ns5/named.conf.post | 2 +- bin/tests/system/inline/ns5/named.conf.pre | 2 +- 
bin/tests/system/inline/ns6/named.conf.in | 4 +- bin/tests/system/inline/ns7/named.conf.in | 2 +- bin/tests/system/inline/ns8/named.conf.in | 2 +- bin/tests/system/inline/ns8/sign.sh | 9 +- bin/tests/system/inline/setup.sh | 20 +- bin/tests/system/inline/tests.sh | 1100 ++--- bin/tests/system/integrity/ns1/named.conf.in | 2 +- bin/tests/system/integrity/tests.sh | 72 +- bin/tests/system/isctest/__init__.py | 13 + bin/tests/system/isctest/check.py | 34 + bin/tests/system/isctest/query.py | 35 + bin/tests/system/ixfr/prereq.sh | 21 + bin/tests/system/ixfr/setup.sh | 32 +- bin/tests/system/ixfr/tests.sh | 185 +- bin/tests/system/journal/setup.sh | 2 +- bin/tests/system/journal/tests.sh | 106 +- bin/tests/system/kasp.sh | 1807 ++++---- bin/tests/system/kasp/clean.sh | 1 + bin/tests/system/kasp/ns3/named-fips.conf.in | 21 + bin/tests/system/kasp/ns3/setup.sh | 774 ++-- bin/tests/system/kasp/ns4/setup.sh | 13 +- bin/tests/system/kasp/ns5/setup.sh | 13 +- bin/tests/system/kasp/ns6/setup.sh | 375 +- bin/tests/system/kasp/setup.sh | 44 +- bin/tests/system/kasp/tests.sh | 2487 +++++------ bin/tests/system/keepalive/ns2/named.conf.in | 2 +- bin/tests/system/keepalive/ns3/named.conf.in | 2 +- bin/tests/system/keepalive/tests.sh | 40 +- bin/tests/system/keyfromlabel/prereq.sh | 2 +- bin/tests/system/keyfromlabel/setup.sh | 2 +- bin/tests/system/keyfromlabel/tests.sh | 118 +- bin/tests/system/keymgr2kasp/clean.sh | 1 - bin/tests/system/keymgr2kasp/ns3/setup.sh | 112 +- bin/tests/system/keymgr2kasp/ns4/setup.sh | 10 +- bin/tests/system/keymgr2kasp/setup.sh | 8 +- bin/tests/system/keymgr2kasp/tests.sh | 605 ++- bin/tests/system/legacy.run.sh.in | 309 +- bin/tests/system/legacy/ns6/sign.sh | 6 +- bin/tests/system/legacy/ns7/sign.sh | 8 +- bin/tests/system/legacy/tests.sh | 188 +- bin/tests/system/limits/tests.sh | 20 +- bin/tests/system/logfileconfig/named1.args | 2 +- bin/tests/system/logfileconfig/named2.args | 2 +- bin/tests/system/logfileconfig/tests.sh | 242 +- 
bin/tests/system/masterfile/ns2/named.conf.in | 2 +- bin/tests/system/masterfile/tests.sh | 10 +- bin/tests/system/masterformat/ns1/compile.sh | 22 +- bin/tests/system/masterformat/setup.sh | 2 +- bin/tests/system/masterformat/tests.sh | 235 +- bin/tests/system/metadata/setup.sh | 25 +- bin/tests/system/metadata/tests.sh | 80 +- bin/tests/system/mirror/ns1/sign.sh | 14 +- bin/tests/system/mirror/ns2/sign.sh | 70 +- bin/tests/system/mirror/ns3/named.conf.in | 2 +- bin/tests/system/mirror/setup.sh | 6 +- bin/tests/system/mirror/tests.sh | 388 +- bin/tests/system/mkeys/ns1/sign.sh | 24 +- bin/tests/system/mkeys/ns2/named.conf.in | 2 +- bin/tests/system/mkeys/ns3/named.conf.in | 2 +- bin/tests/system/mkeys/ns4/named.conf.in | 2 +- bin/tests/system/mkeys/ns4/sign.sh | 4 +- bin/tests/system/mkeys/ns5/named.conf.in | 2 +- bin/tests/system/mkeys/ns6/named.conf.in | 2 +- bin/tests/system/mkeys/ns6/setup.sh | 2 +- bin/tests/system/mkeys/ns7/named.conf.in | 4 +- bin/tests/system/mkeys/setup.sh | 10 +- bin/tests/system/mkeys/tests.sh | 515 +-- bin/tests/system/names/tests.sh | 25 +- bin/tests/system/notify/ns2/named.conf.in | 2 +- bin/tests/system/notify/ns3/named.conf.in | 2 +- bin/tests/system/notify/ns4/named.conf.in | 2 +- bin/tests/system/notify/tests.sh | 121 +- bin/tests/system/nsec3/ns3/setup.sh | 64 +- bin/tests/system/nsec3/setup.sh | 8 +- bin/tests/system/nsec3/tests.sh | 436 +- bin/tests/system/nslookup/tests.sh | 92 +- bin/tests/system/nsupdate/krb/setup.sh | 5 +- bin/tests/system/nsupdate/ns3/sign.sh | 6 +- bin/tests/system/nsupdate/prereq.sh | 21 + bin/tests/system/nsupdate/setup.sh | 53 +- bin/tests/system/nsupdate/tests.sh | 1906 +++++---- bin/tests/system/nzd2nzf/prereq.sh | 4 +- bin/tests/system/nzd2nzf/tests.sh | 44 +- bin/tests/system/padding/ns2/named.conf.in | 2 +- bin/tests/system/padding/ns3/named.conf.in | 2 +- bin/tests/system/padding/ns4/named.conf.in | 2 +- bin/tests/system/padding/tests.sh | 68 +- bin/tests/system/parallel.sh | 8 +- 
bin/tests/system/pending/ns1/sign.sh | 8 +- bin/tests/system/pending/ns2/named.conf.in | 2 +- bin/tests/system/pending/ns2/sign.sh | 16 +- bin/tests/system/pending/ns3/named.conf.in | 2 +- bin/tests/system/pending/ns4/named.conf.in | 2 +- bin/tests/system/pending/tests.sh | 37 +- bin/tests/system/pipelined/ns2/named.conf.in | 2 +- bin/tests/system/pipelined/ns3/named.conf.in | 2 +- bin/tests/system/pipelined/ns4/named.conf.in | 2 +- bin/tests/system/pipelined/tests.sh | 50 +- bin/tests/system/qmin/ns5/named.conf.in | 2 +- bin/tests/system/qmin/ns6/named.conf.in | 2 +- bin/tests/system/qmin/ns7/named.conf.in | 2 +- bin/tests/system/qmin/prereq.sh | 21 + bin/tests/system/qmin/tests.sh | 350 +- bin/tests/system/reclimit/ans7/ans.pl | 16 +- bin/tests/system/reclimit/prereq.sh | 26 + bin/tests/system/reclimit/tests.sh | 191 +- bin/tests/system/redirect/ns1/sign.sh | 8 +- bin/tests/system/redirect/ns2/named.conf.in | 2 +- bin/tests/system/redirect/ns3/sign.sh | 8 +- bin/tests/system/redirect/ns5/sign.sh | 16 +- bin/tests/system/redirect/setup.sh | 6 +- bin/tests/system/redirect/tests.sh | 382 +- bin/tests/system/resolver/ns6/keygen.sh | 10 +- bin/tests/system/resolver/prereq.sh | 21 + bin/tests/system/resolver/tests.sh | 1017 ++--- bin/tests/system/rndc/ns2/named.conf.in | 2 +- bin/tests/system/rndc/ns3/named.conf.in | 2 +- bin/tests/system/rndc/ns5/named.conf.in | 2 +- bin/tests/system/rndc/setup.sh | 16 +- bin/tests/system/rndc/tests.sh | 689 ++-- bin/tests/system/rndc/tests_cve-2023-3341.py | 57 + bin/tests/system/rootkeysentinel/ns1/sign.sh | 8 +- bin/tests/system/rootkeysentinel/ns2/sign.sh | 22 +- bin/tests/system/rootkeysentinel/tests.sh | 208 +- bin/tests/system/rpz/clean.sh | 41 +- bin/tests/system/rpz/qperf.sh | 10 +- bin/tests/system/rpz/setup.sh | 68 +- bin/tests/system/rpz/tests.sh | 1078 ++--- bin/tests/system/rpzextra/ns3/named.args | 2 +- bin/tests/system/rpzrecurse/ns3/named1.conf.in | 2 +- bin/tests/system/rpzrecurse/ns3/named2.conf.in | 2 +- 
bin/tests/system/rpzrecurse/ns3/named3.conf.in | 2 +- bin/tests/system/rpzrecurse/prereq.sh | 21 + bin/tests/system/rpzrecurse/setup.sh | 58 +- bin/tests/system/rpzrecurse/tests.sh | 330 +- bin/tests/system/rrchecker/tests.sh | 95 +- bin/tests/system/rrl/clean.sh | 2 +- bin/tests/system/rrl/tests.sh | 285 +- bin/tests/system/rrsetorder/ns3/named.conf.in | 2 +- bin/tests/system/rrsetorder/ns4/named.conf.in | 2 +- bin/tests/system/rrsetorder/ns5/named.conf.in | 2 +- bin/tests/system/rrsetorder/tests.sh | 452 +- bin/tests/system/rsabigexponent/ns1/sign.sh | 6 +- bin/tests/system/rsabigexponent/ns2/named.conf.in | 2 +- bin/tests/system/rsabigexponent/ns2/sign.sh | 9 +- bin/tests/system/rsabigexponent/ns3/named.conf.in | 2 +- bin/tests/system/rsabigexponent/tests.sh | 36 +- bin/tests/system/run.sh | 9 +- bin/tests/system/runall.sh | 66 +- bin/tests/system/runsequential.sh | 5 +- bin/tests/system/runtime/tests.sh | 212 +- bin/tests/system/serve-stale/ns1/root.db | 2 + bin/tests/system/serve-stale/ns3/named.conf.in | 51 + bin/tests/system/serve-stale/ns3/serve.stale.db | 18 + bin/tests/system/serve-stale/ns6/named.conf.in | 44 + bin/tests/system/serve-stale/ns6/serve.stale.db | 16 + bin/tests/system/serve-stale/ns6/stale.db | 17 + bin/tests/system/serve-stale/prereq.sh | 21 + bin/tests/system/serve-stale/setup.sh | 3 +- bin/tests/system/serve-stale/tests.sh | 2525 ++++++------ bin/tests/system/setup.sh | 17 +- bin/tests/system/sfcache/ns1/sign.sh | 10 +- bin/tests/system/sfcache/ns2/named.conf.in | 2 +- bin/tests/system/sfcache/ns2/sign.sh | 4 +- bin/tests/system/sfcache/ns5/named.conf.in | 2 +- bin/tests/system/sfcache/ns5/sign.sh | 2 +- bin/tests/system/sfcache/tests.sh | 80 +- bin/tests/system/shutdown/tests_shutdown.py | 4 +- bin/tests/system/smartsign/tests.sh | 311 +- bin/tests/system/sortlist/tests.sh | 18 +- bin/tests/system/spf/tests.sh | 25 +- bin/tests/system/start.pl | 21 +- bin/tests/system/staticstub/ns2/named.conf.in | 2 +- 
bin/tests/system/staticstub/ns3/sign.sh | 14 +- bin/tests/system/staticstub/ns4/sign.sh | 4 +- bin/tests/system/staticstub/setup.sh | 4 +- bin/tests/system/staticstub/tests.sh | 144 +- bin/tests/system/statistics/ns2/named.conf.in | 2 +- bin/tests/system/statistics/ns2/named2.conf.in | 2 +- bin/tests/system/statistics/prereq.sh | 21 + bin/tests/system/statistics/tests.sh | 198 +- bin/tests/system/statschannel/conftest.py | 14 +- bin/tests/system/statschannel/generic.py | 147 +- bin/tests/system/statschannel/generic_dnspython.py | 128 - bin/tests/system/statschannel/ns2/sign.sh | 20 +- bin/tests/system/statschannel/prereq.sh | 26 + bin/tests/system/statschannel/setup.sh | 2 +- bin/tests/system/statschannel/tests.sh | 583 ++- bin/tests/system/statschannel/tests_json.py | 11 +- bin/tests/system/statschannel/tests_xml.py | 11 +- bin/tests/system/stop.pl | 2 +- bin/tests/system/stopall.sh | 5 +- bin/tests/system/stress/prereq.sh | 21 + bin/tests/system/stress/tests_stress_update.py | 2 +- bin/tests/system/stub/ns2/named.conf.in | 2 +- bin/tests/system/stub/ns3/named.conf.in | 2 +- bin/tests/system/stub/ns5/named.conf.in | 2 +- bin/tests/system/stub/tests.sh | 104 +- bin/tests/system/synthfromdnssec/ns1/sign.sh | 30 +- bin/tests/system/synthfromdnssec/setup.sh | 4 +- bin/tests/system/synthfromdnssec/tests.sh | 1475 ++++--- bin/tests/system/tcp/ns2/named.conf.in | 2 +- bin/tests/system/tcp/ns3/named.conf.in | 2 +- bin/tests/system/tcp/ns4/named.conf.in | 2 +- bin/tests/system/tcp/ns5/named.conf.in | 2 +- bin/tests/system/tcp/tests.sh | 64 +- bin/tests/system/testcrypto.sh | 117 +- bin/tests/system/testsummary.sh | 46 +- bin/tests/system/timeouts/ns1/named.conf.in | 2 +- bin/tests/system/timeouts/prereq.sh | 20 +- bin/tests/system/timeouts/setup.sh | 2 +- bin/tests/system/tkey/tests.sh | 187 +- bin/tests/system/tools/tests.sh | 118 +- bin/tests/system/transport-acl/ns1/named.conf.in | 2 +- bin/tests/system/transport-acl/setup.sh | 2 +- 
bin/tests/system/transport-acl/tests.sh | 40 +- bin/tests/system/tsig/setup.sh | 5 +- bin/tests/system/tsig/tests.sh | 350 +- bin/tests/system/tsiggss/prereq.sh | 6 +- bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/tsiggss/tests.sh | 145 +- bin/tests/system/ttl/ns1/named.conf.in | 2 +- bin/tests/system/unknown/setup.sh | 5 +- bin/tests/system/unknown/tests.sh | 235 +- bin/tests/system/upforwd/prereq.sh | 21 + bin/tests/system/upforwd/setup.sh | 21 +- bin/tests/system/upforwd/tests.sh | 285 +- bin/tests/system/verify/tests.sh | 148 +- bin/tests/system/verify/zones/genzones.sh | 220 +- bin/tests/system/views/ns2/named1.conf.in | 2 +- bin/tests/system/views/ns2/named2.conf.in | 4 +- bin/tests/system/views/ns3/named1.conf.in | 2 +- bin/tests/system/views/ns3/named2.conf.in | 2 +- bin/tests/system/views/ns5/named.conf.in | 2 +- bin/tests/system/views/setup.sh | 12 +- bin/tests/system/views/tests.sh | 94 +- bin/tests/system/wildcard/ns1/sign.sh | 44 +- bin/tests/system/wildcard/ns2/named.conf.in | 2 +- bin/tests/system/wildcard/ns3/named.conf.in | 2 +- bin/tests/system/wildcard/ns5/named.conf.in | 2 +- bin/tests/system/wildcard/tests.sh | 214 +- bin/tests/system/xfer/ns1/named1.conf.in | 2 +- bin/tests/system/xfer/ns1/named2.conf.in | 2 +- bin/tests/system/xfer/ns1/named3.conf.in | 2 +- bin/tests/system/xfer/ns2/named.conf.in | 2 +- bin/tests/system/xfer/ns3/named.conf.in | 2 +- bin/tests/system/xfer/ns6/named.conf.in | 4 +- bin/tests/system/xfer/ns7/named.conf.in | 4 +- bin/tests/system/xfer/ns8/named.conf.in | 2 +- bin/tests/system/xfer/prereq.sh | 14 +- bin/tests/system/xfer/setup.sh | 6 +- bin/tests/system/xfer/tests.sh | 421 +- bin/tests/system/xferquota/ns2/named.conf.in | 2 +- bin/tests/system/xferquota/tests.sh | 38 +- bin/tests/system/zero/prereq.sh | 21 + bin/tests/system/zero/setup.sh | 2 +- bin/tests/system/zero/tests.sh | 162 +- bin/tests/system/zonechecks/setup.sh | 20 +- bin/tests/system/zonechecks/tests.sh | 253 +- bin/tests/wire_test.c | 2 +- 
bin/tools/Makefile.in | 2 - bin/tools/dnstap-read.c | 13 - configure | 228 +- configure.ac | 25 +- contrib/dlz/modules/common/dlz_dbi.c | 2 +- contrib/scripts/zone-edit.sh.in | 208 +- doc/Makefile.in | 2 - doc/arm/Makefile.in | 2 - doc/arm/conf.py | 39 + doc/arm/notes.rst | 5 + doc/arm/platforms.inc.rst | 17 +- doc/arm/reference.rst | 14 +- doc/arm/requirements.txt | 6 +- doc/arm/security.inc.rst | 50 + doc/dnssec-guide/introduction.rst | 2 +- doc/dnssec-guide/validation.rst | 2 +- doc/man/Makefile.in | 2 - doc/man/arpaname.1in | 2 +- doc/man/ddns-confgen.8in | 2 +- doc/man/delv.1in | 2 +- doc/man/dig.1in | 2 +- doc/man/dnssec-cds.1in | 2 +- doc/man/dnssec-dsfromkey.1in | 2 +- doc/man/dnssec-importkey.1in | 2 +- doc/man/dnssec-keyfromlabel.1in | 2 +- doc/man/dnssec-keygen.1in | 2 +- doc/man/dnssec-revoke.1in | 2 +- doc/man/dnssec-settime.1in | 2 +- doc/man/dnssec-signzone.1in | 2 +- doc/man/dnssec-verify.1in | 2 +- doc/man/dnstap-read.1in | 2 +- doc/man/filter-a.8in | 2 +- doc/man/filter-aaaa.8in | 2 +- doc/man/host.1in | 2 +- doc/man/mdig.1in | 2 +- doc/man/named-checkconf.1in | 2 +- doc/man/named-checkzone.1in | 2 +- doc/man/named-compilezone.1in | 2 +- doc/man/named-journalprint.1in | 2 +- doc/man/named-nzd2nzf.1in | 2 +- doc/man/named-rrchecker.1in | 2 +- doc/man/named.8in | 2 +- doc/man/named.conf.5in | 14 +- doc/man/nsec3hash.1in | 2 +- doc/man/nslookup.1in | 2 +- doc/man/nsupdate.1in | 2 +- doc/man/rndc-confgen.8in | 2 +- doc/man/rndc.8in | 6 +- doc/man/rndc.conf.5in | 2 +- doc/man/tsig-keygen.8in | 2 +- doc/misc/Makefile.in | 2 - doc/misc/options | 12 +- doc/notes/notes-9.18.1.rst | 8 +- doc/notes/notes-9.18.11.rst | 6 +- doc/notes/notes-9.18.16.rst | 4 +- doc/notes/notes-9.18.19.rst | 4 +- doc/notes/notes-9.18.20.rst | 44 + doc/notes/notes-9.18.21.rst | 31 + doc/notes/notes-9.18.22.rst | 19 + doc/notes/notes-9.18.23.rst | 20 + doc/notes/notes-9.18.24.rst | 65 + doc/notes/notes-9.18.3.rst | 2 +- doc/notes/notes-9.18.7.rst | 10 +- fuzz/Makefile.in | 2 - 
fuzz/dns_message_checksig.c | 4 +- lib/Makefile.in | 2 - lib/bind9/Makefile.in | 2 - lib/bind9/check.c | 4 + lib/dns/Makefile.in | 2 - lib/dns/adb.c | 10 +- lib/dns/catz.c | 16 + lib/dns/diff.c | 34 + lib/dns/dst_api.c | 29 +- lib/dns/include/dns/catz.h | 8 +- lib/dns/include/dns/dispatch.h | 2 +- lib/dns/include/dns/message.h | 40 +- lib/dns/include/dns/name.h | 37 +- lib/dns/include/dns/rbt.h | 13 + lib/dns/include/dns/rpz.h | 5 +- lib/dns/include/dns/stats.h | 2 +- lib/dns/include/dns/validator.h | 1 + lib/dns/include/dst/dst.h | 4 + lib/dns/master.c | 2 +- lib/dns/message.c | 375 +- lib/dns/name.c | 1 + lib/dns/ncache.c | 2 +- lib/dns/nsec3.c | 14 +- lib/dns/opensslrsa_link.c | 6 +- lib/dns/private.c | 8 +- lib/dns/rbt.c | 8 + lib/dns/rbtdb.c | 237 +- lib/dns/rdata.c | 2 +- lib/dns/resolver.c | 30 +- lib/dns/rootns.c | 53 +- lib/dns/stats.c | 10 +- lib/dns/tsig.c | 22 +- lib/dns/update.c | 53 +- lib/dns/validator.c | 67 +- lib/dns/xfrin.c | 19 +- lib/dns/zone.c | 89 +- lib/irs/Makefile.in | 2 - lib/isc/Makefile.in | 2 - lib/isc/hmac.c | 65 +- lib/isc/ht.c | 55 +- lib/isc/httpd.c | 6 +- lib/isc/include/isc/endian.h | 34 +- lib/isc/include/isc/net.h | 4 +- lib/isc/include/isc/netmgr.h | 3 + lib/isc/include/isc/radix.h | 2 +- lib/isc/include/isc/types.h | 10 +- lib/isc/mem.c | 11 + lib/isc/mem_p.h | 11 + lib/isc/netaddr.c | 2 +- lib/isc/netmgr/http.c | 19 +- lib/isc/netmgr/netmgr-int.h | 1 + lib/isc/netmgr/netmgr.c | 38 +- lib/isc/netmgr/tcp.c | 6 +- lib/isc/netmgr/tcpdns.c | 11 +- lib/isc/netmgr/tlsdns.c | 11 +- lib/isc/netmgr/tlsstream.c | 12 +- lib/isc/netmgr/udp.c | 10 +- lib/isc/netmgr/uv-compat.h | 2 +- lib/isc/stats.c | 25 +- lib/isc/trampoline.c | 5 +- lib/isc/url.c | 5 +- lib/isccc/Makefile.in | 2 - lib/isccc/cc.c | 18 +- lib/isccfg/Makefile.in | 2 - lib/isccfg/namedconf.c | 9 +- lib/ns/Makefile.in | 2 - lib/ns/client.c | 34 +- lib/ns/query.c | 46 +- lib/ns/xfrout.c | 2 +- m4/ax_perl_module.m4 | 32 - m4/ax_python_module.m4 | 33 - srcid | 2 +- 
 tests/Makefile.in | 2 -
 tests/dns/Makefile.in | 2 -
 tests/irs/Makefile.in | 2 -
 tests/isc/Makefile.in | 2 -
 tests/isc/hmac_test.c | 212 +-
 tests/isc/ht_test.c | 50 +
 tests/isc/netmgr_test.c | 178 +-
 tests/isccfg/Makefile.in | 2 -
 tests/libtest/Makefile.in | 2 -
 tests/libtest/ns.c | 2 +-
 tests/ns/Makefile.in | 2 -
 tests/unit-test-driver.sh.in | 48 +-
 669 files changed, 29467 insertions(+), 26387 deletions(-)
 create mode 100644 bin/tests/system/_common/controls.conf.in
 create mode 100644 bin/tests/system/_common/rndc.conf
 create mode 100644 bin/tests/system/_common/rndc.key
 create mode 100644 bin/tests/system/_common/root.hint
 create mode 100644 bin/tests/system/allow-query/tests_sh_allow_query.py
 delete mode 100644 bin/tests/system/allow-query/tests_sh_allowquery.py
 create mode 100644 bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in
 create mode 100644 bin/tests/system/chain/prereq.sh
 delete mode 100644 bin/tests/system/common/controls.conf.in
 delete mode 100644 bin/tests/system/common/rndc.conf
 delete mode 100644 bin/tests/system/common/rndc.key
 delete mode 100644 bin/tests/system/common/root.hint
 create mode 100755 bin/tests/system/convert-junit-to-trs.py
 create mode 100644 bin/tests/system/cookie/prereq.sh
 create mode 100644 bin/tests/system/digdelv/prereq.sh
 create mode 100644 bin/tests/system/dnssec/prereq.sh
 create mode 100644 bin/tests/system/doth/ns5/named.conf.in
 create mode 100644 bin/tests/system/fetchlimit/prereq.sh
 create mode 100644 bin/tests/system/forward/prereq.sh
 create mode 100644 bin/tests/system/isctest/__init__.py
 create mode 100644 bin/tests/system/isctest/check.py
 create mode 100644 bin/tests/system/isctest/query.py
 create mode 100644 bin/tests/system/ixfr/prereq.sh
 create mode 100644 bin/tests/system/nsupdate/prereq.sh
 create mode 100644 bin/tests/system/qmin/prereq.sh
 create mode 100644 bin/tests/system/reclimit/prereq.sh
 create mode 100644 bin/tests/system/resolver/prereq.sh
 create mode 100644 bin/tests/system/rndc/tests_cve-2023-3341.py
 create mode 100644 bin/tests/system/rpzrecurse/prereq.sh
 create mode 100644 bin/tests/system/serve-stale/ns3/named.conf.in
 create mode 100644 bin/tests/system/serve-stale/ns3/serve.stale.db
 create mode 100644 bin/tests/system/serve-stale/ns6/named.conf.in
 create mode 100644 bin/tests/system/serve-stale/ns6/serve.stale.db
 create mode 100644 bin/tests/system/serve-stale/ns6/stale.db
 create mode 100644 bin/tests/system/serve-stale/prereq.sh
 create mode 100644 bin/tests/system/statistics/prereq.sh
 delete mode 100644 bin/tests/system/statschannel/generic_dnspython.py
 create mode 100644 bin/tests/system/statschannel/prereq.sh
 create mode 100644 bin/tests/system/stress/prereq.sh
 create mode 100644 bin/tests/system/upforwd/prereq.sh
 create mode 100644 bin/tests/system/zero/prereq.sh
 create mode 100644 doc/notes/notes-9.18.20.rst
 create mode 100644 doc/notes/notes-9.18.21.rst
 create mode 100644 doc/notes/notes-9.18.22.rst
 create mode 100644 doc/notes/notes-9.18.23.rst
 create mode 100644 doc/notes/notes-9.18.24.rst
 delete mode 100644 m4/ax_perl_module.m4
 delete mode 100644 m4/ax_python_module.m4
diff --git a/CHANGES b/CHANGES
index 2f21454..9bd4f51 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,141 @@ + --- 9.18.24 released --- + +6343. [bug] Fix case insensitive setting for isc_ht hashtable. + [GL #4568] + + --- 9.18.23 released --- + +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + +6321. [security] Change 6315 inadvertently introduced regressions that + could cause named to crash. [GL #4234] + +6320. [bug] Under some circumstances, the DoT code in client + mode could process more than one message at a time when + that was not expected. That has been fixed. [GL #4487] + + --- 9.18.22 released --- + +6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning. + [GL #4383] + +6317. [security] Restore DNS64 state when handling a serve-stale timeout. + (CVE-2023-5679) [GL #4334] + +6316. [security] Specific queries could trigger an assertion check with + nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] + +6315. [security] Speed up parsing of DNS messages with many different + names. (CVE-2023-4408) [GL #4234] + +6314. [bug] Address race conditions in dns_tsigkey_find(). + [GL #4182] + +6312. [bug] Conversion from NSEC3 signed to NSEC signed could + temporarily put the zone into a state where it was + treated as unsigned until the NSEC chain was built. + Additionally conversion from one set of NSEC3 parameters + to another could also temporarily put the zone into a + state where it was treated as unsigned until the new + NSEC3 chain was built. [GL #1794] [GL #4495] + +6310. [bug] Memory leak in zone.c:sign_zone. When named signed a + zone it could leak dst_keys due to a misplaced + 'continue'. [GL #4488] + +6306. [func] Log more details about the cause of "not exact" errors. + [GL #4500] + +6304. [bug] The wrong time was being used to determine what RRSIGs + where to be generated when dnssec-policy was in use. + [GL #4494] + +6302. [func] The "trust-anchor-telemetry" statement is no longer + marked as experimental. 
This silences a relevant log + message that was emitted even when the feature was + explicitly disabled. [GL #4497] + +6300. [bug] Fix statistics export to use full 64 bit signed numbers + instead of truncating values to unsigned 32 bits. + [GL #4467] + +6299. [port] NetBSD has added 'hmac' to libc which collides with our + use of 'hmac'. [GL #4478] + + --- 9.18.21 released --- + +6297. [bug] Improve LRU cleaning behaviour. [GL #4448] + +6296. [func] The "resolver-nonbackoff-tries" and + "resolver-retry-interval" options are deprecated; + a warning will be logged if they are used. [GL #4405] + +6294. [bug] BIND might sometimes crash after startup or + re-configuration when one 'tls' entry is used multiple + times to connect to remote servers due to initialisation + attempts from contexts of multiple threads. That has + been fixed. [GL #4464] + +6290. [bug] Dig +yaml will now report "no servers could be reached" + also for UDP setup failure when no other servers or + tries are left. [GL #1229] + +6287. [bug] Recognize escapes when reading the public key from file. + [GL !8502] + +6286. [bug] Dig +yaml will now report "no servers could be reached" + on TCP connection failure as well as for UDP timeouts. + [GL #4396] + +6282. [func] Deprecate AES-based DNS cookies. [GL #4421] + + --- 9.18.20 released --- + +6280. [bug] Fix missing newlines in the output of "rndc nta -dump". + [GL !8454] + +6277. [bug] Take into account local authoritative zones when + falling back to serve-stale. [GL #4355] + +6275. [bug] Fix assertion failure when using lock-file configuration + option together -X argument to named. [GL #4386] + +6274. [bug] The 'lock-file' file was being removed when it + shouldn't have been making it ineffective if named was + started 3 or more times. [GL #4387] + +6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381] + +6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and + 2801:1b8:10::b. [GL #4101] + +6267. 
[func] The timeouts for resending zone refresh queries over UDP + were lowered to enable named to more quickly determine + that a primary is down. [GL #4260] + +6265. [bug] Don't schedule resign operations on the raw version + of an inline-signing zone. [GL #4350] + +6261. [bug] Fix a possible assertion failure on an error path in + resolver.c:fctx_query(), when using an uninitialized + link. [GL #4331] + +6254. [cleanup] Add semantic patch to do an explicit cast from char + to unsigned char in ctype.h class of functions. + [GL #4327] + +6252. [test] Python system tests have to be executed by invoking + pytest directly. Executing them with the legacy test + runner is no longer supported. [GL #4250] + +6250. [bug] The wrong covered value was being set by + dns_ncache_current for RRSIG records in the returned + rdataset structure. This resulted in TYPE0 being + reported as the covered value of the RRSIG when dumping + the cache contents. [GL #4314] + --- 9.18.19 released --- 6246. [security] Fix use-after-free error in TLS DNS code when sending diff --git a/ChangeLog b/ChangeLog index 2f21454..9bd4f51 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,141 @@ + --- 9.18.24 released --- + +6343. [bug] Fix case insensitive setting for isc_ht hashtable. + [GL #4568] + + --- 9.18.23 released --- + +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + +6321. [security] Change 6315 inadvertently introduced regressions that + could cause named to crash. [GL #4234] + +6320. [bug] Under some circumstances, the DoT code in client + mode could process more than one message at a time when + that was not expected. That has been fixed. [GL #4487] + + --- 9.18.22 released --- + +6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning. + [GL #4383] + +6317. [security] Restore DNS64 state when handling a serve-stale timeout. + (CVE-2023-5679) [GL #4334] + +6316. [security] Specific queries could trigger an assertion check with + nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] + +6315. [security] Speed up parsing of DNS messages with many different + names. (CVE-2023-4408) [GL #4234] + +6314. [bug] Address race conditions in dns_tsigkey_find(). + [GL #4182] + +6312. [bug] Conversion from NSEC3 signed to NSEC signed could + temporarily put the zone into a state where it was + treated as unsigned until the NSEC chain was built. + Additionally conversion from one set of NSEC3 parameters + to another could also temporarily put the zone into a + state where it was treated as unsigned until the new + NSEC3 chain was built. [GL #1794] [GL #4495] + +6310. [bug] Memory leak in zone.c:sign_zone. When named signed a + zone it could leak dst_keys due to a misplaced + 'continue'. [GL #4488] + +6306. [func] Log more details about the cause of "not exact" errors. + [GL #4500] + +6304. [bug] The wrong time was being used to determine what RRSIGs + where to be generated when dnssec-policy was in use. + [GL #4494] + +6302. [func] The "trust-anchor-telemetry" statement is no longer + marked as experimental. 
This silences a relevant log + message that was emitted even when the feature was + explicitly disabled. [GL #4497] + +6300. [bug] Fix statistics export to use full 64 bit signed numbers + instead of truncating values to unsigned 32 bits. + [GL #4467] + +6299. [port] NetBSD has added 'hmac' to libc which collides with our + use of 'hmac'. [GL #4478] + + --- 9.18.21 released --- + +6297. [bug] Improve LRU cleaning behaviour. [GL #4448] + +6296. [func] The "resolver-nonbackoff-tries" and + "resolver-retry-interval" options are deprecated; + a warning will be logged if they are used. [GL #4405] + +6294. [bug] BIND might sometimes crash after startup or + re-configuration when one 'tls' entry is used multiple + times to connect to remote servers due to initialisation + attempts from contexts of multiple threads. That has + been fixed. [GL #4464] + +6290. [bug] Dig +yaml will now report "no servers could be reached" + also for UDP setup failure when no other servers or + tries are left. [GL #1229] + +6287. [bug] Recognize escapes when reading the public key from file. + [GL !8502] + +6286. [bug] Dig +yaml will now report "no servers could be reached" + on TCP connection failure as well as for UDP timeouts. + [GL #4396] + +6282. [func] Deprecate AES-based DNS cookies. [GL #4421] + + --- 9.18.20 released --- + +6280. [bug] Fix missing newlines in the output of "rndc nta -dump". + [GL !8454] + +6277. [bug] Take into account local authoritative zones when + falling back to serve-stale. [GL #4355] + +6275. [bug] Fix assertion failure when using lock-file configuration + option together -X argument to named. [GL #4386] + +6274. [bug] The 'lock-file' file was being removed when it + shouldn't have been making it ineffective if named was + started 3 or more times. [GL #4387] + +6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381] + +6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and + 2801:1b8:10::b. [GL #4101] + +6267. 
[func] The timeouts for resending zone refresh queries over UDP + were lowered to enable named to more quickly determine + that a primary is down. [GL #4260] + +6265. [bug] Don't schedule resign operations on the raw version + of an inline-signing zone. [GL #4350] + +6261. [bug] Fix a possible assertion failure on an error path in + resolver.c:fctx_query(), when using an uninitialized + link. [GL #4331] + +6254. [cleanup] Add semantic patch to do an explicit cast from char + to unsigned char in ctype.h class of functions. + [GL #4327] + +6252. [test] Python system tests have to be executed by invoking + pytest directly. Executing them with the legacy test + runner is no longer supported. [GL #4250] + +6250. [bug] The wrong covered value was being set by + dns_ncache_current for RRSIG records in the returned + rdataset structure. This resulted in TYPE0 being + reported as the covered value of the RRSIG when dumping + the cache contents. [GL #4314] + --- 9.18.19 released --- 6246. [security] Fix use-after-free error in TLS DNS code when sending diff --git a/Makefile.in b/Makefile.in index 06038e2..01d583f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/NEWS b/NEWS index 2f21454..9bd4f51 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,141 @@ + --- 9.18.24 released --- + +6343. [bug] Fix case insensitive setting for isc_ht hashtable. + [GL #4568] + + --- 9.18.23 released --- + +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + +6321. [security] Change 6315 inadvertently introduced regressions that + could cause named to crash. [GL #4234] + +6320. [bug] Under some circumstances, the DoT code in client + mode could process more than one message at a time when + that was not expected. That has been fixed. [GL #4487] + + --- 9.18.22 released --- + +6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning. + [GL #4383] + +6317. [security] Restore DNS64 state when handling a serve-stale timeout. + (CVE-2023-5679) [GL #4334] + +6316. [security] Specific queries could trigger an assertion check with + nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] + +6315. [security] Speed up parsing of DNS messages with many different + names. (CVE-2023-4408) [GL #4234] + +6314. [bug] Address race conditions in dns_tsigkey_find(). + [GL #4182] + +6312. [bug] Conversion from NSEC3 signed to NSEC signed could + temporarily put the zone into a state where it was + treated as unsigned until the NSEC chain was built. + Additionally conversion from one set of NSEC3 parameters + to another could also temporarily put the zone into a + state where it was treated as unsigned until the new + NSEC3 chain was built. [GL #1794] [GL #4495] + +6310. [bug] Memory leak in zone.c:sign_zone. When named signed a + zone it could leak dst_keys due to a misplaced + 'continue'. [GL #4488] + +6306. [func] Log more details about the cause of "not exact" errors. + [GL #4500] + +6304. [bug] The wrong time was being used to determine what RRSIGs + where to be generated when dnssec-policy was in use. + [GL #4494] + +6302. [func] The "trust-anchor-telemetry" statement is no longer + marked as experimental. 
This silences a relevant log + message that was emitted even when the feature was + explicitly disabled. [GL #4497] + +6300. [bug] Fix statistics export to use full 64 bit signed numbers + instead of truncating values to unsigned 32 bits. + [GL #4467] + +6299. [port] NetBSD has added 'hmac' to libc which collides with our + use of 'hmac'. [GL #4478] + + --- 9.18.21 released --- + +6297. [bug] Improve LRU cleaning behaviour. [GL #4448] + +6296. [func] The "resolver-nonbackoff-tries" and + "resolver-retry-interval" options are deprecated; + a warning will be logged if they are used. [GL #4405] + +6294. [bug] BIND might sometimes crash after startup or + re-configuration when one 'tls' entry is used multiple + times to connect to remote servers due to initialisation + attempts from contexts of multiple threads. That has + been fixed. [GL #4464] + +6290. [bug] Dig +yaml will now report "no servers could be reached" + also for UDP setup failure when no other servers or + tries are left. [GL #1229] + +6287. [bug] Recognize escapes when reading the public key from file. + [GL !8502] + +6286. [bug] Dig +yaml will now report "no servers could be reached" + on TCP connection failure as well as for UDP timeouts. + [GL #4396] + +6282. [func] Deprecate AES-based DNS cookies. [GL #4421] + + --- 9.18.20 released --- + +6280. [bug] Fix missing newlines in the output of "rndc nta -dump". + [GL !8454] + +6277. [bug] Take into account local authoritative zones when + falling back to serve-stale. [GL #4355] + +6275. [bug] Fix assertion failure when using lock-file configuration + option together -X argument to named. [GL #4386] + +6274. [bug] The 'lock-file' file was being removed when it + shouldn't have been making it ineffective if named was + started 3 or more times. [GL #4387] + +6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381] + +6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and + 2801:1b8:10::b. [GL #4101] + +6267. 
[func] The timeouts for resending zone refresh queries over UDP + were lowered to enable named to more quickly determine + that a primary is down. [GL #4260] + +6265. [bug] Don't schedule resign operations on the raw version + of an inline-signing zone. [GL #4350] + +6261. [bug] Fix a possible assertion failure on an error path in + resolver.c:fctx_query(), when using an uninitialized + link. [GL #4331] + +6254. [cleanup] Add semantic patch to do an explicit cast from char + to unsigned char in ctype.h class of functions. + [GL #4327] + +6252. [test] Python system tests have to be executed by invoking + pytest directly. Executing them with the legacy test + runner is no longer supported. [GL #4250] + +6250. [bug] The wrong covered value was being set by + dns_ncache_current for RRSIG records in the returned + rdataset structure. This resulted in TYPE0 being + reported as the covered value of the RRSIG when dumping + the cache contents. [GL #4314] + --- 9.18.19 released --- 6246. [security] Fix use-after-free error in TLS DNS code when sending diff --git a/aclocal.m4 b/aclocal.m4 index d3f28df..6e826f5 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1970,11 +1970,9 @@ m4_include([m4/ax_check_openssl.m4]) m4_include([m4/ax_gcc_func_attribute.m4]) m4_include([m4/ax_jemalloc.m4]) m4_include([m4/ax_lib_lmdb.m4]) -m4_include([m4/ax_perl_module.m4]) m4_include([m4/ax_posix_shell.m4]) m4_include([m4/ax_prog_cc_for_build.m4]) m4_include([m4/ax_pthread.m4]) -m4_include([m4/ax_python_module.m4]) m4_include([m4/ax_restore_flags.m4]) m4_include([m4/ax_save_flags.m4]) m4_include([m4/ax_tls.m4]) diff --git a/bin/Makefile.in b/bin/Makefile.in index d2bb917..d13002c 100644 --- a/bin/Makefile.in +++ b/bin/Makefile.in 
@@ -96,11 +96,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in index 1f2d67a..7926d5f 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -105,11 +105,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in index 5589f9e..872f567 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -105,11 +105,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ 
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in index b86bfb5..c46fc52 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index e5e09ba..9c9fa5d 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -111,11 +111,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 55f7bf2..a8ae79f 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -3249,6 +3249,7 @@ udp_ready(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { start_udp(next); check_if_done(); } else { + dighost_error("no servers could be reached\n"); clear_current_lookup(); } @@ -3654,6 +3655,7 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) { start_tcp(next); check_if_done(); } else { + dighost_error("no servers could be reached\n"); clear_current_lookup(); } 
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 47c7352..879b86d 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -109,11 +109,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index f52457c..d67ac3d 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -99,7 +99,7 @@ static int nsec_datatype = dns_rdatatype_nsec; "dns_dbiterator_current()") #define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3) -#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0) +#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0) #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index a38ce3b..2b60a43 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -125,11 +125,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/named/config.c b/bin/named/config.c index 7f318a2..f95e433 100644 
--- a/bin/named/config.c +++ b/bin/named/config.c @@ -337,14 +337,14 @@ dnssec-policy \"insecure\" {\n\ "# END TRUST ANCHORS\n\ \n\ primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\ - 2001:500:200::b; # b.root-servers.net\n\ + 2801:1b8:10::b; # b.root-servers.net\n\ 2001:500:2::c; # c.root-servers.net\n\ 2001:500:2f::f; # f.root-servers.net\n\ 2001:500:12::d0d; # g.root-servers.net\n\ 2001:7fd::1; # k.root-servers.net\n\ 2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\ 2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\ - 199.9.14.201; # b.root-servers.net\n\ + 170.247.170.2; # b.root-servers.net\n\ 192.33.4.12; # c.root-servers.net\n\ 192.5.5.241; # f.root-servers.net\n\ 192.112.36.4; # g.root-servers.net\n\ diff --git a/bin/named/os.c b/bin/named/os.c index 7af4729..0222abb 100644 --- a/bin/named/os.c +++ b/bin/named/os.c @@ -552,17 +552,19 @@ cleanup_pidfile(void) { } static void -cleanup_lockfile(void) { +cleanup_lockfile(bool unlink_lockfile) { if (singletonfd != -1) { close(singletonfd); singletonfd = -1; } if (lockfile != NULL) { - int n = unlink(lockfile); - if (n == -1 && errno != ENOENT) { - named_main_earlywarning("unlink '%s': failed", - lockfile); + if (unlink_lockfile) { + int n = unlink(lockfile); + if (n == -1 && errno != ENOENT) { + named_main_earlywarning("unlink '%s': failed", + lockfile); + } } free(lockfile); lockfile = NULL; @@ -830,7 +832,7 @@ named_os_issingleton(const char *filename) { if (ret == -1) { named_main_earlywarning("couldn't create '%s'", filename); - cleanup_lockfile(); + cleanup_lockfile(false); return (false); } } @@ -842,7 +844,7 @@ named_os_issingleton(const char *filename) { singletonfd = open(filename, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (singletonfd == -1) { - cleanup_lockfile(); + cleanup_lockfile(false); return (false); } 
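Review bot: The new `unlink_lockfile` parameter of cleanup_lockfile() carries the whole point of the fix (CHANGES 6274, the lock file being removed by a later instance) but is undocumented, and the `cleanup_lockfile(false)` calls in named_os_issingleton — two in this hunk group and one in the following -854 hunk — do not say why the file must survive. Suggested comment above the function: `/* unlink_lockfile: false on the named_os_issingleton() failure paths, where the lock file belongs to another running instance and must not be removed. */`. Note that the -854 fcntl failure path now also frees `lockfile` and resets it to NULL where it previously only closed the descriptor, which is what keeps the later `cleanup_lockfile(true)` in named_os_shutdown() from unlinking a file this process never owned; a short comment at that call site would make the dependency visible. The body of named_os_issingleton() extends outside these hunks.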
@@ -854,8 +856,7 @@ named_os_issingleton(const char *filename) { /* Non-blocking (does not wait for lock) */ if (fcntl(singletonfd, F_SETLK, &lock) == -1) { - close(singletonfd); - singletonfd = -1; + cleanup_lockfile(false); return (false); } @@ -866,7 +867,7 @@ void named_os_shutdown(void) { closelog(); cleanup_pidfile(); - cleanup_lockfile(); + cleanup_lockfile(true); } void diff --git a/bin/named/server.c b/bin/named/server.c index 2f21fc5..bfe6df3 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8407,8 +8407,8 @@ check_lockfile(named_server_t *server, const cfg_obj_t *config, (void)named_config_get(maps, "lock-file", &obj); if (!first_time) { - if (obj != NULL && !cfg_obj_isstring(obj) && - server->lockfile != NULL && + if (obj != NULL && cfg_obj_isstring(obj) && + server->lockfile != NULL && !named_g_forcelock && strcmp(cfg_obj_asstring(obj), server->lockfile) != 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, 
@@ -8422,31 +8422,25 @@ check_lockfile(named_server_t *server, const cfg_obj_t *config, } if (obj != NULL) { - if (cfg_obj_isvoid(obj)) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), - "skipping lock-file check "); - return (ISC_R_SUCCESS); - } else if (named_g_forcelock) { + if (named_g_forcelock) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING, "'lock-file' has no effect " "because the server was run with -X"); - server->lockfile = isc_mem_strdup( - server->mctx, named_g_defaultlockfile); - } else { + if (named_g_defaultlockfile != NULL) { + server->lockfile = isc_mem_strdup( + server->mctx, named_g_defaultlockfile); + } + } else if (cfg_obj_isvoid(obj)) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), + "skipping lock-file check"); + } else if (cfg_obj_isstring(obj)) { filename = cfg_obj_asstring(obj); server->lockfile = isc_mem_strdup(server->mctx, filename); } - - if (server->lockfile == NULL) { - return (ISC_R_NOMEMORY); - } - } - - if (named_g_forcelock && named_g_defaultlockfile != NULL) { - INSIST(server->lockfile == NULL); + } else if (named_g_forcelock && named_g_defaultlockfile != NULL) { server->lockfile = isc_mem_strdup(server->mctx, named_g_defaultlockfile); } @@ -15850,6 +15844,8 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, * If -dump was specified, list NTA's and return */ if (dump) { + size_t last = 0; + for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { @@ -15861,6 +15857,12 @@ named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly, continue; } + if (last != isc_buffer_usedlength(*text)) { + CHECK(putstr(text, "\n")); + } + + last = isc_buffer_usedlength(*text); + CHECK(dns_ntatable_totext(ntatable, view->name, text)); } CHECK(putnull(text)); 
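Review bot: The `if (server->lockfile == NULL) return (ISC_R_NOMEMORY);` check that followed the strdup calls is removed in this hunk while the rewritten branches still assign `server->lockfile` from isc_mem_strdup() in three places, so an allocation failure would now go unreported. If isc_mem_strdup() in this tree aborts on allocation failure the removal is harmless and a one-line comment such as `/* isc_mem_strdup() never returns NULL */` would make that explicit; if it can return NULL, the check should be restored after the new assignments. Also, when `obj` is neither void nor a string the new chain assigns nothing and returns silently, which is presumably unreachable given the config grammar but worth a comment. check_lockfile's body starts and ends outside the hunk.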
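Review bot: In the -15861 hunk `last` starts at 0 (declared in the preceding -15850 hunk), so `if (last != isc_buffer_usedlength(*text))` emits a separating newline before the first view's output whenever `*text` already holds data on entry, not only between views. If the buffer is guaranteed empty at this point that is fine; otherwise initialise it as `size_t last = isc_buffer_usedlength(*text);` so the separator is written only between non-empty view dumps. named_server_nta's body continues outside both hunks.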
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in index ce9064d..2cda13d 100644 --- a/bin/nsupdate/Makefile.in +++ b/bin/nsupdate/Makefile.in @@ -107,11 +107,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index ae759be..980d543 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -369,13 +369,13 @@ reset_system(void) { } static bool -parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, +parse_hmac(const dns_name_t **hmacp, const char *hmacstr, size_t len, uint16_t *digestbitsp) { uint16_t digestbits = 0; isc_result_t result; char buf[20]; - REQUIRE(hmac != NULL && *hmac == NULL); + REQUIRE(hmacp != NULL && *hmacp == NULL); REQUIRE(hmacstr != NULL); if (len >= sizeof(buf)) { @@ -387,9 +387,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); if (strcasecmp(buf, "hmac-md5") == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmacp = DNS_TSIG_HMACMD5_NAME; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmacp = DNS_TSIG_HMACMD5_NAME; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { error("digest-bits out of range [0..128]"); 
@@ -397,9 +397,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha1") == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmacp = DNS_TSIG_HMACSHA1_NAME; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmacp = DNS_TSIG_HMACSHA1_NAME; result = isc_parse_uint16(&digestbits, &buf[10], 10); if (result != ISC_R_SUCCESS || digestbits > 160) { error("digest-bits out of range [0..160]"); @@ -407,9 +407,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha224") == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmacp = DNS_TSIG_HMACSHA224_NAME; } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmacp = DNS_TSIG_HMACSHA224_NAME; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 224) { error("digest-bits out of range [0..224]"); @@ -417,9 +417,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha256") == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmacp = DNS_TSIG_HMACSHA256_NAME; } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmacp = DNS_TSIG_HMACSHA256_NAME; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 256) { error("digest-bits out of range [0..256]"); 
@@ -427,9 +427,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha384") == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmacp = DNS_TSIG_HMACSHA384_NAME; } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmacp = DNS_TSIG_HMACSHA384_NAME; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 384) { error("digest-bits out of range [0..384]"); @@ -437,9 +437,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha512") == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmacp = DNS_TSIG_HMACSHA512_NAME; } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmacp = DNS_TSIG_HMACSHA512_NAME; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 512) { error("digest-bits out of range [0..512]"); diff --git a/bin/plugins/Makefile.in b/bin/plugins/Makefile.in index b1d1bb8..535ef2e 100644 --- a/bin/plugins/Makefile.in +++ b/bin/plugins/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in index 7fdcb83..2778f58 100644 --- a/bin/rndc/Makefile.in +++ b/bin/rndc/Makefile.in 
@@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 35a4f31..f34975b 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst @@ -428,6 +428,7 @@ Currently supported commands are: .. option:: zone [class [view]] If a zone is specified, this command reloads only the given zone. + If no zone is specified, the reloading happens asynchronously. .. program:: rndc @@ -594,7 +595,8 @@ Currently supported commands are: refused. If the zone has changed and the ``ixfr-from-differences`` option is in use, the journal file is updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing - journal file is removed. + journal file is removed. If no zone is specified, the reloading happens + asynchronously. See also :option:`rndc freeze`. diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index d8b1015..bb0b392 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in 
@@ -105,11 +105,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 72d464a..befd512 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -18,6 +18,8 @@ LDADD += \ $(LIBISC_LIBS) if HAVE_PERL +if HAVE_PYTHON +if HAVE_PYTEST noinst_PROGRAMS = \ feature-test \ @@ -81,23 +83,14 @@ tkey_keydelete_LDADD = \ $(LDADD) \ $(LIBDNS_LIBS) -TESTS = - -if HAVE_PERLMOD_TIME_HIRES -TESTS += serve-stale -endif HAVE_PERLMOD_TIME_HIRES - -if HAVE_PERLMOD_NET_DNS -TESTS += \ - rpzrecurse -endif HAVE_PERLMOD_NET_DNS - -if HAVE_LIBNGHTTP2 -TESTS += \ - doth -endif - -TESTS += \ +# Longer running tests are listed (and executed) first to take the most +# advantage of parallel execution. +TESTS = \ + rpz \ + rpzrecurse \ + serve-stale \ + timeouts \ + upforwd \ acl \ additional \ addzone \ @@ -109,13 +102,21 @@ TESTS += \ case \ catz \ cds \ + chain \ checkconf \ + checkds \ checknames \ checkzone \ + cookie \ database \ dialup \ + digdelv \ + dispatch \ dlzexternal \ dns64 \ + dnssec \ + dnstap \ + doth \ dsdigest \ dupsigs \ dyndb \ @@ -125,18 +126,23 @@ TESTS += \ emptyzones \ enginepkcs11 \ filter-aaaa \ + fetchlimit \ formerr \ + forward \ geoip2 \ glue \ idna \ include-multiplecfg \ inline \ integrity \ + ixfr \ hooks \ host \ journal \ + kasp \ keepalive \ keyfromlabel \ + keymgr2kasp \ legacy \ limits \ logfileconfig \ 
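Review bot: Dropping the `if HAVE_LIBNGHTTP2` guard around `doth` in the `@@ -81,23 +83,14 @@` hunk (and, in the `@@ -177,62 +194,21 @@` hunk below, the `HAVE_LMDB` guard around `nzd2nzf` and the `HAVE_DNSTAP` guard around `dnstap`) puts those tests in TESTS unconditionally, so on a build configured without nghttp2, LMDB or dnstap support they are now executed instead of omitted. That is only harmless if the new `run.sh` driver or each test's own prerequisite check reports SKIP when the feature is missing; nothing in this Makefile.am shows that, so it should be confirmed rather than assumed. If the skip logic is elsewhere, record it next to the flat list so the next reader does not re-add the conditionals, e.g. `# Feature-dependent tests (doth, dnstap, nzd2nzf) skip themselves when the feature is not built in.`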
@@ -149,24 +155,35 @@ TESTS += \ notify \ nsec3 \ nslookup \ + nsupdate \ + nzd2nzf \ padding \ pending \ + pipelined \ + qmin \ + reclimit \ redirect \ + resolver \ rndc \ rootkeysentinel \ - rpz \ + rpzextra \ rrchecker \ rrl \ rrsetorder \ rsabigexponent \ runtime \ sfcache \ + shutdown \ smartsign \ sortlist \ spf \ staticstub \ + statistics \ + statschannel \ + stress \ stub \ synthfromdnssec \ + tcp \ tkey \ tools \ transport-acl \ @@ -177,62 +194,21 @@ TESTS += \ verify \ views \ wildcard \ + xfer \ xferquota \ + zero \ zonechecks -if HAVE_LMDB -TESTS += nzd2nzf -endif # HAVE_LMDB - -if HAVE_PERLMOD_NET_DNS - -TESTS += \ - fetchlimit \ - ixfr \ - nsupdate \ - resolver \ - statistics \ - stress \ - upforwd \ - zero - -if HAVE_DNSTAP -TESTS += dnstap -endif - -if HAVE_PERLMOD_FILE_FETCH -TESTS += statschannel -endif HAVE_PERLMOD_FILE_FETCH - -if HAVE_PERLMOD_DIGEST_HMAC -TESTS += xfer -endif HAVE_PERLMOD_DIGEST_HMAC - -if HAVE_PERLMOD_NET_DNS_NAMESERVER -TESTS += reclimit -endif HAVE_PERLMOD_NET_DNS_NAMESERVER - -endif HAVE_PERLMOD_NET_DNS - -if HAVE_PYTHON -TESTS += kasp keymgr2kasp tcp pipelined - -if HAVE_PYTEST -TESTS += checkds dispatch rpzextra shutdown timeouts -endif - -if HAVE_PYMOD_DNS -TESTS += qmin cookie -if HAVE_PERLMOD_NET_DNS -TESTS += digdelv dnssec forward -if HAVE_PERLMOD_NET_DNS_NAMESERVER -TESTS += chain -endif HAVE_PERLMOD_NET_DNS_NAMESERVER -endif HAVE_PERLMOD_NET_DNS -endif HAVE_PYMOD_DNS - -endif HAVE_PYTHON - +else !HAVE_PYTEST +check: + echo pytest is not available, no tests were ran + exit 1 +endif !HAVE_PYTEST +else !HAVE_PYTHON +check: + echo Python is not available, no tests were ran + exit 1 +endif !HAVE_PYTHON else !HAVE_PERL check: echo Perl is not available, no tests were ran 
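Review bot: The two new `check:` fallback recipes in the `@@ -177,62 +194,21 @@` hunk copy the grammatical slip of the existing Perl arm, "no tests were ran"; since these lines are the only output a user sees when `make check` bails out, they should read `echo pytest is not available, no tests were run` and `echo Python is not available, no tests were run`. The diagnostic is also written to stdout; appending `>&2` would keep it out of captured test output, though that is a matter of taste. The Perl arm's message is pre-existing context, not part of this change.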
@@ -247,12 +223,9 @@ LOG_DRIVER_V_1 = --verbose yes LOG_DRIVER = $(srcdir)/custom-test-driver AM_LOG_DRIVER_FLAGS = $(LOG_DRIVER_V) -LOG_COMPILER = $(builddir)/legacy.run.sh -AM_LOG_FLAGS = -r - -$(TESTS): legacy.run.sh +LOG_COMPILER = $(srcdir)/run.sh test-local: check clean-local:: - -find $(builddir) -maxdepth 1 -type d -name "*_*" | xargs rm -rf + -find -L . -mindepth 1 -maxdepth 1 -type d -name "*_*" -and -not -name "_common" -exec rm -rf {} \; diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index eb62072..b907194 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in 
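Review bot: The rewritten `clean-local` recipe uses `-and` and `-not`, which are GNU find extensions; the POSIX spellings are `-a` and `!`, so `-find -L . -mindepth 1 -maxdepth 1 -type d -name "*_*" -a ! -name "_common" -exec rm -rf {} \;` keeps the same semantics on non-GNU find (`-mindepth`/`-maxdepth` are likewise extensions, but `-maxdepth` was already in use). Note also that `-L` makes `-type d` match symlinks to directories, and `rm -rf` on such a path removes only the link, not its target; if that is the intent, a one-line comment above the rule saying why `-L` is needed would save the next reader from "fixing" it.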
@@ -95,39 +95,14 @@ target_triplet = @target@ @HOST_MACOS_TRUE@am__append_1 = \ @HOST_MACOS_TRUE@ -Wl,-flat_namespace -@HAVE_PERL_TRUE@noinst_PROGRAMS = feature-test$(EXEEXT) \ -@HAVE_PERL_TRUE@ makejournal$(EXEEXT) \ -@HAVE_PERL_TRUE@ pipelined/pipequeries$(EXEEXT) \ -@HAVE_PERL_TRUE@ resolve$(EXEEXT) rndc/gencheck$(EXEEXT) \ -@HAVE_PERL_TRUE@ rpz/dnsrps$(EXEEXT) tkey/keycreate$(EXEEXT) \ -@HAVE_PERL_TRUE@ tkey/keydelete$(EXEEXT) -@HAVE_PERLMOD_TIME_HIRES_TRUE@@HAVE_PERL_TRUE@am__append_2 = serve-stale -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_3 = \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ rpzrecurse - -@HAVE_LIBNGHTTP2_TRUE@@HAVE_PERL_TRUE@am__append_4 = \ -@HAVE_LIBNGHTTP2_TRUE@@HAVE_PERL_TRUE@ doth - -@HAVE_LMDB_TRUE@@HAVE_PERL_TRUE@am__append_5 = nzd2nzf -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_6 = \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ fetchlimit \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ ixfr \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ nsupdate \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ resolver \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ statistics \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ stress \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ upforwd \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ zero - -@HAVE_DNSTAP_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_7 = dnstap -@HAVE_PERLMOD_FILE_FETCH_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_8 = statschannel -@HAVE_PERLMOD_DIGEST_HMAC_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_9 = xfer -@HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_10 = reclimit -@HAVE_PERL_TRUE@@HAVE_PYTHON_TRUE@am__append_11 = kasp keymgr2kasp tcp pipelined -@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@am__append_12 = checkds dispatch rpzextra shutdown timeouts -@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_13 = qmin cookie 
-@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_14 = digdelv dnssec forward -@HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_15 = chain +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@noinst_PROGRAMS = feature-test$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ makejournal$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pipelined/pipequeries$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ resolve$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rndc/gencheck$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpz/dnsrps$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey/keycreate$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey/keydelete$(EXEEXT) subdir = bin/tests/system ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ @@ -136,11 +111,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ 
@@ -165,30 +138,40 @@ am__v_lt_0 = --silent am__v_lt_1 = makejournal_SOURCES = makejournal.c makejournal_OBJECTS = makejournal-makejournal.$(OBJEXT) -@HAVE_PERL_TRUE@makejournal_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) pipelined_pipequeries_SOURCES = pipelined/pipequeries.c am__dirstamp = $(am__leading_dot)dirstamp pipelined_pipequeries_OBJECTS = \ pipelined/pipequeries-pipequeries.$(OBJEXT) -@HAVE_PERL_TRUE@pipelined_pipequeries_DEPENDENCIES = $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) resolve_SOURCES = resolve.c resolve_OBJECTS = resolve-resolve.$(OBJEXT) -@HAVE_PERL_TRUE@resolve_DEPENDENCIES = $(LIBISC_LIBS) $(LIBIRS_LIBS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_DEPENDENCIES = $(LIBISC_LIBS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBIRS_LIBS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) rndc_gencheck_SOURCES = rndc/gencheck.c rndc_gencheck_OBJECTS = rndc/gencheck.$(OBJEXT) rndc_gencheck_LDADD = $(LDADD) rndc_gencheck_DEPENDENCIES = $(LIBISC_LIBS) rpz_dnsrps_SOURCES = rpz/dnsrps.c rpz_dnsrps_OBJECTS = rpz/dnsrps-dnsrps.$(OBJEXT) -@HAVE_PERL_TRUE@rpz_dnsrps_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) tkey_keycreate_SOURCES = tkey/keycreate.c tkey_keycreate_OBJECTS = tkey/keycreate-keycreate.$(OBJEXT) 
-@HAVE_PERL_TRUE@tkey_keycreate_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) tkey_keydelete_SOURCES = tkey/keydelete.c tkey_keydelete_OBJECTS = tkey/keydelete-keydelete.$(OBJEXT) -@HAVE_PERL_TRUE@tkey_keydelete_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
@@ -767,88 +750,181 @@ LIBBIND9_LIBS = \ EXTRA_DIST = . SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver -@HAVE_PERL_TRUE@feature_test_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@makejournal_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@makejournal_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@pipelined_pipequeries_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@pipelined_pipequeries_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@resolve_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBISC_CFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBIRS_CFLAGS) - -@HAVE_PERL_TRUE@resolve_LDADD = $(LIBISC_LIBS) $(LIBIRS_LIBS) $(LIBDNS_LIBS) -@HAVE_PERL_TRUE@rpz_dnsrps_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@rpz_dnsrps_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@tkey_keycreate_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@tkey_keycreate_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@tkey_keydelete_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@tkey_keydelete_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@TESTS = $(am__append_2) $(am__append_3) \ -@HAVE_PERL_TRUE@ $(am__append_4) acl additional addzone \ -@HAVE_PERL_TRUE@ allow-query auth autosign builtin cacheclean \ -@HAVE_PERL_TRUE@ case catz cds checkconf checknames checkzone \ -@HAVE_PERL_TRUE@ database dialup dlzexternal dns64 dsdigest \ -@HAVE_PERL_TRUE@ dupsigs dyndb ecdsa eddsa ednscompliance \ -@HAVE_PERL_TRUE@ 
emptyzones enginepkcs11 filter-aaaa formerr \ -@HAVE_PERL_TRUE@ geoip2 glue idna include-multiplecfg inline \ -@HAVE_PERL_TRUE@ integrity hooks host journal keepalive \ -@HAVE_PERL_TRUE@ keyfromlabel legacy limits logfileconfig \ -@HAVE_PERL_TRUE@ masterfile masterformat metadata mirror mkeys \ -@HAVE_PERL_TRUE@ names notify nsec3 nslookup padding pending \ -@HAVE_PERL_TRUE@ redirect rndc rootkeysentinel rpz rrchecker \ -@HAVE_PERL_TRUE@ rrl rrsetorder rsabigexponent runtime sfcache \ -@HAVE_PERL_TRUE@ smartsign sortlist spf staticstub stub \ -@HAVE_PERL_TRUE@ synthfromdnssec tkey tools transport-acl tsig \ -@HAVE_PERL_TRUE@ tsiggss ttl unknown verify views wildcard \ -@HAVE_PERL_TRUE@ xferquota zonechecks $(am__append_5) \ -@HAVE_PERL_TRUE@ $(am__append_6) $(am__append_7) \ -@HAVE_PERL_TRUE@ $(am__append_8) $(am__append_9) \ -@HAVE_PERL_TRUE@ $(am__append_10) $(am__append_11) \ -@HAVE_PERL_TRUE@ $(am__append_12) $(am__append_13) \ -@HAVE_PERL_TRUE@ $(am__append_14) $(am__append_15) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@feature_test_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_LDADD = \ 
+@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBISC_CFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBIRS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_LDADD = $(LIBISC_LIBS) $(LIBIRS_LIBS) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + + +# Longer running tests are listed (and executed) first to take the most 
+# advantage of parallel execution. +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@TESTS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpz \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpzrecurse \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ serve-stale \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ timeouts \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ upforwd \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ acl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ additional \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ addzone \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ allow-query \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ auth \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ autosign \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ builtin \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cacheclean \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ case \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ catz \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cds \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ chain \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkconf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkds \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checknames \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkzone \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cookie \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ database \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dialup \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ digdelv \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dispatch \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dlzexternal \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dns64 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dnssec \ 
+@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dnstap \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ doth \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dsdigest \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dupsigs \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dyndb \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ecdsa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ eddsa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ednscompliance \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ emptyzones \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ enginepkcs11 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ filter-aaaa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ fetchlimit \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ formerr \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ forward \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ geoip2 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ glue \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ idna \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ include-multiplecfg \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ inline \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ integrity \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ixfr \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ hooks \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ host \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ journal \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ kasp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keepalive \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keyfromlabel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keymgr2kasp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ legacy \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ limits \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ 
logfileconfig \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ masterfile \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ masterformat \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ metadata \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ mirror \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ mkeys \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ names \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ notify \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nsec3 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nslookup \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nsupdate \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nzd2nzf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ padding \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pending \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pipelined \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ qmin \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ reclimit \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ redirect \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ resolver \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rndc \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rootkeysentinel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpzextra \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrchecker \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrsetorder \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rsabigexponent \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ runtime \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ sfcache \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ shutdown \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ smartsign \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ sortlist \ 
+@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ spf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ staticstub \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ statistics \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ statschannel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ stress \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ stub \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ synthfromdnssec \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tcp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tools \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ transport-acl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tsig \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tsiggss \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ttl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ unknown \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ verify \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ views \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ wildcard \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ xfer \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ xferquota \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ zero \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ zonechecks + LOG_DRIVER_V = $(LOG_DRIVER_V_@AM_V@) LOG_DRIVER_V_ = $(LOG_DRIVER_V_@AM_DEFAULT_V@) LOG_DRIVER_V_0 = --verbose no LOG_DRIVER_V_1 = --verbose yes LOG_DRIVER = $(srcdir)/custom-test-driver AM_LOG_DRIVER_FLAGS = $(LOG_DRIVER_V) -LOG_COMPILER = $(builddir)/legacy.run.sh -AM_LOG_FLAGS = -r +LOG_COMPILER = $(srcdir)/run.sh all: all-recursive .SUFFIXES: 
@@ -1369,9 +1445,9 @@ recheck: all am__force_recheck=am--force-recheck \ TEST_LOGS="$$log_list"; \ exit $$? -serve-stale.log: serve-stale - @p='serve-stale'; \ - b='serve-stale'; \ +rpz.log: rpz + @p='rpz'; \ + b='rpz'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1383,9 +1459,23 @@ rpzrecurse.log: rpzrecurse --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -doth.log: doth - @p='doth'; \ - b='doth'; \ +serve-stale.log: serve-stale + @p='serve-stale'; \ + b='serve-stale'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +timeouts.log: timeouts + @p='timeouts'; \ + b='timeouts'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +upforwd.log: upforwd + @p='upforwd'; \ + b='upforwd'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ 
@@ -1467,6 +1557,13 @@ cds.log: cds --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +chain.log: chain + @p='chain'; \ + b='chain'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) checkconf.log: checkconf @p='checkconf'; \ b='checkconf'; \ @@ -1474,6 +1571,13 @@ checkconf.log: checkconf --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +checkds.log: checkds + @p='checkds'; \ + b='checkds'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) checknames.log: checknames @p='checknames'; \ b='checknames'; \ @@ -1488,6 +1592,13 @@ checkzone.log: checkzone --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +cookie.log: cookie + @p='cookie'; \ + b='cookie'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) database.log: database @p='database'; \ b='database'; \ 
@@ -1502,6 +1613,20 @@ dialup.log: dialup --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +digdelv.log: digdelv + @p='digdelv'; \ + b='digdelv'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dispatch.log: dispatch + @p='dispatch'; \ + b='dispatch'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) dlzexternal.log: dlzexternal @p='dlzexternal'; \ b='dlzexternal'; \ @@ -1516,6 +1641,27 @@ dns64.log: dns64 --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +dnssec.log: dnssec + @p='dnssec'; \ + b='dnssec'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dnstap.log: dnstap + @p='dnstap'; \ + b='dnstap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +doth.log: doth + @p='doth'; \ + b='doth'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) dsdigest.log: dsdigest @p='dsdigest'; \ b='dsdigest'; \ 
@@ -1579,6 +1725,13 @@ filter-aaaa.log: filter-aaaa --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +fetchlimit.log: fetchlimit + @p='fetchlimit'; \ + b='fetchlimit'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) formerr.log: formerr @p='formerr'; \ b='formerr'; \ @@ -1586,6 +1739,13 @@ formerr.log: formerr --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +forward.log: forward + @p='forward'; \ + b='forward'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) geoip2.log: geoip2 @p='geoip2'; \ b='geoip2'; \ @@ -1628,6 +1788,13 @@ integrity.log: integrity --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +ixfr.log: ixfr + @p='ixfr'; \ + b='ixfr'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) hooks.log: hooks @p='hooks'; \ b='hooks'; \ 
@@ -1649,6 +1816,13 @@ journal.log: journal --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +kasp.log: kasp + @p='kasp'; \ + b='kasp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) keepalive.log: keepalive @p='keepalive'; \ b='keepalive'; \ @@ -1663,6 +1837,13 @@ keyfromlabel.log: keyfromlabel --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +keymgr2kasp.log: keymgr2kasp + @p='keymgr2kasp'; \ + b='keymgr2kasp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) legacy.log: legacy @p='legacy'; \ b='legacy'; \ @@ -1747,6 +1928,20 @@ nslookup.log: nslookup --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +nsupdate.log: nsupdate + @p='nsupdate'; \ + b='nsupdate'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +nzd2nzf.log: nzd2nzf + @p='nzd2nzf'; \ + b='nzd2nzf'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) padding.log: padding @p='padding'; \ b='padding'; \ 
@@ -1761,6 +1956,27 @@ pending.log: pending --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +pipelined.log: pipelined + @p='pipelined'; \ + b='pipelined'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +qmin.log: qmin + @p='qmin'; \ + b='qmin'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +reclimit.log: reclimit + @p='reclimit'; \ + b='reclimit'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) redirect.log: redirect @p='redirect'; \ b='redirect'; \ @@ -1768,6 +1984,13 @@ redirect.log: redirect --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +resolver.log: resolver + @p='resolver'; \ + b='resolver'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) rndc.log: rndc @p='rndc'; \ b='rndc'; \ 
@@ -1782,9 +2005,9 @@ rootkeysentinel.log: rootkeysentinel --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -rpz.log: rpz - @p='rpz'; \ - b='rpz'; \ +rpzextra.log: rpzextra + @p='rpzextra'; \ + b='rpzextra'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1831,6 +2054,13 @@ sfcache.log: sfcache --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +shutdown.log: shutdown + @p='shutdown'; \ + b='shutdown'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) smartsign.log: smartsign @p='smartsign'; \ b='smartsign'; \ 
@@ -1859,6 +2089,27 @@ staticstub.log: staticstub --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +statistics.log: statistics + @p='statistics'; \ + b='statistics'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +statschannel.log: statschannel + @p='statschannel'; \ + b='statschannel'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +stress.log: stress + @p='stress'; \ + b='stress'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) stub.log: stub @p='stub'; \ b='stub'; \ @@ -1873,6 +2124,13 @@ synthfromdnssec.log: synthfromdnssec --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tcp.log: tcp + @p='tcp'; \ + b='tcp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) tkey.log: tkey @p='tkey'; \ b='tkey'; \ 
@@ -1943,97 +2201,6 @@ wildcard.log: wildcard --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -xferquota.log: xferquota - @p='xferquota'; \ - b='xferquota'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -zonechecks.log: zonechecks - @p='zonechecks'; \ - b='zonechecks'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -nzd2nzf.log: nzd2nzf - @p='nzd2nzf'; \ - b='nzd2nzf'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -fetchlimit.log: fetchlimit - @p='fetchlimit'; \ - b='fetchlimit'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -ixfr.log: ixfr - @p='ixfr'; \ - b='ixfr'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -nsupdate.log: nsupdate - @p='nsupdate'; \ - b='nsupdate'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -resolver.log: resolver - @p='resolver'; \ - b='resolver'; \ - $(am__check_pre) $(LOG_DRIVER) 
--test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -statistics.log: statistics - @p='statistics'; \ - b='statistics'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -stress.log: stress - @p='stress'; \ - b='stress'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -upforwd.log: upforwd - @p='upforwd'; \ - b='upforwd'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -zero.log: zero - @p='zero'; \ - b='zero'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dnstap.log: dnstap - @p='dnstap'; \ - b='dnstap'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -statschannel.log: statschannel - @p='statschannel'; \ - b='statschannel'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) xfer.log: xfer @p='xfer'; \ b='xfer'; \ 
@@ -2041,114 +2208,23 @@ xfer.log: xfer --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -reclimit.log: reclimit - @p='reclimit'; \ - b='reclimit'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -kasp.log: kasp - @p='kasp'; \ - b='kasp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -keymgr2kasp.log: keymgr2kasp - @p='keymgr2kasp'; \ - b='keymgr2kasp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -tcp.log: tcp - @p='tcp'; \ - b='tcp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -pipelined.log: pipelined - @p='pipelined'; \ - b='pipelined'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -checkds.log: checkds - @p='checkds'; \ - b='checkds'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dispatch.log: dispatch - @p='dispatch'; \ - b='dispatch'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file 
$$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -rpzextra.log: rpzextra - @p='rpzextra'; \ - b='rpzextra'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -shutdown.log: shutdown - @p='shutdown'; \ - b='shutdown'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -timeouts.log: timeouts - @p='timeouts'; \ - b='timeouts'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -qmin.log: qmin - @p='qmin'; \ - b='qmin'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -cookie.log: cookie - @p='cookie'; \ - b='cookie'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -digdelv.log: digdelv - @p='digdelv'; \ - b='digdelv'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dnssec.log: dnssec - @p='dnssec'; \ - b='dnssec'; \ +xferquota.log: xferquota + @p='xferquota'; \ + b='xferquota'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file 
$$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -forward.log: forward - @p='forward'; \ - b='forward'; \ +zero.log: zero + @p='zero'; \ + b='zero'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -chain.log: chain - @p='chain'; \ - b='chain'; \ +zonechecks.log: zonechecks + @p='zonechecks'; \ + b='zonechecks'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -2400,16 +2476,20 @@ dist-hook: sed -n "s|^Would remove \(.*\)|$(distdir)/\1|p" | \ xargs -I{} rm -rf "{}" +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@check: +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@ echo pytest is not available, no tests were ran +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@ exit 1 +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@check: +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@ echo Python is not available, no tests were ran +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@ exit 1 @HAVE_PERL_FALSE@check: @HAVE_PERL_FALSE@ echo Perl is not available, no tests were ran @HAVE_PERL_FALSE@ exit 1 -$(TESTS): legacy.run.sh - test-local: check clean-local:: - -find $(builddir) -maxdepth 1 -type d -name "*_*" | xargs rm -rf + -find -L . -mindepth 1 -maxdepth 1 -type d -name "*_*" -and -not -name "_common" -exec rm -rf {} \; # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/bin/tests/system/README b/bin/tests/system/README index 265a9ef..cb9f71b 100644 --- a/bin/tests/system/README +++ b/bin/tests/system/README 
@@ -14,10 +14,9 @@ Introduction This directory holds a simple test environment for running bind9 system tests involving multiple name servers. -With the exception of "common" (which holds configuration information common to -multiple tests), each directory holds a set of scripts and configuration -files to test different parts of BIND. The directories are named for the -aspect of BIND they test, for example: +Each system test directory holds a set of scripts and configuration files to +test different parts of BIND. The directories are named for the aspect of BIND +they test, for example: dnssec/ DNSSEC tests forward/ Forwarding tests @@ -25,6 +24,9 @@ aspect of BIND they test, for example: etc. +A system test directory must start with an alphabetic character and may not +contain any special characters. Only hyphen may be used as a word separator. + Typically each set of tests sets up 2-5 name servers and then performs one or more tests against them. Within the test subdirectory, each name server has a separate subdirectory containing its configuration data. These subdirectories @@ -323,6 +325,8 @@ setup.sh Run after prereq.sh, this sets up the preconditions for the tests. tests.sh Runs the actual tests. This file is mandatory. +tests_sh_xyz.py A glue file for the pytest runner for executing shell tests. + clean.sh Run at the end to clean up temporary files, but only if the test was completed successfully and its running was not inhibited by the "-n" switch being passed to "legacy.run.sh". Otherwise the 
@@ -542,6 +546,17 @@ e. Retain a count of test failures and return this as the exit status from the script. +tests_sh_xyz.py +--------------- +This glue file is required by the pytest runner in order to find and execute +the shell tests in tests.sh. + +Replace the "xyz" with the system test name and create the file with the +following contents. + + def test_xyz(run_tests_sh): + run_tests_sh() + clean.sh --- The inverse of "setup.sh", this is invoked by the framework to clean up the @@ -695,13 +710,13 @@ or SEQUENTIAL variables. need to edit multiple files to add a test.) -Valgrind +rr --- -When running system tests, named can be run under Valgrind. The output from -Valgrind are sent to per-process files that can be reviewed after the test has -completed. To enable this, set the USE_VALGRIND environment variable to -"helgrind" to run the Helgrind tool, or any other value to run the Memcheck -tool. To use "helgrind" effectively, build BIND with --disable-atomic. + +When running system tests, named can be run under the rr tool. rr records a +trace to the $system_test/nsX/named-Y/ directory, which can be later used to +replay named. To enable this, execute start.pl with the USE_RR environment +variable set. Developer Notes for pytest runner === diff --git a/bin/tests/system/_common/controls.conf.in b/bin/tests/system/_common/controls.conf.in new file mode 100644 index 0000000..1db9286 --- /dev/null +++ b/bin/tests/system/_common/controls.conf.in 
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/_common/rndc.conf b/bin/tests/system/_common/rndc.conf
new file mode 100644
index 0000000..b887ec3
--- /dev/null
+++ b/bin/tests/system/_common/rndc.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ default-key "rndc_key";
+};
+
+key rndc_key {
+ algorithm hmac-sha256;
+ secret "1234abcd8765";
+};
diff --git a/bin/tests/system/_common/rndc.key b/bin/tests/system/_common/rndc.key
new file mode 100644
index 0000000..3ef41c3
--- /dev/null
+++ b/bin/tests/system/_common/rndc.key
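Review bot: The control-channel key in controls.conf.in takes its algorithm from `@DEFAULT_HMAC@`, while the client-side rndc.conf in the same line and rndc.key in the next hunk pin `algorithm hmac-sha256;`; if the substituted DEFAULT_HMAC is ever anything other than hmac-sha256, named and rndc will disagree on the key algorithm and every rndc call in a test that includes these shared _common files will fail authentication. Either make all three files use the same `@DEFAULT_HMAC@` placeholder (turning rndc.conf and rndc.key into .in templates) or pin all three to hmac-sha256, and add a comment above the key block such as `// algorithm must match _common/rndc.conf and _common/rndc.key` so the coupling is visible. The listen address `inet 10.53.0.2` is also fixed in a template that lives under _common, so a server other than ns2 that includes it would try to open the control channel on an address it does not own — worth confirming the file is only meant for ns2, or documenting that in a header comment.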
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/_common/root.hint b/bin/tests/system/_common/root.hint
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/_common/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index c3343a3..d87b1a7 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -47,7 +47,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" {
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index ac9ac84..2456e99 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -47,7 +47,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" {
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in index efa73fa..99320a7 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -60,7 +60,7 @@ acl accept { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in index 54c0da3..08bd80c 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -59,7 +59,7 @@ acl check2 { !key two; 10.53.0.2; }; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in index e5b57f0..94371d0 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -49,7 +49,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index 48536da..4e6c241 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 t=0 
@@ -25,15 +25,20 @@ echo_i "testing basic ACL processing" # key "one" should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other key should be fine t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} copy_setports ns2/named2.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 
@@ -42,19 +47,28 @@ sleep 5 # prefix 10/8 should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other address should work, as long as it sends key "one" t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} echo_i "testing nested ACL processing" # all combinations of 10.53.0.{1|2} with key {one|two}, should succeed 
@@ -65,43 +79,64 @@ sleep 5 # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # but only one or the other should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} t=$((t + 1)) $DIG $DIGOPTS tsigzone. 
\ - @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $tt failed" + status=1 +} # and other values? right out t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two copy_setports ns2/named4.conf.in ns2/named.conf 
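Review bot: The reformatted failure branch for the unauthenticated AXFR check (the `-b 10.53.0.2 axfr` call with no `-y` key, at the top of this line) still prints `echo_i "test $tt failed"`; `$tt` is never assigned anywhere in the visible script, and since the file uses `set -e` without `-u` it silently expands to nothing, so a failure is reported as "test  failed" with no test number. It should read `echo_i "test $t failed"` like every other branch in this hunk. This is pre-existing rather than introduced here, but the hunk already rewrites that exact block, so it is the natural place to carry the one-character fix along.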
@@ -111,32 +146,47 @@ sleep 5 # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing allow-query-on ACL processing" copy_setports ns2/named5.conf.in ns2/named.conf 
@@ -144,27 +194,30 @@ rndc_reload ns2 10.53.0.2 sleep 5 t=$((t + 1)) $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.${t} -grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 >dig.out.${t} +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing blackhole ACL processing" t=$((t + 1)) ret=0 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.1.${t} -grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.1.${t} +grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} && ret=1 -grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1 -grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} && ret=1 +grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1 +grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.3.${t} -grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.3.${t} +grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. \ - @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} && ret=1 -grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1 -grep "timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1 -grep ";; no servers could be reached" dig.out.4.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} && ret=1 +grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1 +grep "timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1 +grep ";; no servers could be reached" dig.out.4.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) 
@@ -179,7 +232,7 @@ sleep 1
 t=$((t + 1))
 ret=0
 echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
-$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
+$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
@@ -192,7 +245,7 @@ sleep 1
 t=$((t + 1))
 ret=0
 echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
-$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
+$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
@@ -208,7 +261,7 @@ sleep 1
 t=$((t + 1))
 ret=0
 echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
-$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
+$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
@@ -221,7 +274,7 @@ sleep 1
 t=$((t + 1))
 ret=0
 echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
-$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
+$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1
 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
diff --git a/bin/tests/system/additional/ns1/named1.conf.in b/bin/tests/system/additional/ns1/named1.conf.in
index d058d1e..0d07e54 100644
--- a/bin/tests/system/additional/ns1/named1.conf.in
+++ b/bin/tests/system/additional/ns1/named1.conf.in
@@ -25,7 +25,7 @@ options {
 minimal-responses yes;
 };
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/additional/ns1/named2.conf.in b/bin/tests/system/additional/ns1/named2.conf.in
index 56c6d4b..efed639 100644
--- a/bin/tests/system/additional/ns1/named2.conf.in
+++ b/bin/tests/system/additional/ns1/named2.conf.in
@@ -25,7 +25,7 @@ options {
 minimal-responses no;
 };
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/additional/ns1/named3.conf.in b/bin/tests/system/additional/ns1/named3.conf.in
index ad453a3..0ff7125 100644
--- a/bin/tests/system/additional/ns1/named3.conf.in
+++ b/bin/tests/system/additional/ns1/named3.conf.in
@@ -26,7 +26,7 @@ options {
 minimal-responses no-auth;
 };
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/additional/ns1/named4.conf.in b/bin/tests/system/additional/ns1/named4.conf.in
index 69479b9..8c53086 100644
--- a/bin/tests/system/additional/ns1/named4.conf.in
+++ b/bin/tests/system/additional/ns1/named4.conf.in
@@ -25,7 +25,7 @@ options {
 minimal-responses no-auth-recursive;
 };
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
index a50004c..193c9f9 100644
--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
@@ -16,235 +16,251 @@ set -e
 . ../conf.sh
 
 DIGOPTS="-p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 
 status=0
 n=0
 
 dotests() {
- n=$((n + 1))
- echo_i "test with RT, single zone (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with RT, two zones (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NAPTR, single zone (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NAPTR, two zones (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with LP (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
- case $minimal in
+ n=$((n + 1))
+ echo_i "test with RT, single zone (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with RT, two zones (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NAPTR, single zone (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NAPTR, two zones (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with LP (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ case $minimal in
 no)
- grep -w "NS" dig.out.$n > /dev/null || ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null || ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
 yes)
- grep -w "NS" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
+ grep -w "NS" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
 ;;
 no-auth)
- grep -w "NS" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
 no-auth-recursive)
- grep -w "NS" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
- esac
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NID (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $minimal = no ] ; then
- # change && to || when we support NID additional processing
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- else
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- fi
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NID + LP (+rec) ($n)"
- ret=0
- $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $minimal = no ] ; then
- # change && to || when we support NID additional processing
- grep -w "LP" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- else
- grep -w "LP" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- fi
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with RT, single zone (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with RT, two zones (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NAPTR, single zone (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NAPTR, two zones (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with LP (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
- case $minimal in
+ esac
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NID (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $minimal = no ]; then
+ # change && to || when we support NID additional processing
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ else
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ fi
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NID + LP (+rec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $minimal = no ]; then
+ # change && to || when we support NID additional processing
+ grep -w "LP" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ else
+ grep -w "LP" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ fi
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with RT, single zone (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with RT, two zones (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NAPTR, single zone (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NAPTR, two zones (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with LP (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ case $minimal in
 no)
- grep -w "NS" dig.out.$n > /dev/null || ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null || ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
 yes)
- grep -w "NS" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
+ grep -w "NS" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
 ;;
 no-auth)
- grep -w "NS" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
 no-auth-recursive)
- grep -w "NS" dig.out.$n > /dev/null || ret=1
- grep -w "L64" dig.out.$n > /dev/null || ret=1
- grep -w "L32" dig.out.$n > /dev/null || ret=1
+ grep -w "NS" dig.out.$n >/dev/null || ret=1
+ grep -w "L64" dig.out.$n >/dev/null || ret=1
+ grep -w "L32" dig.out.$n >/dev/null || ret=1
 ;;
- esac
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NID (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $minimal = no ] ; then
- # change && to || when we support NID additional processing
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- else
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- fi
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NID + LP (+norec) ($n)"
- ret=0
- $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
- if [ $minimal = no ] ; then
- # change && to || when we support NID additional processing
- grep -w "LP" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- else
- grep -w "LP" dig.out.$n > /dev/null && ret=1
- grep -w "L64" dig.out.$n > /dev/null && ret=1
- grep -w "L32" dig.out.$n > /dev/null && ret=1
- fi
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NS, root zone ($n)"
- ret=0
- $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
- # Always expect glue for root priming queries, regardless $minimal
- grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
-
- n=$((n + 1))
- echo_i "test with NS, non-root zone ($n)"
- ret=0
- $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
- case $minimal in
+ esac
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NID (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $minimal = no ]; then
+ # change && to || when we support NID additional processing
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ else
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ fi
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NID + LP (+norec) ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1
+ if [ $minimal = no ]; then
+ # change && to || when we support NID additional processing
+ grep -w "LP" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ else
+ grep -w "LP" dig.out.$n >/dev/null && ret=1
+ grep -w "L64" dig.out.$n >/dev/null && ret=1
+ grep -w "L32" dig.out.$n >/dev/null && ret=1
+ fi
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NS, root zone ($n)"
+ ret=0
+ $DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1
+ # Always expect glue for root priming queries, regardless $minimal
+ grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
+
+ n=$((n + 1))
+ echo_i "test with NS, non-root zone ($n)"
+ ret=0
+ $DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
+ case $minimal in
 yes)
- grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+ grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
 ;;
 no)
- grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+ grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
 ;;
 no-auth)
- grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+ grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
 ;;
 no-auth-recursive)
- grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+ grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1
 ;;
- esac
- if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
- fi
+ esac
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+ fi
 }
 
 echo_i "testing with 'minimal-responses yes;'"
@@ -262,10 +278,11 @@ dotests
 n=$((n + 1))
 echo_i "testing with 'minimal-any no;' ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 echo_i "reconfiguring server: minimal-any yes"
@@ -275,28 +292,31 @@ rndc_reconfig ns1 10.53.0.1
 n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over UDP ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over TCP ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing with 'minimal-any yes;' over UDP ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 echo_i "testing with 'minimal-responses no-auth;'"
@@ -314,23 +334,25 @@ dotests
 n=$((n + 1))
 echo_i "testing returning TLSA records with MX query ($n)"
 ret=0
-$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
-grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
-grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
-grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1
+grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1
+grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
+grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing returning TLSA records with SRV query ($n)"
 ret=0
-$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
-grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1
-grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
-grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1
+grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1
+grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1
+grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 echo_i "reconfiguring server: minimal-responses no"
@@ -340,39 +362,43 @@ rndc_reconfig ns1 10.53.0.1
 n=$((n + 1))
 echo_i "testing NS handling in ANY responses (authoritative) ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
-grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
+grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing NS handling in ANY responses (recursive) ($n)"
 ret=0
-$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
-grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
-grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1
+grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
+grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
 ret=0
-$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1
+grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 n=$((n + 1))
 echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
 ret=0
-$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
-grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=$((status+1))
+$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1
+grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1
+if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
 fi
 
 echo_i "exit status: $status"
diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in
index 9015e1b..8c94791 100644
--- a/bin/tests/system/addzone/ns1/named.conf.in
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -33,7 +33,7 @@ options {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "inlinesec.example" {
diff --git a/bin/tests/system/addzone/ns2/named1.conf.in b/bin/tests/system/addzone/ns2/named1.conf.in
index 23be60e..bd94f6e 100644
--- a/bin/tests/system/addzone/ns2/named1.conf.in
+++ b/bin/tests/system/addzone/ns2/named1.conf.in
@@ -22,7 +22,7 @@ options {
 dnssec-validation no;
 };
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -30,7 +30,7 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "normal.example" {
diff --git a/bin/tests/system/addzone/ns2/named2.conf.in b/bin/tests/system/addzone/ns2/named2.conf.in
index 8b0f23d..ef9adeb 100644
--- a/bin/tests/system/addzone/ns2/named2.conf.in
+++ b/bin/tests/system/addzone/ns2/named2.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -36,7 +36,7 @@ view internal {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "policy" {
@@ -51,7 +51,7 @@ view external {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 };
diff --git a/bin/tests/system/addzone/ns2/named3.conf.in b/bin/tests/system/addzone/ns2/named3.conf.in
index 7078ce9..ca934c4 100644
--- a/bin/tests/system/addzone/ns2/named3.conf.in
+++ b/bin/tests/system/addzone/ns2/named3.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -36,7 +36,7 @@ view internal {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "policy" {
@@ -51,7 +51,7 @@ view directory {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 };
@@ -61,7 +61,7 @@ view external {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 };
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
index 6c512a6..0202b8e 100644
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in
index 6ca25f1..2e95b4c 100644
--- a/bin/tests/system/addzone/ns3/named2.conf.in
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh
index 2937e79..39b4fdb 100755
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
@@ -16,12 +16,12 @@ set -e
 . ../conf.sh
 
 DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 
 check_zonestatus() (
- $RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" &&
- grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null &&
- grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null
+ $RNDCCMD "10.53.0.$1" zonestatus -redirect >"zonestatus.out.ns$1.$n" \
+ && grep "type: redirect" "zonestatus.out.ns$1.$n" >/dev/null \
+ && grep "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null
 )
 
 status=0
@@ -29,9 +29,9 @@ n=0
 
 echo_i "checking normally loaded zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -40,28 +40,28 @@ status=$((status + ret))
 # NZF to NZD occurs during named startup
 echo_i "checking previously added zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.previous.example' dig.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 if $FEATURETEST --with-lmdb; then
- echo_i "checking that existing NZF file was renamed after migration ($n)"
- [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "checking that existing NZF file was renamed after migration ($n)"
+ [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 
 echo_i "adding new zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
-_check_adding_new_zone () (
- $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.added.example' dig.out.ns2.$n > /dev/null
+_check_adding_new_zone() (
+ $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.added.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_adding_new_zone || ret=1
 n=$((n + 1))
@@ -71,7 +71,7 @@ status=$((status + ret))
 nextpart ns2/named.run >/dev/null
 echo_i "checking addzone errors are logged correctly"
 ret=0
-$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
 wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -80,7 +80,7 @@ status=$((status + ret))
 nextpart ns2/named.run >/dev/null
 echo_i "checking modzone errors are logged correctly"
 ret=0
-$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1
 wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -91,9 +91,9 @@ ret=0
 $RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_zone_that_requires_quotes() (
- $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_zone_that_requires_quotes || ret=1
 n=$((n + 1))
@@ -104,9 +104,9 @@ echo_i "adding a zone with a quote in the name ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_zone_with_a_quote() (
- $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.foo\\"bar.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_zone_with_a_quote || ret=1
 n=$((n + 1))
@@ -115,30 +115,30 @@ status=$((status + ret))
 echo_i "adding new zone with missing file ($n)"
 ret=0
-$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1
-grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1
-$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n && ret=1
-grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
-$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1
-grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1
+$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.pre.$n || ret=1
+grep "status: REFUSED" dig.out.ns2.pre.$n >/dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2>rndc.out.ns2.$n && ret=1
+grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
+$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.post.$n || ret=1
+grep "status: REFUSED" dig.out.ns2.post.$n >/dev/null || ret=1
 digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 if ! $FEATURETEST --with-lmdb; then
- echo_i "verifying no comments in NZF file ($n)"
- ret=0
- hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
- [ $hcount -eq 0 ] || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "verifying no comments in NZF file ($n)"
+ ret=0
+ hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
+ [ $hcount -eq 0 ] || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 echo_i "checking rndc showzone with previously added zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 showzone previous.example >rndc.out.ns2.$n
 expected='zone "previous.example" { type primary; file "previous.db"; };'
 [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
 n=$((n + 1))
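Review bot: `hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)` followed by `[ $hcount -eq 0 ] || ret=1` runs a pipeline to answer a question grep can answer by itself; `[ "$(grep -c "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf)" -eq 0 ] || ret=1` is the same check without `wc`. The same count-then-compare pattern appears in the `@@ -167` and `@@ -500` hunks. This is a style point only; the commit's reformatting preserves the behaviour.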
@@ -146,20 +146,20 @@ status=$((status + ret))
 if $FEATURETEST --with-lmdb; then
- echo_i "checking zone is present in NZD ($n)"
- ret=0
- $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "checking zone is present in NZD ($n)"
+ ret=0
+ $NZD2NZF ns2/_default.nzd | grep previous.example >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 echo_i "deleting previously added zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /'
 _check_deleting_previously_added_zone() (
- $DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n &&
- grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
- ! grep '^a.previous.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n \
+ && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
+ && ! grep '^a.previous.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_previously_added_zone || ret=1
 n=$((n + 1))
@@ -167,34 +167,34 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 check_nzd2nzf() (
- $NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n &&
- ! grep previous.example nzd2nzf.out.$n > /dev/null
+ $NZD2NZF ns2/_default.nzd >nzd2nzf.out.$n \
+ && ! grep previous.example nzd2nzf.out.$n >/dev/null
 )
 if $FEATURETEST --with-lmdb; then
- echo_i "checking zone was deleted from NZD ($n)"
- retry_quiet 10 check_nzd2nzf || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "checking zone was deleted from NZD ($n)"
+ retry_quiet 10 check_nzd2nzf || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 if ! $FEATURETEST --with-lmdb; then
- echo_i "checking NZF file now has comment ($n)"
- ret=0
- hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
- [ $hcount -eq 1 ] || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "checking NZF file now has comment ($n)"
+ ret=0
+ hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l)
+ [ $hcount -eq 1 ] || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 echo_i "deleting newly added zone added.example ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /'
 _check_deleting_newly_added_zone() (
- $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
- grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
- ! grep '^a.added.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \
+ && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
+ && ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_newly_added_zone || ret=1
 n=$((n + 1))
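Review bot: The lmdb branch under `if $FEATURETEST --with-lmdb; then` runs `retry_quiet 10 check_nzd2nzf || ret=1` without resetting `ret` first, so a failure left over from the preceding delzone check is reported and added to `status` a second time here even when the NZD check itself passes; the same missing `ret=0` precedes the checks in the `@@ -279`, `@@ -299`, `@@ -326` and `@@ -550` hunks. Adding `ret=0` right after each of those `echo_i` lines keeps every check's result independent, as the other checks in the file already do. This branch also does not bump `n`, so the following check is labelled with the same number; if that is intentional for the lmdb-only path a one-line comment saying so would help.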
@@ -205,9 +205,9 @@ echo_i "deleting newly added zone with escaped quote ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /'
 _check_deleting_newly_added_zone_quote() (
- $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
- grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
- ! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \
+ && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
+ && ! grep "^a.foo\"bar.example" dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1
 n=$((n + 1))
@@ -216,7 +216,7 @@ status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 showzone normal.example >rndc.out.ns2.$n
 expected='zone "normal.example" { type primary; file "normal.db"; };'
 [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
 n=$((n + 1))
@@ -225,7 +225,7 @@ status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 showzone finaldot.example >rndc.out.ns2.$n
 expected='zone "finaldot.example." { type primary; file "normal.db"; };'
 [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1
 n=$((n + 1))
@@ -234,7 +234,7 @@ status=$((status + ret))
 echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n
+$RNDCCMD 10.53.0.1 showzone -redirect >rndc.out.ns1.$n
 expected='zone "." { type redirect; file "redirect.db"; };'
 [ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1
 n=$((n + 1))
@@ -243,9 +243,9 @@ status=$((status + ret))
 echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n
-grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1
-grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 zonestatus -redirect >rndc.out.ns1.$n
+grep "type: redirect" rndc.out.ns1.$n >/dev/null || ret=1
+grep "serial: 0" rndc.out.ns1.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -254,7 +254,7 @@ echo_i "checking rndc reload with a normally-loaded redirect zone ($n)"
 ret=0
 sleep 1
 cp -f ns1/redirect.db.2 ns1/redirect.db
-$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n
+$RNDCCMD 10.53.0.1 reload -redirect >rndc.out.ns1.$n
 retry_quiet 5 check_zonestatus 1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -262,13 +262,13 @@ status=$((status + ret))
 echo_i "delete a normally-loaded zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1
-grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11
-grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1
-grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 delzone normal.example >rndc.out.ns2.$n 2>&1
+grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11
+grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n >/dev/null || ret=1
+grep "must also be removed from named.conf." rndc.out.ns2.$n >/dev/null || ret=1
 _check_delete_normally_loaded_zone() (
- $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n &&
- grep 'status: REFUSED' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n \
+ && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 5 _check_delete_normally_loaded_zone || ret=1
@@ -279,9 +279,9 @@ status=$((status + ret))
 echo_i "attempting to add primary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_add_primary_zone_with_inline() (
- $DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.inline.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.inline.example a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.inline.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 5 _check_add_primary_zone_with_inline || ret=1
 n=$((n + 1))
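Review bot: `grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11` looks like a typo for `ret=1`: every other check in the file sets `ret=1`, and the stray value adds 11 rather than 1 to `status` when that line of delzone's output is missing. The commit reformats the redirect on this line but carries the value over; `grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=1` keeps the failure accounting consistent with the sibling greps.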
@@ -290,8 +290,8 @@ status=$((status + ret))
 echo_i "attempting to add primary zone with inline signing and missing file ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n && ret=1
-grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2>rndc.out.ns2.$n && ret=1
+grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -299,9 +299,9 @@ status=$((status + ret))
 echo_i "attempting to add secondary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_add_secondary_with_inline() (
- $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 5 _check_add_secondary_with_inline || ret=1
 n=$((n + 1))
@@ -311,14 +311,16 @@ status=$((status + ret))
 echo_i "attempting to delete secondary zone with inline signing ($n)"
 ret=0
 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
-$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1
-test -f inlinesec.bk ||
-grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || {
- echo_i "failed to report inlinesec.bk"; ret=1;
+$RNDCCMD 10.53.0.2 delzone inlinesec.example >rndc.out2.test$n 2>&1 || ret=1
+test -f inlinesec.bk \
+ || grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || {
+ echo_i "failed to report inlinesec.bk"
+ ret=1
 }
-test ! -f inlinesec.bk.signed ||
-grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || {
- echo_i "failed to report inlinesec.bk.signed"; ret=1;
+test ! -f inlinesec.bk.signed \
+ || grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || {
+ echo_i "failed to report inlinesec.bk.signed"
+ ret=1
 }
 n=$((n + 1))
 status=$((status + ret))
@@ -326,9 +328,9 @@ status=$((status + ret))
 echo_i "restoring secondary zone with inline signing ($n)"
 $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_restoring_secondary_with_inline() (
- $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
- grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
- grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \
+ && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \
+ && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 5 _check_restoring_secondary_with_inline || ret=1
 n=$((n + 1))
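Review bot: The two guards after the delzone call are asymmetric and test bare paths: `test -f inlinesec.bk \` and `test ! -f inlinesec.bk.signed \` look in the test's working directory, while the `retry_quiet` line just above checks `ns2/inlinesec.bk.signed` and `ns2/inlinesec.bk`. If those files exist only under `ns2/`, as the preceding line suggests, the first guard is always false and unconditionally demands the grep match, and the second is always true and never checks anything. Presumably both are meant to express "if the file is still on disk, delzone must have listed it", i.e. `test ! -f ns2/inlinesec.bk || grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || {` and `test ! -f ns2/inlinesec.bk.signed || grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || {`; worth confirming against what `rndc delzone` actually reports before changing. This block also lacks the `if [ $ret != 0 ]; then echo_i "failed"; fi` line every sibling check prints, so a failure here is counted in `status` but never announced.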
@@ -338,7 +340,7 @@ status=$((status + ret))
 echo_i "deleting secondary zone with automatic zone file removal ($n)"
 ret=0
 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
-$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1
 retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk
 n=$((n + 1))
 status=$((status + ret))
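Review bot: The post-condition `retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk` has no `|| ret=1`, so when `delzone -clean` leaves the zone files behind this check still passes; the `delzone -clean` line above it likewise discards both its exit status and its output. Appending `|| ret=1` to both lines (`$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1 || ret=1` and `retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk || ret=1`) makes the "automatic zone file removal" the label promises actually verified. The block also omits the `if [ $ret != 0 ]; then echo_i "failed"; fi` line its siblings print, so even the existing precondition failure is silent.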
@@ -346,38 +348,38 @@ status=$((status + ret))
 echo_i "modifying zone configuration ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i
-$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
 $RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i
-$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1
-$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.2.$n || ret=1
+$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' >/dev/null 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that adding a 'stub' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that adding a 'static-stub' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' >rndc.out.ns2.$n 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that adding a 'primary redirect' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' >rndc.out.ns2.$n 2>&1 || ret=1
 _check_add_primary_redirect() (
- $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
- grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
- $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
- grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
- grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
+ $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
+ && grep "type redirect;" showzone.out.ns2.$n >/dev/null \
+ && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
+ && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
+ && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_add_primary_redirect || ret=1
 n=$((n + 1))
@@ -388,7 +390,7 @@ echo_i "check that reloading a added 'primary redirect' zone works ($n)"
 ret=0
 sleep 1
 cp -f ns2/redirect.db.2 ns2/redirect.db
-$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n
+$RNDCCMD 10.53.0.2 reload -redirect >rndc.out.ns2.$n
 retry_quiet 10 check_zonestatus 2 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -396,17 +398,17 @@ status=$((status + ret))
 echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1
+$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that deleting a 'primary redirect' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
 _check_deleting_primary_redirect() (
- $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
- grep 'not found' showzone.out.ns2.$n > /dev/null
+ $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
+ grep 'not found' showzone.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_primary_redirect || ret=1
 n=$((n + 1))
@@ -415,13 +417,13 @@ status=$((status + ret))
 echo_i "check that adding a 'secondary redirect' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1
 _check_adding_secondary_redirect() (
- $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
- grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
- $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
- grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
- grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
+ $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \
+ && grep "type redirect;" showzone.out.ns2.$n >/dev/null \
+ && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
+ && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
+ && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_adding_secondary_redirect || ret=1
 n=$((n + 1))
@@ -431,12 +433,12 @@ status=$((status + ret))
 echo_i "check that retransfering a added 'secondary redirect' zone works ($n)"
 ret=0
 cp -f ns3/redirect.db.2 ns3/redirect.db
-$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 reload . >showzone.out.ns3.$n 2>&1 || ret=1
 _check_retransfering_secondary_redirect() (
- $RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 &&
- $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
- grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
- grep "serial: 1" zonestatus.out.ns2.$n > /dev/null
+ $RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 \
+ && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \
+ && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \
+ && grep "serial: 1" zonestatus.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_retransfering_secondary_redirect || ret=1
 n=$((n + 1))
@@ -445,10 +447,10 @@ status=$((status + ret))
 echo_i "check that deleting a 'secondary redirect' zone works ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1
 _check_deleting_secondary_redirect() (
- $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
- grep 'not found' showzone.out.ns2.$n > /dev/null
+ $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true
+ grep 'not found' showzone.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_secondary_redirect || ret=1
 n=$((n + 1))
@@ -457,32 +459,32 @@ status=$((status + ret))
 echo_i "check that zone type 'hint' is properly rejected ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1
-grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' >rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that zone type 'forward' is properly rejected ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1
-grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' >rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that zone type 'delegation-only' is properly rejected ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1
-grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' >rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check that 'in-view' zones are properly rejected ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
-grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' >rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -500,48 +502,48 @@ echo_i "adding new zone to external view ($n)"
 # the zone does not exist because a) it has not yet been loaded, b)
 # it failed to load, or c) it has been deleted.
 ret=0
-$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
-$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
-grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 if ! $FEATURETEST --with-lmdb; then
- echo_i "checking new NZF file has comment ($n)"
- ret=0
- hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
- [ $hcount -eq 1 ] || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "checking new NZF file has comment ($n)"
+ ret=0
+ hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l)
+ [ $hcount -eq 1 ] || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 if $FEATURETEST --with-lmdb; then
- echo_i "verifying added.example in external view created an external.nzd DB ($n)"
- ret=0
- [ -e ns2/external.nzd ] || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ echo_i "verifying added.example in external view created an external.nzd DB ($n)"
+ ret=0
+ [ -e ns2/external.nzd ] || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
 _check_rndc_reload_external_view_config() (
- $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
- grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
- $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
- grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
- grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
+ $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
+ && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
+ && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
+ && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
+ && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
 )
 retry_quiet 10 _check_rndc_reload_external_view_config || ret=1
 n=$((n + 1))
@@ -550,15 +552,15 @@ status=$((status + ret))
 echo_i "checking rndc showzone with newly added zone ($n)"
 _check_rndc_showzone_newly_added() (
- if ! $FEATURETEST --with-lmdb; then
- expected='zone "added.example" in external { type primary; file "added.db"; };'
- else
- expected='zone "added.example" { type primary; file "added.db"; };'
- fi
- $RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null &&
- [ "$(cat rndc.out.ns2.$n)" = "$expected" ]
+ if ! $FEATURETEST --with-lmdb; then
+ expected='zone "added.example" in external { type primary; file "added.db"; };'
+ else
+ expected='zone "added.example" { type primary; file "added.db"; };'
+ fi
+ $RNDCCMD 10.53.0.2 showzone added.example in external >rndc.out.ns2.$n 2>/dev/null \
+ && [ "$(cat rndc.out.ns2.$n)" = "$expected" ]
 )
-retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
+retry_quiet 10 _check_rndc_showzone_newly_added || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -567,9 +569,9 @@ echo_i "deleting newly added zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
 _check_deleting_newly_added_zone() (
- $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n &&
- grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
- ! grep '^a.added.example' dig.out.ns2.$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n \
+ && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \
+ && ! grep '^a.added.example' dig.out.ns2.$n >/dev/null
 )
 retry_quiet 10 _check_deleting_newly_added_zone || ret=1
 n=$((n + 1))
@@ -578,22 +580,22 @@ status=$((status + ret))
 echo_i "attempting to add zone to internal view ($n)"
 ret=0
-$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1
-$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n && ret=1
-grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.pre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.pre.$n >/dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2>rndc.out.ns2.$n && ret=1
+grep "permission denied" rndc.out.ns2.$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "attempting to delete a policy zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1
-grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 && ret=1
+grep 'cannot be deleted' rndc.out.ns2.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
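Review bot: `$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 && ret=1` ends in `>&1`, which redirects stdout to itself and does nothing, so only stderr reaches the file that the next `grep 'cannot be deleted'` reads. If rndc prints the refusal on stderr this works, and the suffix is just noise; if both streams were meant to be captured the order has to be `>rndc.out.ns2.$n 2>&1`. The "permission denied" check earlier in the same hunk captures stderr alone with `2>rndc.out.ns2.$n`, so dropping the `>&1` is presumably the intended form, and it is worth a quick confirmation of which stream carries the message.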
@@ -602,11 +604,11 @@ echo_i "adding new zone again to external view ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
 _check_adding_new_zone_again_external() (
- $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
- grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
- $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
- grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
- grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
+ $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \
+ && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \
+ && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \
+ && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \
+ && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null
 )
 retry_quiet 10 _check_adding_new_zone_again_external || ret=1
 n=$((n + 1))
@@ -620,9 +622,9 @@ rndc_reconfig ns2 10.53.0.2
 echo_i "checking new zone is still loaded after dir change ($n)"
 ret=0
-$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
-grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -630,39 +632,39 @@ status=$((status + ret))
 echo_i "deleting newly added zone from external ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
-$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "adding new zone to directory view ($n)"
 ret=0
-$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dirpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.dirpre.$n >/dev/null || ret=1
 $RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
-$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
-$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1
-grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dir.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.dir.$n >/dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.dir.$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 if $FEATURETEST --with-lmdb; then
- echo_i "checking NZD file was created in new-zones-directory ($n)"
- expect=ns2/new-zones/directory.nzd
+ echo_i "checking NZD file was created in new-zones-directory ($n)"
+ expect=ns2/new-zones/directory.nzd
 else
- echo_i "checking NZF file was created in new-zones-directory ($n)"
- expect=ns2/new-zones/directory.nzf
+ echo_i "checking NZF file was created in new-zones-directory ($n)"
+ expect=ns2/new-zones/directory.nzf
 fi
 $RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /'
 sleep 2
@@ -674,9 +676,9 @@ status=$((status + ret))
 echo_i "deleting newly added zone from directory ($n)"
 ret=0
 $RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /'
-$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -684,70 +686,69 @@ status=$((status + ret))
 echo_i "ensure the configuration context is cleaned up correctly ($n)"
 ret=0
 rndc_reconfig ns2 10.53.0.2
-$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.2 status >/dev/null 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "check delzone after reconfig failure ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' >/dev/null 2>&1 || ret=1
 copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
-$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 delzone inlinesec.example >/dev/null 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-if ! $FEATURETEST --with-lmdb
-then
- echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
- ret=0
- $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
- $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1
- $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
- $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1
- grep test2.baz ns3/_default.nzf > /dev/null && ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+if ! $FEATURETEST --with-lmdb; then
+ echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
+ ret=0
+ $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
+ $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' >/dev/null 2>&1 && ret=1
+ $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
+ $RNDCCMD 10.53.0.3 delzone "test3.baz" >/dev/null 2>&1 || ret=1
+ grep test2.baz ns3/_default.nzf >/dev/null && ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
 _check_version_bind() (
- $DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n &&
- grep "status: NOERROR" dig.out.test$n > /dev/null
+ $DIG $DIGOPTS @10.53.0.3 version.bind txt ch >dig.out.test$n \
+ && grep "status: NOERROR" dig.out.test$n >/dev/null
 )
 echo_i "check that named restarts with multiple added zones ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1
 stop_server ns3
 start_server --noclean --restart --port ${PORT} ns3 || ret=1
 retry_quiet 10 _check_version_bind || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1
-grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1
-grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1
-grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1
-grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1
-grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1
-grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" >dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.1.test$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" >dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' >dig.out.3.test$n || ret=1
+grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.3.test$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' >dig.out.4.test$n || ret=1
+grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.4.test$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' >dig.out.5.test$n || ret=1
+grep "status: NOERROR" dig.out.5.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.5.test$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' >dig.out.6.test$n || ret=1
+grep "status: NOERROR" dig.out.6.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.6.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py
index bd21d62..fefcc2d 100755
--- a/bin/tests/system/addzone/tests_rndc_deadlock.py
+++ b/bin/tests/system/addzone/tests_rndc_deadlock.py
@@ -22,7 +22,7 @@ def run_rndc(server, rndc_command):
 rndc = os.getenv("RNDC")
 port = os.getenv("CONTROLPORT")
- cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server]
+ cmdline = [rndc, "-c", "../_common/rndc.conf", "-p", port, "-s", server]
 cmdline.extend(rndc_command)
 subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10)
diff --git a/bin/tests/system/allow-query/ns2/named01.conf.in b/bin/tests/system/allow-query/ns2/named01.conf.in
index 3069010..fec3ddd 100644
--- a/bin/tests/system/allow-query/ns2/named01.conf.in
+++ b/bin/tests/system/allow-query/ns2/named01.conf.in
@@ -24,7 +24,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named02.conf.in b/bin/tests/system/allow-query/ns2/named02.conf.in
index 678c417..95a78b2 100644
--- a/bin/tests/system/allow-query/ns2/named02.conf.in
+++ b/bin/tests/system/allow-query/ns2/named02.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named03.conf.in b/bin/tests/system/allow-query/ns2/named03.conf.in
index cdc64ff..fd6add2 100644
--- a/bin/tests/system/allow-query/ns2/named03.conf.in
+++ b/bin/tests/system/allow-query/ns2/named03.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named04.conf.in b/bin/tests/system/allow-query/ns2/named04.conf.in
index 0544662..f6d231d 100644
--- a/bin/tests/system/allow-query/ns2/named04.conf.in
+++ b/bin/tests/system/allow-query/ns2/named04.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named05.conf.in b/bin/tests/system/allow-query/ns2/named05.conf.in
index 6f92049..fe6cc0c 100644
--- a/bin/tests/system/allow-query/ns2/named05.conf.in
+++ b/bin/tests/system/allow-query/ns2/named05.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named06.conf.in b/bin/tests/system/allow-query/ns2/named06.conf.in
index 261c75b..1f78f13 100644
--- a/bin/tests/system/allow-query/ns2/named06.conf.in
+++ b/bin/tests/system/allow-query/ns2/named06.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named07.conf.in b/bin/tests/system/allow-query/ns2/named07.conf.in
index 8050fa2..15dca8f 100644
--- a/bin/tests/system/allow-query/ns2/named07.conf.in
+++ b/bin/tests/system/allow-query/ns2/named07.conf.in
@@ -27,7 +27,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named08.conf.in b/bin/tests/system/allow-query/ns2/named08.conf.in
index ffa4cdc..c2eed2d 100644
--- a/bin/tests/system/allow-query/ns2/named08.conf.in
+++ b/bin/tests/system/allow-query/ns2/named08.conf.in
@@ -27,7 +27,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named09.conf.in b/bin/tests/system/allow-query/ns2/named09.conf.in
index 49166e6..248da9e 100644
--- a/bin/tests/system/allow-query/ns2/named09.conf.in
+++ b/bin/tests/system/allow-query/ns2/named09.conf.in
@@ -27,7 +27,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index d684c2d..774dace 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -30,7 +30,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 59b9e0e..c860aed 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -36,7 +36,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index a8e9107..1d9c5d5 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -30,7 +30,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named21.conf.in b/bin/tests/system/allow-query/ns2/named21.conf.in
index c6204a3..b120f2a 100644
--- a/bin/tests/system/allow-query/ns2/named21.conf.in
+++ b/bin/tests/system/allow-query/ns2/named21.conf.in
@@ -26,7 +26,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named22.conf.in b/bin/tests/system/allow-query/ns2/named22.conf.in
index 454f24a..37ccedc 100644
--- a/bin/tests/system/allow-query/ns2/named22.conf.in
+++ b/bin/tests/system/allow-query/ns2/named22.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named23.conf.in b/bin/tests/system/allow-query/ns2/named23.conf.in
index f62337b..c43e232 100644
--- a/bin/tests/system/allow-query/ns2/named23.conf.in
+++ b/bin/tests/system/allow-query/ns2/named23.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named24.conf.in b/bin/tests/system/allow-query/ns2/named24.conf.in
index 1e277a9..6cdbeec 100644
--- a/bin/tests/system/allow-query/ns2/named24.conf.in
+++ b/bin/tests/system/allow-query/ns2/named24.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named25.conf.in b/bin/tests/system/allow-query/ns2/named25.conf.in
index 0548af2..51e247c 100644
--- a/bin/tests/system/allow-query/ns2/named25.conf.in
+++ b/bin/tests/system/allow-query/ns2/named25.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named26.conf.in b/bin/tests/system/allow-query/ns2/named26.conf.in
index 40e5dfd..a72136c 100644
--- a/bin/tests/system/allow-query/ns2/named26.conf.in
+++ b/bin/tests/system/allow-query/ns2/named26.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named27.conf.in b/bin/tests/system/allow-query/ns2/named27.conf.in
index 92fa1f8..4c3f958 100644
--- a/bin/tests/system/allow-query/ns2/named27.conf.in
+++ b/bin/tests/system/allow-query/ns2/named27.conf.in
@@ -30,7 +30,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named28.conf.in b/bin/tests/system/allow-query/ns2/named28.conf.in
index 2ecac7c..8db4555 100644
--- a/bin/tests/system/allow-query/ns2/named28.conf.in
+++ b/bin/tests/system/allow-query/ns2/named28.conf.in
@@ -30,7 +30,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named29.conf.in b/bin/tests/system/allow-query/ns2/named29.conf.in
index 9a6c9e5..2031a6e 100644
--- a/bin/tests/system/allow-query/ns2/named29.conf.in
+++ b/bin/tests/system/allow-query/ns2/named29.conf.in
@@ -30,7 +30,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index f7084c8..e57b7ab 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -33,7 +33,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index d6a7af5..776cbb7 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -40,7 +40,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index b7d7ee4..35dfb6e 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -33,7 +33,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named33.conf.in b/bin/tests/system/allow-query/ns2/named33.conf.in
index be31b72..3721e62 100644
--- a/bin/tests/system/allow-query/ns2/named33.conf.in
+++ b/bin/tests/system/allow-query/ns2/named33.conf.in
@@ -29,7 +29,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named34.conf.in b/bin/tests/system/allow-query/ns2/named34.conf.in
index 165ff06..09125ef 100644
--- a/bin/tests/system/allow-query/ns2/named34.conf.in
+++ b/bin/tests/system/allow-query/ns2/named34.conf.in
@@ -29,7 +29,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index b7a8746..10e0818 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -38,7 +38,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named53.conf.in b/bin/tests/system/allow-query/ns2/named53.conf.in
index bd0af28..d3463b2 100644
--- a/bin/tests/system/allow-query/ns2/named53.conf.in
+++ b/bin/tests/system/allow-query/ns2/named53.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named54.conf.in b/bin/tests/system/allow-query/ns2/named54.conf.in
index a6ca424..5dddf89 100644
--- a/bin/tests/system/allow-query/ns2/named54.conf.in
+++ b/bin/tests/system/allow-query/ns2/named54.conf.in
@@ -25,7 +25,7 @@ include "controls.conf";
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named55.conf.in b/bin/tests/system/allow-query/ns2/named55.conf.in
index 6bcba07..4a0880f 100644
--- a/bin/tests/system/allow-query/ns2/named55.conf.in
+++ b/bin/tests/system/allow-query/ns2/named55.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named56.conf.in b/bin/tests/system/allow-query/ns2/named56.conf.in
index d89a5fb..564063b 100644
--- a/bin/tests/system/allow-query/ns2/named56.conf.in
+++ b/bin/tests/system/allow-query/ns2/named56.conf.in
@@ -28,7 +28,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns2/named57.conf.in b/bin/tests/system/allow-query/ns2/named57.conf.in
index bcc3a85..db5f3d0 100644
--- a/bin/tests/system/allow-query/ns2/named57.conf.in
+++ b/bin/tests/system/allow-query/ns2/named57.conf.in
@@ -27,7 +27,7 @@ view "internal" {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "normal.example" {
diff --git a/bin/tests/system/allow-query/ns3/named1.conf.in b/bin/tests/system/allow-query/ns3/named1.conf.in
index 74b9885..bc42246 100644
--- a/bin/tests/system/allow-query/ns3/named1.conf.in
+++ b/bin/tests/system/allow-query/ns3/named1.conf.in
@@ -31,5 +31,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/allow-query/ns3/named2.conf.in b/bin/tests/system/allow-query/ns3/named2.conf.in
index c4a4e8f..53e73ad 100644
--- a/bin/tests/system/allow-query/ns3/named2.conf.in
+++ b/bin/tests/system/allow-query/ns3/named2.conf.in
@@ -34,5 +34,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/allow-query/ns3/named3.conf.in b/bin/tests/system/allow-query/ns3/named3.conf.in
index 0e1f7b0..36b5f77 100644
--- a/bin/tests/system/allow-query/ns3/named3.conf.in
+++ b/bin/tests/system/allow-query/ns3/named3.conf.in
@@ -34,5 +34,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/allow-query/ns3/named4.conf.in b/bin/tests/system/allow-query/ns3/named4.conf.in
index 36ff911..f9e88d4 100644
--- a/bin/tests/system/allow-query/ns3/named4.conf.in
+++ b/bin/tests/system/allow-query/ns3/named4.conf.in
@@ -34,5 +34,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/allow-query/setup.sh b/bin/tests/system/allow-query/setup.sh
index c85676e..886c8ac 100644
--- a/bin/tests/system/allow-query/setup.sh
+++ b/bin/tests/system/allow-query/setup.sh
@@ -13,7 +13,7 @@
 . ../conf.sh
-copy_setports ../common/controls.conf.in ns2/controls.conf
-copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named01.conf.in ns2/named.conf
-copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ../_common/controls.conf.in ns2/controls.conf
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named01.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index 3a1b8b4..cb82370 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -61,15 +61,15 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss
 status=0
 n=0
-nextpart ns2/named.run > /dev/null
+nextpart ns2/named.run >/dev/null
 # Test 1 - default, query allowed
 n=$((n + 1))
 echo_i "test $n: default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -80,9 +80,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -93,11 +93,11 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
+nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -106,10 +106,10 @@ DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +no
 echo_i "test $n: none - query refused (no edns)"
 ret=0
-$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null && ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -120,9 +120,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -133,10 +133,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -147,10 +147,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -161,9 +161,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -174,14 +174,13 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-
 # Test 9 - acl disallowed, query refused
 n=$((n + 1))
 copy_setports ns2/named09.conf.in ns2/named.conf
@@ -189,10 +188,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -203,9 +202,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -216,10 +215,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -230,10 +229,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -247,9 +246,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -260,9 +259,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -273,10 +272,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -287,9 +286,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -300,10 +299,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -314,10 +313,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -328,9 +327,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -341,10 +340,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -355,10 +354,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -369,9 +368,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -382,10 +381,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -396,10 +395,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -410,9 +409,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -423,10 +422,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -441,9 +440,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: zone default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -451,9 +450,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -461,10 +460,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -472,9 +471,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -482,10 +481,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -493,10 +492,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -504,9 +503,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -514,10 +513,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -525,10 +524,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -536,9 +535,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -546,10 +545,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -557,10 +556,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: zone key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -571,9 +570,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -584,10 +583,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -598,9 +597,9 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -611,10 +610,10 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -625,13 +624,13 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, allow-query-on"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1
-grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n >/dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -639,13 +638,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: default allow-recursion configuration"
 ret=0
-nextpart ns3/named.run > /dev/null
-$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
-grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
-$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
-grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
-nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
+nextpart ns3/named.run >/dev/null
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
+nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -653,12 +652,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "test $n: default allow-query-cache configuration"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
-grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
-$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
-grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
-nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
+nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -670,14 +669,14 @@ rndc_reload ns3 10.53.0.3
 echo_i "test $n: block recursion-on, allow query-cache-on"
 ret=0
 # this should query the cache, and an answer should already be there
-$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
-grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
-grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
+grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1
+grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
 # this should require recursion and therefore can't get an answer
-$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
-grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
-grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
-nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n
+grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1
+nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -689,22 +688,22 @@ rndc_reload ns3 10.53.0.3
 echo_i "test $n: inheritance of allow-query-cache-on"
 ret=0
 # this should query the cache, an answer should already be there
-$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
-grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n
+grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1
 # this should be refused due to allow-recursion-on/allow-query-cache-on
-$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
-grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
-grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n
+grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1
 # this should require recursion and should be allowed
-$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
-grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n
+grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1
 # this should require recursion and be refused
-$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
-grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
-grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
-grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
-nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n
+grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1
+grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1
+nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -716,22 +715,22 @@ rndc_reload ns3 10.53.0.3 echo_i "test $n: inheritance of allow-recursion-on" ret=0 # this should query the cache, an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should be refused due to allow-recursion-on/allow-query-cache-on -$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1 # this should require recursion and should be allowed -$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n -grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1 # this should require recursion and be refused -$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n -grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' 
dig.out.ns3.4.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/allow-query/tests_sh_allow_query.py b/bin/tests/system/allow-query/tests_sh_allow_query.py new file mode 100644 index 0000000..7b22ee2 --- /dev/null +++ b/bin/tests/system/allow-query/tests_sh_allow_query.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_allow_query(run_tests_sh): + run_tests_sh() diff --git a/bin/tests/system/allow-query/tests_sh_allowquery.py b/bin/tests/system/allow-query/tests_sh_allowquery.py deleted file mode 100644 index ce20d79..0000000 --- a/bin/tests/system/allow-query/tests_sh_allowquery.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - - -def test_allowquery(run_tests_sh): - run_tests_sh() diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh index 6cd4a27..a1f5c73 100644 --- a/bin/tests/system/auth/tests.sh +++ b/bin/tests/system/auth/tests.sh 
@@ -22,13 +22,11 @@ n=0 n=$((n + 1)) echo_i "wait for zones to finish transferring to ns2 ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do +for i in 1 2 3 4 5 6 7 8 9 10; do ret=0 - for zone in example.com example.net - do - $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 + for zone in example.com example.net; do + $DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 
@@ -43,44 +41,44 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," 
dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) 
@@ -90,100 +88,100 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" 
dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' 
dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' 
dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' 
dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that CHAOS addresses are compared correctly ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n -lines=$(wc -l < dig.out.test$n) +$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n +lines=$(wc -l $zonefile +cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. >$zonefile zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) @@ -34,20 +34,20 @@ rm $zsknopriv.private ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone) kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone) -keyfile_to_static_ds $ksksby > trusted.conf +keyfile_to_static_ds $ksksby >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf -keyfile_to_static_ds $kskrev > trusted.conf +keyfile_to_static_ds $kskrev >trusted.conf cp trusted.conf ../ns5/trusted.conf -echo $zskact > ../active.key -echo $zskvanish > ../vanishing.key -echo $zskdel > ../del.key -echo $zskinact > ../inact.key -echo $zskunpub > ../unpub.key -echo $zsknopriv > ../nopriv.key -echo $zsksby > ../standby.key -echo $zskactnowpub1d > ../activate-now-publish-1day.key -$REVOKE -R $kskrev > ../rev.key +echo $zskact >../active.key +echo $zskvanish >../vanishing.key +echo $zskdel >../del.key +echo $zskinact >../inact.key +echo $zskunpub >../unpub.key +echo $zsknopriv >../nopriv.key +echo $zsksby >../standby.key +echo $zskactnowpub1d >../activate-now-publish-1day.key +$REVOKE -R $kskrev >../rev.key diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 9b7c31d..c6fd69d 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh 
@@ -14,52 +14,50 @@ . ../../conf.sh # Have the child generate subdomain keys and pass DS sets to us. -( cd ../ns3 && $SHELL keygen.sh ) +(cd ../ns3 && $SHELL keygen.sh) for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ - nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ - cdnskey-delete -do - cp ../ns3/dsset-$subdomain.example. . + nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ + cdnskey-delete; do + cp ../ns3/dsset-$subdomain.example. . done # Create keys and pass the DS to the parent. zone=example zonefile="${zone}.db" infile="${zonefile}.in" -cat $infile dsset-*.example. > $zonefile +cat $infile dsset-*.example. >$zonefile kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null -$DSFROMKEY $kskname.key > dsset-${zone}. +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null +$DSFROMKEY $kskname.key >dsset-${zone}. # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null -keyfile_to_static_ds $ksk > private.conf +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null +keyfile_to_static_ds $ksk >private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null # Extract saved keys for the revoke-to-duplicate-key test zone=bar zonefile="${zone}.db" infile="${zonefile}.in" -cat $infile > $zonefile +cat $infile >$zonefile for i in Xbar.+013+59973.key Xbar.+013+59973.private \ - Xbar.+013+60101.key Xbar.+013+60101.private -do - cp $i $(echo $i | sed s/X/K/) + Xbar.+013+60101.key Xbar.+013+60101.private; do + cp $i $(echo $i | sed s/X/K/) done -$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null -$DSFROMKEY Kbar.+013+60101.key > dsset-bar. 
+$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null +$DSFROMKEY Kbar.+013+60101.key >dsset-bar. # a zone with empty non-terminals. zone=optout-with-ent zonefile=optout-with-ent.db infile=optout-with-ent.db.in -cat $infile > $zonefile +cat $infile >$zonefile kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index c155a3b..a134019 100644 --- a/bin/tests/system/autosign/ns2/named.conf.in +++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -38,7 +38,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 96158b3..b59cb50 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh 
@@ -15,43 +15,43 @@ SYSTESTDIR=autosign -dumpit () { - echo_d "${debug}: dumping ${1}" - cat "${1}" | cat_d +dumpit() { + echo_d "${debug}: dumping ${1}" + cat "${1}" | cat_d } -setup () { - echo_i "setting up zone: $1" - debug="$1" - zone="$1" - zonefile="${zone}.db" - infile="${zonefile}.in" - n=$((${n:-0} + 1)) +setup() { + echo_i "setting up zone: $1" + debug="$1" + zone="$1" + zonefile="${zone}.db" + infile="${zonefile}.in" + n=$((${n:-0} + 1)) } setup secure.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC test zone # setup secure.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC3 test zone # setup nsec3.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Jitter/NSEC3 test zone 
@@ -59,10 +59,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}. setup jitter.nsec3.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done # Don't create keys just yet, because the scenario we want to test # is an unsigned zone that has a NSEC3PARAM record added with 
@@ -73,98 +72,100 @@ done # setup optout.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A nsec3 zone (non-optout). # setup nsec3.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # An NSEC3 zone, with NSEC3 parameters set prior to signing # setup autonsec3.example -cat $infile > $zonefile -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../autoksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../autozsk.key -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile >$zonefile +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../autoksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../autozsk.key +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC test zone # setup secure.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. 
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC3 test zone # setup nsec3.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/OPTOUT test zone # setup optout.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A optout nsec3 zone. # setup optout.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA256 zone. # setup rsasha256.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. 
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA512 zone. # setup rsasha512.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms. # None of these algorithms are supported for signing in FIPS mode # as they are MD5 and SHA1 based. # -if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) -then - setup nsec-only.example - cp $infile $zonefile - ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out - $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out - $DSFROMKEY $ksk.key > dsset-${zone}. +if ( + cd .. + $SHELL ../testcrypto.sh -q RSASHA1 +); then + setup nsec-only.example + cp $infile $zonefile + ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out + $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out + $DSFROMKEY $ksk.key >dsset-${zone}. else - echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" + echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" fi # 
@@ -174,52 +175,59 @@ fi setup oldsigs.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out mv $zonefile.signed $zonefile # # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out + +# +# NSEC3->NSEC3 transition test zone. 
+# +setup nsec3-to-nsec3.example +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../del1.key -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../del1.key +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../del2.key +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Introducing a pre-published key test. 
# setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Key TTL tests. 
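Review bot: The new nsec3-to-nsec3.example block (`setup nsec3-to-nsec3.example` through `$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out`) is a line-for-line copy of the nsec3-to-nsec block directly above it, and nothing on this page adds `nsec3-to-nsec3` to the `for subdomain in secure nsec3 autonsec3 …` list in the ns2/keygen.sh hunk earlier in this diff, so the dsset file that dnssec-signzone writes for the new zone is, as far as the diff shows, never copied up to the parent and the zone would not be delegated from example. If the test only ever queries ns3 directly that is fine; otherwise the ns2 list needs the new entry. Since the two blocks differ only in the zone name, the header comment should say what this zone exercises that nsec3-to-nsec does not, e.g. `# NSEC3->NSEC3 transition test zone (same setup as nsec3-to-nsec; the test changes this zone's NSEC3 parameters rather than removing them)` — adjust to what the tests.sh case actually does, which is not visible here. Note also that `|| dumpit kg.out` only prints the failure and the script carries on to the signer step, a pre-existing pattern this block inherits. The script is flat and continues outside the hunk.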
@@ -227,46 +235,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out -cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out +cat ${infile} K${zone}.+*.key >$zonefile +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../delayksk.key -zsk=$($KEYGEN -G -q -a 
$DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../delayzsk.key +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../delayksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../delayzsk.key # # A zone with signatures that are already expired, and the private KSK # is missing. # setup noksk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../noksk-ksk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../noksk-ksk.key rm -f ${ksk}.private # @@ -274,11 +282,11 @@ rm -f ${ksk}.private # is missing. # setup nozsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../nozsk-ksk.key -echo $zsk > ../nozsk-zsk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../nozsk-ksk.key +echo $zsk >../nozsk-zsk.key rm -f ${zsk}.private # 
@@ -286,77 +294,77 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../inaczsk-ksk.key -echo $zsk > ../inaczsk-zsk.key -$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../inaczsk-ksk.key +echo $zsk >../inaczsk-zsk.key +$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out # # A zone that is set to 'auto-dnssec maintain' during a reconfig # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out # # A zone which generates CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. -echo ns3/$ksk > ../sync.key +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. 
+echo ns3/$ksk >../sync.key # # A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly # setup kskonly.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inacksk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inaczsk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. 
# setup inacksk3.example cp $infile $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the 
@@ -364,28 +372,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup delzsk.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out -echo $zsk > ../delzsk.key +echo $zsk >../delzsk.key # # Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDS (DELETE) is kept in the zone after signing. # setup cds-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDNSKEY (DELETE) is kept in the zone after 
@@ -393,6 +401,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup cdnskey-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 64196a1..cbdf8f7 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -42,7 +42,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { @@ -167,6 +167,7 @@ zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + max-journal-size 10M; auto-dnssec maintain; }; @@ -185,6 +186,14 @@ zone "secure-to-insecure2.example" { dnssec-secure-to-insecure yes; }; +zone "nsec3-to-nsec3.example" { + type primary; + file "nsec3-to-nsec3.example.db"; + allow-update { any; }; + inline-signing no; + max-journal-size 10M; +}; + zone "oldsigs.example" { type primary; file "oldsigs.example.db"; diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in new file mode 100644 index 0000000..0b11a00 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in 
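Review bot: The new `zone "nsec3-to-nsec3.example"` block is configured unlike its neighbour `nsec3-to-nsec.example` — no `auto-dnssec maintain`, an explicit `inline-signing no` — and nothing in named.conf.in says why, so a later cleanup could easily "align" the two and break the test. ns3/sign.sh pre-signs this zone with `dnssec-signzone -S -3 beef -A` and tests.sh later re-salts it with `rndc signing -nsec3param 1 1 1 -`, so a comment above the block such as `// pre-signed NSEC3 zone (salt "beef", see sign.sh); tests.sh changes its NSEC3 chain via rndc signing -nsec3param, hence no auto-dnssec/inline-signing` would capture the intent. The same applies to `max-journal-size 10M;`, added here and to `nsec3-to-nsec.example` in the hunk above: presumably the NSEC3 chain rebuild grows the journal past the default, but a one-line comment should say so rather than leave the limit looking arbitrary.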
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in index b46ce91..13a8e89 100644 --- a/bin/tests/system/autosign/ns4/named.conf.in +++ b/bin/tests/system/autosign/ns4/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in index 710dfa8..e0927da 100644 --- a/bin/tests/system/autosign/ns5/named.conf.in +++ b/bin/tests/system/autosign/ns5/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index ad23c22..5789fe7 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh 
@@ -19,18 +19,18 @@ status=0 n=0 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # convert private-type records to readable form # $1 is the zone # $2 is the server # $3 is ignored # $4 is the alternate type -showprivate () { - echo "-- $@ --" - $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' | - while read record; do - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' \ + | while read record; do + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; 
@@ -38,107 +38,103 @@ showprivate () { my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' $record - done + done } # check that signing records are marked as complete # if $3 is 1 then we are expecting "(incomplete)" # if $3 is 2 then we are not expecting either "(complete)" or "(incomplete)" # if $4 is present then that specifies any alternate type to check -checkprivate () { - _ret=0 - expected="${3:-0}" - x=$(showprivate "$@") - echo $x | grep "(complete)" > /dev/null || _ret=2 - echo $x | grep "(incomplete)" > /dev/null && _ret=1 - - if [ $_ret = $expected ]; then - return 0 - fi - - echo "$x" - echo_i "failed" - return 1 +checkprivate() { + _ret=0 + expected="${3:-0}" + x=$(showprivate "$@") + echo $x | grep "(complete)" >/dev/null || _ret=2 + echo $x | grep "(incomplete)" >/dev/null && _ret=1 + + if [ $_ret = $expected ]; then + return 0 + fi + + echo "$x" + echo_i "failed" + return 1 } # wait until notifies for zone $1 are sent by server $2. This is an indication # that the zone is signed with the active keys, and the changes have been # committed. -wait_for_notifies () { - wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 +wait_for_notifies() { + wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 } freq() { - _file=$1 - # remove first and last line that has incomplete set and skews the distribution - awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d' + _file=$1 + # remove first and last line that has incomplete set and skews the distribution + awk '$4 == "RRSIG" {print substr($9,1,8)}' <"$_file" | sort | uniq -c | sed '1d;$d' } # Check the signatures expiration times. First check how many signatures # there are in total ($rrsigs). Then see what the distribution of signature # expiration times is ($expiretimes). Ignore the time part for a better # modelled distribution. 
-checkjitter () { - _file=$1 - _ret=0 - - if ! command -v bc >/dev/null 2>&1; then - echo_i "skip: bc not available" - return 0 - fi - - freq "$_file" | cat_i - _expiretimes=$(freq "$_file" | awk '{print $1}') - - _count=0 - # Check if we have at least 4 days - # This number has been tuned for `sig-validity-interval 10 2`, as - # 1 signature expiration dates should be spread out across at most 8 (10-2) days - # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days - # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) - for _num in $_expiretimes - do - _count=$((_count+1)) - done - if [ "$_count" -lt 4 ]; then - echo_i "error: not enough categories" - return 1 - fi - - # Calculate mean - _total=0 - for _num in $_expiretimes - do - _total=$((_total+_num)) - done - _mean=$(($_total / $_count)) - - # Calculate stddev - _stddev=0 - for _num in $_expiretimes - do - _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) - done - _stddev=$(echo "sqrt($_stddev/$_count)" | bc) - - # We expect the number of signatures not to exceed the mean +- 3 * stddev. - _limit=$((_stddev*3)) - _low=$((_mean-_limit)) - _high=$((_mean+_limit)) - # Find outliers. - echo_i "checking whether all frequencies fall into <$_low;$_high> range" - for _num in $_expiretimes - do - if [ $_num -gt $_high ]; then - echo_i "error: too many RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - if [ $_num -lt $_low ]; then - echo_i "error: too few RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - done - - return $_ret +checkjitter() { + _file=$1 + _ret=0 + + if ! 
command -v bc >/dev/null 2>&1; then + echo_i "skip: bc not available" + return 0 + fi + + freq "$_file" | cat_i + _expiretimes=$(freq "$_file" | awk '{print $1}') + + _count=0 + # Check if we have at least 4 days + # This number has been tuned for `sig-validity-interval 10 2`, as + # 1 signature expiration dates should be spread out across at most 8 (10-2) days + # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days + # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) + for _num in $_expiretimes; do + _count=$((_count + 1)) + done + if [ "$_count" -lt 4 ]; then + echo_i "error: not enough categories" + return 1 + fi + + # Calculate mean + _total=0 + for _num in $_expiretimes; do + _total=$((_total + _num)) + done + _mean=$(($_total / $_count)) + + # Calculate stddev + _stddev=0 + for _num in $_expiretimes; do + _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) + done + _stddev=$(echo "sqrt($_stddev/$_count)" | bc) + + # We expect the number of signatures not to exceed the mean +- 3 * stddev. + _limit=$((_stddev * 3)) + _low=$((_mean - _limit)) + _high=$((_mean + _limit)) + # Find outliers. + echo_i "checking whether all frequencies fall into <$_low;$_high> range" + for _num in $_expiretimes; do + if [ $_num -gt $_high ]; then + echo_i "error: too many RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + if [ $_num -lt $_low ]; then + echo_i "error: too few RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + done + + return $_ret } # 
@@ -149,34 +145,30 @@ checkjitter () { # echo_i "waiting for autosign changes to take effect" i=0 -while [ $i -lt 30 ] -do - ret=0 - # - # Wait for the root DNSKEY RRset to be fully signed. - # - $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 - grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 - for z in . - do - $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 - grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 - done - for z in bar. example. private.secure.example. optout-with-ent. - do - $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 - grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 - done - for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example noksk.example nozsk.example - do - $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 - grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 - done - i=$((i + 1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 2 +while [ $i -lt 30 ]; do + ret=0 + # + # Wait for the root DNSKEY RRset to be fully signed. + # + $DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1 + grep "ANSWER: 10," dig.out.ns1.test$n >/dev/null || ret=1 + for z in .; do + $DIG $DIGOPTS $z @10.53.0.1 nsec >dig.out.ns1.test$n || ret=1 + grep "NS SOA" dig.out.ns1.test$n >/dev/null || ret=1 + done + for z in bar. example. private.secure.example. optout-with-ent.; do + $DIG $DIGOPTS $z @10.53.0.2 nsec >dig.out.ns2.test$n || ret=1 + grep "NS SOA" dig.out.ns2.test$n >/dev/null || ret=1 + done + for z in bar. example. inacksk2.example. inacksk3.example \ + inaczsk2.example. inaczsk3.example noksk.example nozsk.example; do + $DIG $DIGOPTS $z @10.53.0.3 nsec >dig.out.ns3.test$n || ret=1 + grep "NS SOA" dig.out.ns3.test$n >/dev/null || ret=1 + done + i=$((i + 1)) + if [ $ret = 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "done"; fi 
@@ -185,21 +177,21 @@ status=$((status + ret)) echo_i "Convert optout-with-ent from nsec to nsec3" ($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 +echo_i "Convert nsec3-to-nsec3.example from having salt 'beef' to no salt" +($RNDCCMD 10.53.0.3 signing -nsec3param 1 1 1 - nsec3-to-nsec3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 + echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" -for z in . -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in .; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in bar. example. private.secure.example. -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in bar. example. private.secure.example.; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done # Set logfile offset for wait_for_log usage. 
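Review bot: The new `rndc signing -nsec3param 1 1 1 - nsec3-to-nsec3.example` call records failure only as `ret=1`, yet the next check visible in this diff (the `@@ -213` hunk) starts with `ret=0` and no `status=$((status + ret))` appears in between, so unless that accumulation happens in lines this hunk does not show, a refused or failed rndc command here is silently lost; the existing `optout-with-ent` line above has the same weakness and the new line copies it. Also, because `|| ret=1` is attached to the subshell whose status is that of `cat_i`, the last stage of the pipeline, a non-zero exit of `$RNDCCMD` itself never sets `ret` at all unless pipefail is enabled elsewhere in the harness. Consider giving this step its own numbered check in the file's usual shape — `ret=0` before the call, then `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=$((status + ret))` after it — and adding a later assertion that the zone's NSEC3PARAM actually changed from salt `BEEF` to no salt, since no such verification for this zone is visible in this chunk.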
@@ -213,14 +205,14 @@ echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" echo_ic "is initially signed with a KSK and not a ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n >/dev/null || ret=1 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } @@ -236,7 +228,7 @@ awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' id=$(awk "${awk}" dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) 
@@ -250,11 +242,11 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" echo_ic "is initially signed with a ZSK and not a KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n >/dev/null || ret=1 +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) @@ -266,7 +258,7 @@ test $count -eq 3 || ret=1 id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -275,24 +267,24 @@ status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" ret=0 # these commands should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" ret=0 -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "converting zones from nsec to nsec3" -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking for nsec3param signing record ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list autonsec3.example. 
> signing.out.test$n 2>&1 -grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 +grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "resetting nsec3param via rndc signing ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. >/dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. >/dev/null 2>&1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 - grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=$(grep "Pending " signing.out.test$n | wc -l) - [ $num -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 + grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n >/dev/null || ret=1 + num=$(grep "Pending " signing.out.test$n | wc -l) + [ $num -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -370,15 +361,15 @@ status=$((status + ret)) echo_i "signing preset nsec3 zone" zsk=$(cat autozsk.key) ksk=$(cat autoksk.key) -$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now -A now $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now -A now $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 echo_i "converting zone from nsec3 to nsec" -$NSUPDATE > /dev/null 2>&1 << END || status=1 +$NSUPDATE >/dev/null 2>&1 < dig.out.test$n - nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)" - if [ "$nearest_expiration" -le "$now" ]; then - echo_i "failed: $nearest_expiration <= $now" - return 1 - fi + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n + nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -467,7 +458,7 @@ status=$((status + ret)) # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0 -$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -475,38 +466,37 @@ status=$((status + ret))
 
 echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
 ret=0
-$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
-$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n >/dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking direct NSEC3 autosigning succeeded ($n)"
 ret=0
-$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
-[ -s dig.out.ns3.ok.test$n ] || ret=1
-grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1
+[ -s dig.out.ns3.ok.test$n ] || ret=1
+grep "NSEC3PARAM" dig.out.ns3.ok.test$n >/dev/null || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
 ret=0
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
- grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+ grep "failed: REFUSED" nsupdate.out >/dev/null || ret=1
 else
- echo_i "skip: RSASHA1 not supported"
+ echo_i "skip: RSASHA1 not supported"
 fi
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -515,39 +505,39 @@ status=$((status + ret))
 echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
 ret=0
 # this command should result in an empty file:
-$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
-grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
-$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1
 # this command should result in an empty file:
 no_nsec3param() (
- $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1
- grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1
- return 0
+ $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || return 1
+ grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && return 1
+ return 0
 )
 retry_quiet 10 no_nsec3param || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -556,7 +546,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -565,7 +555,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -574,7 +564,7 @@ status=$((status + ret))
 
 echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
 ret=0
-$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 [ -s dig.out.ns3.test$n ] || ret=1
 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
 n=$((n + 1))
@@ -583,10 +573,10 @@ status=$((status + ret))
 
 echo_i "checking positive validation NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -594,11 +584,11 @@ status=$((status + ret))
 echo_i "checking positive validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -606,22 +596,22 @@ status=$((status + ret))
 echo_i "checking positive validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -629,12 +619,12 @@ status=$((status + ret))
 echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth q.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -642,25 +632,25 @@ status=$((status + ret))
 echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth q.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking negative validation NODATA NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -668,13 +658,13 @@ status=$((status + ret))
 echo_i "checking negative validation NODATA NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -682,13 +672,13 @@ status=$((status + ret))
 echo_i "checking negative validation NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -697,12 +687,12 @@ status=$((status + ret))
 
 echo_i "checking 1-server insecurity proof NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -710,13 +700,13 @@ status=$((status + ret))
 echo_i "checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -726,12 +716,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -739,12 +729,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -752,12 +742,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -765,12 +755,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -778,12 +768,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -791,12 +781,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -804,12 +794,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.secure.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.secure.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -817,12 +807,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -830,12 +820,12 @@ status=$((status + ret))
 echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth a.optout.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -843,11 +833,11 @@ status=$((status + ret))
 echo_i "checking empty NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth empty.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth empty.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -858,13 +848,13 @@ status=$((status + ret))
 echo_i "checking 2-server insecurity proof ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -873,43 +863,43 @@ status=$((status + ret))
 
 echo_i "checking 2-server insecurity proof with a negative answer ($n)"
 ret=0
-$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
- || ret=1
-$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
- || ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \
+ || ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \
+ || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking security root query ($n)"
 ret=0
-$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS . @10.53.0.4 key >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking positive validation RSASHA256 NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking positive validation RSASHA512 NSEC ($n)"
 ret=0
-$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -917,12 +907,12 @@ status=$((status + ret))
 echo_i "checking that positive validation in a privately secure zone works ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -930,22 +920,22 @@ status=$((status + ret))
 echo_i "checking that negative validation in a privately secure zone works ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking privately secure to nxdomain works ($n)"
 ret=0
-$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -955,9 +945,9 @@ status=$((status + ret))
 
 echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
 ret=0
-$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
-grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+$DIG $DIGOPTS example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "flags:.*; QUERY" dig.out.ns5.test$n >/dev/null || ret=1
+grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -965,8 +955,8 @@ status=$((status + ret))
 echo_i "checking that revoked key is present ($n)"
 ret=0
 id=$(cat rev.key)
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -974,8 +964,8 @@ status=$((status + ret))
 echo_i "checking that revoked key self-signs ($n)"
 ret=0
 id=$(cat rev.key)
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -983,8 +973,8 @@ status=$((status + ret))
 echo_i "checking for unpublished key ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat unpub.key)")
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -992,8 +982,8 @@ status=$((status + ret))
 echo_i "checking for activated but unpublished key ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
-$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1001,8 +991,8 @@ status=$((status + ret))
 echo_i "checking that standby key does not sign records ($n)"
 ret=0
 id=$(keyfile_to_key_id "$(cat standby.key)")
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1010,8 +1000,8 @@ status=$((status + ret)) echo_i "checking that deactivated key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat inact.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1021,7 +1011,7 @@ ret=0 id=$(keyfile_to_key_id "$(cat nopriv.key)") file="ns1/$(cat nopriv.key).key" keydata=$(grep DNSKEY $file) -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1038,27 +1028,27 @@ status=$((status + ret)) echo_i "checking key deletion ($n)" ret=0 id=$(keyfile_to_key_id "$(cat del.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking secure-to-insecure transition, nsupdate ($n)" ret=0 -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1067,17 +1057,17 @@ status=$((status + ret)) echo_i "checking secure-to-insecure transition, scheduled ($n)" ret=0 file="ns3/$(cat del1.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.1 || ret=1 file="ns3/$(cat del2.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.2 || ret=1 ($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1086,7 +1076,7 @@ status=$((status + ret)) echo_i "checking jitter in a newly signed NSEC3 zone ($n)" ret=0 # Use DNS UPDATE to add an NSEC3PARAM record into the zone. -$NSUPDATE > nsupdate.out.test$n 2>&1 <nsupdate.out.test$n 2>&1 < /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example >/dev/null # Trigger zone signing. ($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 # Wait until zone has been signed. check_if_nsec3param_exists() { - $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1 - grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 >dig.out.ns3.1.test$n || return 1 + grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 } retry_quiet 40 check_if_nsec3param_exists || { - echo_i "error: NSEC3PARAM not present yet" - ret=1 + echo_i "error: NSEC3PARAM not present yet" + ret=1 } -$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 +$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 # Check jitter distribution. checkjitter dig.out.ns3.2.test$n || ret=1 n=$((n + 1)) 
@@ -1118,17 +1108,16 @@ ret=0 oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}') oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example >/dev/null ($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 newserial=$oldserial try=0 -while [ $oldserial -eq $newserial -a $try -lt 42 ] -do - newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | - awk '$0 !~ /SOA/ {print $3}') - sleep 1 - try=$((try + 1)) +while [ $oldserial -eq $newserial -a $try -lt 42 ]; do + newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 \ + | awk '$0 !~ /SOA/ {print $3}') + sleep 1 + try=$((try + 1)) done newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) #echo "$oldserial : $newserial" @@ -1151,8 +1140,8 @@ oldfile=$(cat active.key) oldid=$(keyfile_to_key_id "$(cat active.key)") newfile=$(cat standby.key) newid=$(keyfile_to_key_id "$(cat standby.key)") -$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1 -$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1 +$SETTIME -K ns1 -I now+2s -D now+25 $oldfile >settime.out.test$n.1 || ret=1 +$SETTIME -K ns1 -i 0 -S $oldfile $newfile >settime.out.test$n.2 || ret=1 # note previous zone serial number oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') @@ -1161,7 +1150,7 @@ oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') sleep 4 echo_i "revoking key to duplicated key ID" -$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1 +$SETTIME -R now -K ns2 Kbar.+013+59973.key >settime.out.test$n.3 || ret=1 ($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 
@@ -1170,17 +1159,17 @@ sleep 5
 
 echo_i "checking former standby key $newid is now active ($n)"
 ret=0
-$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking former standby key has only signed incrementally ($n)"
 ret=0
-$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
-grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
+grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1189,15 +1178,15 @@ echo_i "checking that signing records have been marked as complete ($n)"
 ret=0
 checkprivate . 10.53.0.1 || ret=1
 checkprivate bar 10.53.0.2 || ret=1
-checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
+checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
 checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.optout.example 10.53.0.3 || ret=1
-checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
- checkprivate nsec-only.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+ checkprivate nsec-only.example 10.53.0.3 || ret=1
 fi
 checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate optout.example 10.53.0.3 || ret=1
@@ -1209,8 +1198,8 @@ checkprivate rsasha512.example 10.53.0.3 || ret=1
 checkprivate secure.example 10.53.0.3 || ret=1
 checkprivate secure.nsec3.example 10.53.0.3 || ret=1
 checkprivate secure.optout.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure2.example 10.53.0.3 2|| ret=1 # automatically removed
-checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate secure-to-insecure2.example 10.53.0.3 2 || ret=1 # automatically removed
+checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed
 checkprivate ttl1.example 10.53.0.3 || ret=1
 checkprivate ttl2.example 10.53.0.3 || ret=1
 checkprivate ttl3.example 10.53.0.3 || ret=1
@@ -1226,8 +1215,8 @@ sleep 5
 
 echo_i "checking former standby key has now signed fully ($n)"
 ret=0
-$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1245,11 +1234,11 @@ ret=0
 zsk=$(cat delayzsk.key)
 ksk=$(cat delayksk.key)
 # publication and activation times should be unset
-$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -pA -pP $zsk >settime.out.test$n.zsk || ret=1
 grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1
-$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1
+$SETTIME -K ns3 -pA -pP $ksk >settime.out.test$n.ksk || ret=1
 grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1
-$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1
 # DNSKEY not expected:
 awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
 n=$((n + 1))
@@ -1260,14 +1249,14 @@ echo_i "checking scheduled key publication, not activation ($n)" ret=0 # Ensure initial zone is loaded. wait_for_notifies "delay.example" "ns3" || ret=1 -$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_notifies "delay.example" "ns3" || ret=1 -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1 # RRSIG not expected: 
@@ -1278,19 +1267,19 @@ status=$((status + ret)) echo_i "checking scheduled key activation ($n)" ret=0 -$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -A now+3s $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -A now+3s $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_log_re 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run check_is_signed() { - $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.1.test$n || return 1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 # RRSIG expected: awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 - $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1 + $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 >dig.out.ns3.2.test$n || return 1 # A expected: awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1 # RRSIG expected: 
@@ -1310,12 +1299,15 @@ echo_i "checking former active key was removed ($n)" now=$($PERL -e 'print time(), "\n";') sleep=$((starttime + 29 - now)) case $sleep in --*|0);; -*) echo_i "waiting for timer to have activated"; sleep $sleep;; + -* | 0) ;; + *) + echo_i "waiting for timer to have activated" + sleep $sleep + ;; esac ret=0 -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$oldid"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1323,8 +1315,8 @@ status=$((status + ret)) echo_i "checking private key file removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1333,12 +1325,12 @@ echo_i "checking revoked key with duplicate key ID ($n)" ret=0 id=59973 rid=60101 -$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns2.test$n >/dev/null && ret=1 keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l) test $keys -eq 2 || ret=1 -$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey bar @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1356,10 +1348,10 @@ status=$((status + ret)) # this confirms that key events are never scheduled more than # 'dnssec-loadkeys-interval' minutes in the future, and that the # event scheduled is within 10 seconds of expected interval. -check_interval () { - awk '/next key event/ {print $2 ":" $9}' $1/named.run | - sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' | - awk -F: ' +check_interval() { + awk '/next key event/ {print $2 ":" $9}' $1/named.run \ + | sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' \ + | awk -F: ' { x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); # abs(x) < 1000 ms treat as 'now' @@ -1377,7 +1369,7 @@ check_interval () { exit (1); } END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 || return $? - return 0 + return 0 } echo_i "checking automatic key reloading interval ($n)" 
@@ -1403,8 +1395,8 @@ echo_i "forcing full sign with unreadable keys ($n)"
 ret=0
 chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
 ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
-$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1419,12 +1411,12 @@ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
 ($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 rndc_reconfig ns3 10.53.0.3
 for i in 0 1 2 3 4 5 6 7 8 9; do
- lret=0
- rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
- [ "$rekey_calls" -gt 0 ] || lret=1
- if [ "$lret" -eq 0 ]; then break; fi
- echo_i "waiting ... ($i)"
- sleep 1
+ lret=0
+ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+ [ "$rekey_calls" -gt 0 ] || lret=1
+ if [ "$lret" -eq 0 ]; then break; fi
+ echo_i "waiting ... ($i)"
+ sleep 1
 done
 n=$((n + 1))
 if [ "$lret" != 0 ]; then ret=$lret; fi
@@ -1433,19 +1425,19 @@ status=$((status + ret))
 
 echo_i "test CDS and CDNSKEY auto generation ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
-grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
-grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n
+grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n >/dev/null || ret=1
+grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n
 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
 test ${lines:-0} -eq 2 || ret=1
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
@@ -1458,9 +1450,9 @@ status=$((status + ret))
 
 echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
-$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n
 lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
 test ${lines:-0} -eq 1 || ret=1
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
@@ -1472,16 +1464,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
-$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -D sync now $(cat sync.key) >settime.out.test$n || ret=1
 ($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
 
 echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
 ret=0
 ensure_cds_and_cdnskey_are_deleted() {
- $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
- awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
- $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
- awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
+ $DIG $DIGOPTS @10.53.0.3 sync.example. CDS >dig.out.ns3.cdstest$n || return 1
+ awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
+ $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY >dig.out.ns3.cdnskeytest$n || return 1
+ awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
 }
 retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
 n=$((n + 1))
@@ -1490,7 +1482,7 @@ status=$((status + ret))
 
 echo_i "check that dnssec-settime -p Dsync works ($n)"
 ret=0
-$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -p Dsync $(cat sync.key) >settime.out.test$n || ret=1
 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1498,7 +1490,7 @@ status=$((status + ret))
 
 echo_i "check that dnssec-settime -p Psync works ($n)"
 ret=0
-$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1
+$SETTIME -p Psync $(cat sync.key) >settime.out.test$n || ret=1
 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1506,17 +1498,17 @@ status=$((status + ret)) echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ) +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1524,8 +1516,8 @@ status=$((status + ret)) echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n -grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n +grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1538,12 +1530,12 @@ echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" echo_ic "is now signed with the ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } @@ -1566,10 +1558,10 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" echo_ic "is now signed with the KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) 
@@ -1585,45 +1577,54 @@ status=$((status + ret)) echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 # Switch the zone over to NSEC3 and wait until the transition is complete. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. >signing.out.1.test$n 2>&1 || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1 - { grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1 - { grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 >dig.out.ns3.1.test$n 2>&1 || ret=1 + { + grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -eq 0 ]; then + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.2.test$n 2>&1 + { + grep "Creating NSEC3 chain " signing.out.2.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for NSEC3 chain creation" - ret=1 + echo_i "timed out waiting for NSEC3 chain creation" + ret=1 fi # Mark the inactive ZSK as pending removal. file="ns3/$(cat delzsk.key).key" -$SETTIME -D now-1h $file > settime.out.test$n || ret=1 +$SETTIME -D now-1h $file >settime.out.test$n || ret=1 # Trigger removal of the inactive ZSK and wait until its completion. 
($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 - { grep "Signing " signing.out.3.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.3.test$n 2>&1 + { + grep "Signing " signing.out.3.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for key removal" - ret=1 + echo_i "timed out waiting for key removal" + ret=1 fi # Check whether key removal caused NSEC3 records to be erroneously created for # glue records due to a secure delegation already being signed by the active key 
@@ -1634,26 +1635,26 @@ fi # $ nsec3hash 12345678 1 10 ns.sub.delzsk.example. # 589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10) # -$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1 -grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 >dig.out.ns3.3.test$n || ret=1 +grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" ret=0 -$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that DNAME is not treated as a delegation when signing ($n)" ret=0 -$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1 -$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n >/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. 
TXT @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1677,7 +1678,7 @@ status=$((status + ret)) echo_i "checking that CDS (DELETE) persists after zone sign ($n)" echo_i "update add cds-delete.example. CDS 0 0 00" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 ) _cdnskey_delete_nx() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 } echo_i "query cds-delete.example. CDS" @@ -1702,7 +1703,7 @@ retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 echo_i "sign cds-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cds-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run # The CDS (DELETE) record should still be here. echo_i "query cds-delete.example. CDS" 
@@ -1718,7 +1719,7 @@ status=$((status + ret)) echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 ) _cdnskey_delete() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 } echo_i "query cdnskey-delete.example. CDNSKEY" @@ -1743,7 +1744,7 @@ retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 echo_i "sign cdsnskey-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run # The CDNSKEY (DELETE) record should still be here. echo_i "query cdnskey-delete.example. CDNSKEY" 
@@ -1761,40 +1762,80 @@ ret=0 zone=optout-with-ent hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL # check that NSEC3 for ENT is present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1 # remove first delegation of two delegations, NSEC3 for ENT should remain. ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub1.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub1.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is still present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1 # remove second delegation of two delegations, NSEC3 for ENT should be deleted. 
( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub2.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub2.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is gone present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n -grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n >/dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \ + | awk 'BEGIN { private=0; rrsig=0; ok=0 } +$1 == "del" && $5 == "SOA" { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } } +$1 == "add" && $5 == "TYPE65534" { private=1 } +$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { rrsig=1 } +END { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } else { exit (1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that NSEC3 to NSEC builds the NSEC chain first ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \ + | awk 'BEGIN { nsec3param=0; nsec=0 } +$1 == "del" && $5 == "SOA" { if (nsec3param || nsec) { if (nsec3param 
&& !nsec) { exit(1); } else { exit(0); } } } +$1 == "del" && $5 == "NSEC3PARAM" { nsec3param=1 } +$1 == "add" && $2 == "nsec3-to-nsec.example." && $5 == "NSEC" { nsec=1 } +END { if (nsec3param || nsec) { if (nsec3param && !nsec) { exit(1); } else { exit(0); } } else { exit(1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that NSEC3 to NSEC3 builds the new NSEC3 chain first ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec3.example.db.jnl \ + | awk 'BEGIN { addnsec3param=0; delnsec3param=0; nsec3=0 } +$1 == "del" && $5 == "SOA" { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } } +$1 == "del" && $5 == "NSEC3PARAM" { delnsec3param=1 } +$1 == "add" && $5 == "NSEC3PARAM" { addnsec3param=1 } +$1 == "add" && $5 == "NSEC3" { nsec3=1 } +END { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } else { exit(1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/builtin/ns1/named.conf.in b/bin/tests/system/builtin/ns1/named.conf.in index 723e6b2..d2abad7 100644 --- a/bin/tests/system/builtin/ns1/named.conf.in +++ b/bin/tests/system/builtin/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/ns2/named.conf.in b/bin/tests/system/builtin/ns2/named.conf.in index 38b95f0..64327db 100644 --- a/bin/tests/system/builtin/ns2/named.conf.in +++ b/bin/tests/system/builtin/ns2/named.conf.in 
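Review bot: The three awk scripts added at the end of this hunk give no hint of the journalprint line shape they rely on ($1 is add/del, $5 the record type, $6 the type covered by an RRSIG) or of why the test at the `del … SOA` rule is repeated verbatim in END; in awk an `exit` from a main rule still runs END, so the duplication is what keeps the two paths consistent rather than an oversight, and a one-line comment above each script such as `# journalprint lines: add|del <owner> <ttl> <class> <type> ...; 'exit' in a rule still runs END, hence the repeated check` would spare the next reader that puzzle. The pipeline also hides the status of `$JOURNALPRINT` itself: if the journal file is missing or unreadable, awk sees empty input and the END block's trailing `exit(1)` reports it as a chain-ordering failure, which is misleading; a preceding `[ -f ns3/nsec3-to-nsec.example.db.jnl ] || ret=1` (and the same for nsec3-to-nsec3) would make the real cause visible in the log. Each script also stops at the first transaction that touches any tracked record, so the check assumes that transaction is the startup conversion; if an earlier transaction could touch NSEC3PARAM or the private type, the rule would need to skip it rather than exit. The `exit (1)` with a space in the first END block is harmless but inconsistent with the other calls.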
@@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/ns3/named.conf.in b/bin/tests/system/builtin/ns3/named.conf.in index df538db..c3a1372 100644 --- a/bin/tests/system/builtin/ns3/named.conf.in +++ b/bin/tests/system/builtin/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh index 9151fc3..cd3df75 100644 --- a/bin/tests/system/builtin/tests.sh +++ b/bin/tests/system/builtin/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 
@@ -126,41 +126,47 @@ n=$((n + 1)) ret=0 count=0 echo_i "Checking expected empty zones were configured ($n)" -for zone in ${emptyzones} -do - grep "automatic empty zone: $zone" ns1/named.run > /dev/null || { - echo_i "failed (empty zone $zone missing)" - ret=1 - } - count=$((count + 1)) +for zone in ${emptyzones}; do + grep "automatic empty zone: $zone" ns1/named.run >/dev/null || { + echo_i "failed (empty zone $zone missing)" + ret=1 + } + count=$((count + 1)) done lines=$(grep "automatic empty zone: " ns1/named.run | wc -l) test $count -eq $lines -a $count -eq 99 || { - ret=1; echo_i "failed (count mismatch)"; + ret=1 + echo_i "failed (count mismatch)" } -if [ $ret != 0 ] ; then status=$((status + ret)); fi +if [ $ret != 0 ]; then status=$((status + ret)); fi n=$((n + 1)) echo_i "Checking that reconfiguring empty zones is silent ($n)" $RNDCCMD 10.53.0.1 reconfig ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "zone serial (0) unchanged." 
ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "Checking that reloading empty zones is silent ($n)" rndc_reload ns1 10.53.0.1 ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi HOST_NAME=$($FEATURETEST --gethostname) BIND_VERSION_STRING=$($NAMED -V | head -1) 
@@ -169,80 +175,113 @@ BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p') n=$((n + 1)) ret=0 echo_i "Checking that default version works for rndc ($n)" -$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom version works for rndc ($n)" -$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n || 
ret=1 +grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default server-id is none for query ($n)" -$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that server-id hostname works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n || ret=1 -grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || 
ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n || ret=1 -grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n || ret=1 +grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/cacheclean/ns2/named.conf.in b/bin/tests/system/cacheclean/ns2/named.conf.in index 0b5cd29..6ffa073 100644 --- a/bin/tests/system/cacheclean/ns2/named.conf.in +++ b/bin/tests/system/cacheclean/ns2/named.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "flushtest.example" { diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh index 387ce86..141716a 100755 --- a/bin/tests/system/cacheclean/tests.sh +++ b/bin/tests/system/cacheclean/tests.sh @@ -18,17 +18,17 @@ set -e status=0 n=0 -RNDCOPTS="-c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" +RNDCOPTS="-c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \ +nostat @10.53.0.2 -p ${PORT}" # fill the cache with nodes from flushtest.example zone -load_cache () { - # empty all existing cache data - $RNDC $RNDCOPTS flush +load_cache() { + # empty all existing cache data + $RNDC $RNDCOPTS flush - # load the positive cache entries - $DIG $DIGOPTS -f - << EOF > /dev/null 2>&1 + # load the positive cache entries + $DIG $DIGOPTS -f - </dev/null 2>&1 txt top1.flushtest.example txt second1.top1.flushtest.example txt third1.second1.top1.flushtest.example 
@@ -47,42 +47,42 @@ txt third2.second2.top3.flushtest.example txt second3.top3.flushtest.example EOF - # load the negative cache entries - # nxrrset: - $DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null - # nxdomain: - $DIG $DIGOPTS txt top4.flushtest.example > /dev/null - # empty nonterminal: - $DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null + # load the negative cache entries + # nxrrset: + $DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null + # nxdomain: + $DIG $DIGOPTS txt top4.flushtest.example >/dev/null + # empty nonterminal: + $DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null - # sleep 2 seconds ensure the TTLs will be lower on cached data - sleep 2 + # sleep 2 seconds ensure the TTLs will be lower on cached data + sleep 2 } -dump_cache () { - rndc_dumpdb ns2 -cache _default +dump_cache() { + rndc_dumpdb ns2 -cache _default } -clear_cache () { - $RNDC $RNDCOPTS flush +clear_cache() { + $RNDC $RNDCOPTS flush } -in_cache () { - ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}') - [ -z "$ttl" ] && { - ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}') - [ "$ttl" -ge 3599 ] && return 1 - return 0 - } - [ "$ttl" -ge 3599 ] && return 1 - return 0 +in_cache() { + ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}') + [ -z "$ttl" ] && { + ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}') + [ "$ttl" -ge 3599 ] && return 1 + return 0 + } + [ "$ttl" -ge 3599 ] && return 1 + return 0 } # Extract records at and below name "$1" from the cache dump in file "$2". -filter_tree () { - tree="$1" - file="$2" - perl -n -e ' +filter_tree() { + tree="$1" + file="$2" + perl -n -e ' next if /^;/; if (/'"$tree"'/ || (/^\t/ && $print)) { $print = 1; 
@@ -95,7 +95,7 @@ filter_tree () { n=$((n + 1)) echo_i "check correctness of routine cache cleaning ($n)" -$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1 +$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1 digcomp --lc dig.out.ns2 knowngood.dig.out || status=1 @@ -103,7 +103,10 @@ n=$((n + 1)) echo_i "only one tcp socket was used ($n)" tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l) -test $tcpclients -eq 1 || { status=1; echo_i "failed"; } +test $tcpclients -eq 1 || { + status=1 + echo_i "failed" +} n=$((n + 1)) echo_i "reset and check that records are correctly cached initially ($n)" @@ -111,7 +114,10 @@ ret=0 load_cache dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; } +[ $nrecords -eq 18 ] || { + ret=1 + echo_i "found $nrecords records expected 18" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -205,7 +211,10 @@ echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; } +[ $nrecords -eq 17 ] || { + ret=1 + echo_i "found $nrecords records expected 17" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -223,7 +232,10 @@ echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; } +[ $nrecords -eq 1 ] || { + ret=1 + echo_i "found $nrecords records expected 1" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -234,34 +246,34 @@ load_cache dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.a > sed.out.$n.a -grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1 + ns2/named_dump.db.test$n.a >sed.out.$n.a +grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1 $RNDC $RNDCOPTS flushtree flushtest.example || ret=1 dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.b > sed.out.$n.b -grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1 + ns2/named_dump.db.test$n.b >sed.out.$n.b +grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check expire option returned from primary zone ($n)" ret=0 -$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 -grep EXPIRE: dig.out.expire > /dev/null || ret=1 +$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1 +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check expire option returned from secondary zone ($n)" ret=0 -$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 -grep EXPIRE: dig.out.expire > /dev/null || 
ret=1 +$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1 +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/case/tests.sh b/bin/tests/system/case/tests.sh index 6b40574..c5bc0e7 100644 --- a/bin/tests/system/case/tests.sh +++ b/bin/tests/system/case/tests.sh @@ -18,9 +18,9 @@ set -e DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 @@ -29,25 +29,23 @@ n=0 n=$((n + 1)) echo_i "waiting for zone transfer to complete ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n || true - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n || true + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n || true - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n || true + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done n=$((n + 1)) echo_i "testing case preserving responses - no acl ($n)" ret=0 -$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n || ret=1 -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n || ret=1 +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" status=$((status + ret)) 
@@ -56,14 +54,14 @@ echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)" ret=0 # check that we preserve zone case for non-matching query (10.53.0.1) -$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n || ret=1 -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n || ret=1 +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 # check that we don't preserve zone case for match (10.53.0.2) -$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n || ret=1 -grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1 -grep "mail.example" dig.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n || ret=1 +grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1 +grep "mail.example" dig.ns2.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" status=$((status + ret)) @@ -71,7 +69,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -80,7 +78,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" 
@@ -88,13 +86,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "change SOA owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -111,7 +109,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check SOA owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -120,13 +118,13 @@ status=$((status + ret)) #update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1 n=$((n + 1)) echo_i "change A record owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postns1.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -143,7 +141,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check A owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postns1.good || ret=1 status=$((status + ret)) diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index bcfc68a..1f4ee99 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 3169abb..882a4ba 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in 
@@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index b5be974..51d72dc 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in index fb82379..47c4ed7 100644 --- a/bin/tests/system/catz/ns3/named.conf.in +++ b/bin/tests/system/catz/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in index 2f43c25..3ac60b2 100644 --- a/bin/tests/system/catz/ns4/named.conf.in +++ b/bin/tests/system/catz/ns4/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 4965e20..8e54e0c 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh 
@@ -17,339 +17,339 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) _wait_for_message() ( - nextpartpeek "$1" > wait_for_message.$n - grep -F "$2" wait_for_message.$n >/dev/null + nextpartpeek "$1" >wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null ) wait_for_message() ( - retry_quiet 20 _wait_for_message "$@" + retry_quiet 20 _wait_for_message "$@" ) _wait_for_rcode() ( - rcode="$1" - qtype="$2" - ns="$3" - qname="$4" - file="$5" - shift 5 - dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 - grep "status: $rcode" "$file" >/dev/null + rcode="$1" + qtype="$2" + ns="$3" + qname="$4" + file="$5" + shift 5 + dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 + grep "status: $rcode" "$file" >/dev/null ) wait_for_rcode() ( - retry_quiet 10 _wait_for_rcode "$@" + retry_quiet 10 _wait_for_rcode "$@" ) wait_for_soa() ( - wait_for_rcode NOERROR SOA "$@" + wait_for_rcode NOERROR SOA "$@" ) wait_for_a() ( - wait_for_rcode NOERROR A "$@" + wait_for_rcode NOERROR A "$@" ) wait_for_no_soa() { - wait_for_rcode REFUSED SOA "$@" + wait_for_rcode REFUSED SOA "$@" } _wait_for_zonefile() ( - # shellcheck disable=SC2234 - [ -f "$1" ] + # shellcheck disable=SC2234 + [ -f "$1" ] ) wait_for_zonefile() ( - retry_quiet 10 _wait_for_zonefile "$@" + retry_quiet 10 _wait_for_zonefile "$@" ) _wait_for_no_zonefile() ( - # shellcheck disable=SC2234 - [ ! -f "$1" ] + # shellcheck disable=SC2234 + [ ! 
-f "$1" ] ) wait_for_no_zonefile() ( - retry_quiet 10 _wait_for_no_zonefile "$@" + retry_quiet 10 _wait_for_no_zonefile "$@" ) status=0 n=0 ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad1.example (with no version) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad1.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad1.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad2.example (with unsupported version) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad3.example (with two supported version records) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" && -wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" && -wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' 
version is not set" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" \ + && wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' version is not set" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad4.example (with only spurious type A version record) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad5.example (non-IN class) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "'catalog-zones' option is only supported for views with class IN" && -wait_for_message ns2/named.run "all zones loaded" || ret=1 +wait_for_message ns2/named.run "'catalog-zones' option is only 
supported for views with class IN" \ + && wait_for_message ns2/named.run "all zones loaded" || ret=1 grep -F "catz: dns_catz_add_zone catalog-bad5.example" ns2/named.run && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null ########################################################################## echo_i "Testing adding/removing of domain in catalog zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom1.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom1.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom1.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom1.example.db rndccmd 10.53.0.1 addzone dom1.example. in default '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. 
is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom1.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN PTR dom1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is populated ($n)" ret=0 wait_for_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. 
($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT dom1.example. >dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that journal was created for cleanup test ($n)" ret=0 test -f ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update catalog zone serial ($n)" ret=0 # default minimum update rate is once / 5 seconds sleep 5 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for catalog zone to transfer ($n)" ret=0 wait_for_soa_equal_20() { - dig_with_opts @10.53.0.2 SOA catalog1.example. 
> dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep 'IN.SOA.\. \. 20 ' dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 SOA catalog1.example. >dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep 'IN.SOA.\. \. 20 ' dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_soa_equal_20 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. again ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add foo.dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated again ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT foo.dom1.example. >dig.out.test$n || return 1 + grep "ANSWER: 2," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom1.example. 
from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is emptied ($n)" ret=0 wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null ########################################################################## echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db -echo "@ IN NS invalid." >> ns1/dom2.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom2.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom2.example.db +echo "@ IN NS invalid." >>ns1/dom2.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom2.example.db rndccmd 10.53.0.1 addzone dom2.example. 
in default '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom2.example.db -echo "@ IN NS invalid." >> ns3/dom2.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom2.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom2.example.db +echo "@ IN NS invalid." >>ns3/dom2.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom2.example.db rndccmd 10.53.0.3 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db -echo "@ IN NS invalid." >> ns1/dom4.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom4.example.db +echo "@ IN NS invalid." >>ns1/dom4.example.db rndccmd 10.53.0.1 addzone dom4.example. in default '{type primary; file "dom4.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom2.example, dom3.example. and some garbage to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." 
@@ -366,197 +366,197 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" && -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom4.example. 
is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom3.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db -echo "@ IN NS invalid." >> ns1/dom3.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom3.example.db +echo "@ IN NS invalid." >>ns1/dom3.example.db rndccmd 10.53.0.1 addzone dom3.example. in default '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by primary ($n)" ret=0 -wait_for_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 dom3.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # The member zone's PTR RRset must have only one record in it. # Check that adding a second record to the RRset is caught and such a # catalog zone is not processed. -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4-reused-label.example. to catalog2 zone, reusing a label ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up, and checking that the reused label has been caught ($n)" ret=0 -wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom4-reused-label.example. from catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # Test zone associated state reset. -n=$((n+1)) +n=$((n + 1)) echo_i "renaming the label of domain dom4.example. in catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. update add dom4-renamed-label.zones.catalog2.example. 3600 IN PTR dom4.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up, and checking that the zone has been reset ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'dom4.example' unique label has changed, reset state" && -wait_for_message ns2/named.run "catz: deleting zone 'dom4.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success" || ret=1 +wait_for_message ns2/named.run "catz: zone 'dom4.example' unique label has changed, reset state" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom4.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to catalog2 zone to test change of ownership ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update add primaries.dom2-without-coo.zones.catalog2.example. 
3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that unpermitted change of ownership did not happen ($n)" ret=0 wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding change of ownership permission record for dom2.example. into catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: updating catalog zone 'catalog1.example'" && -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "updating catalog2 zone to initiate a zone transfer ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update delete primaries.dom2-without-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 
@@ -565,291 +565,291 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up and checking that the change of ownership was successful ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" && -wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is served by secondary and that it's now the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom2.example. 
and its change of ownership permission record from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding change of ownership permission record for dom2.example. into catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add coo.dom2-with-coo.zones.catalog2.example. 3600 IN PTR catalog1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding back dom2.example. into catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that the change of ownership did not happen because version '1' catalog2 zone does not support the 'coo' property ($n)" ret=0 wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is still served by secondary and that it's still the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3060 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T3//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3911 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T4//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # catalog zone update can be deferred sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing.example.db -echo "@ IN NS invalid." >> ns1/dom-existing.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing.example.db +echo "@ 3600 IN SOA . . 
1 3600 3600 3600 3600" >ns1/dom-existing.example.db +echo "@ IN NS invalid." >>ns1/dom-existing.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing.example.db rndccmd 10.53.0.1 addzone dom-existing.example. in default '{type primary; file "dom-existing.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing.example. to catalog1 zone to test that existing zones don't get overwritten ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing.zones.catalog1.example. 3600 IN PTR dom-existing.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing.example' will not be added because it is an explicitly configured zone" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing.example' will not be added because it is an explicitly configured zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing.example. 
is served by secondary and that it's not the one from the primary ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom-existing.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null && ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing-forward.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward.example.db -echo "@ IN NS invalid." >> ns1/dom-existing-forward.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom-existing-forward.example.db +echo "@ IN NS invalid." >>ns1/dom-existing-forward.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing-forward.example.db rndccmd 10.53.0.1 addzone dom-existing-forward.example. in default '{type primary; file "dom-existing-forward.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing-forward.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing-forward.example. to catalog1 zone to test that existing forward zones don't get overwritten ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing-forward.zones.catalog1.example. 3600 IN PTR dom-existing-forward.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing-forward.example' will not be processed because of the explicitly configured forwarding for that zone" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing-forward.example' will not be processed because of the explicitly configured forwarding for that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom-existing-forward.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing-forward-off.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward-off.example.db -echo "@ IN NS invalid." >> ns1/dom-existing-forward-off.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward-off.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom-existing-forward-off.example.db +echo "@ IN NS invalid." >>ns1/dom-existing-forward-off.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing-forward-off.example.db rndccmd 10.53.0.1 addzone dom-existing-forward-off.example. 
in default '{type primary; file "dom-existing-forward-off.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward-off.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing-forward-off.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing-forward-off.example. to catalog1 zone to test that a zone with turned off forwarding can be used in a catalog zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing-forward-off.zones.catalog1.example. 3600 IN PTR dom-existing-forward-off.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" && -if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" \ + && if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward-off.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom-existing-forward-off.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." @@ -869,12 +869,12 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom2-with-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update delete primaries.dom2-with-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 
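Review bot: The "waiting for secondary to sync up" step for dom-existing-forward-off.example. can never fail: the reformatted lines join `wait_for_message ... \ && if [ $ret -ne 0 ]; then echo_i "failed"; fi` with no `|| ret=1`, so when the log message never appears `ret` stays 0 and the failure report is simply skipped; the reformatter carried the pre-existing defect over intact. The wait should end with `|| ret=1` and the `if` should be a separate line, as every other sync-up check in this hunk does: `wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" || ret=1`. Separately, the new `+sed -e "s/^#T3//" ns2/named.conf.tmp` and `#T4` lines appear in this rendering without the `<ns2/named1.conf.in >ns2/named.conf.tmp` redirections the old side had; that is probably a display artifact, but it is worth confirming the committed file still reads the template and writes the temp file, since as shown it would wait on stdin and clobber nothing.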
@@ -883,70 +883,69 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing primaries suboption and random labels" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom5.example. with a valid primaries suboption (IP without TSIG) and a random label ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. update add primaries.ext.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom5.example. ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete somerandomlabel.zones.catalog1.example. 
3600 IN PTR dom5.example. update delete primaries.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing primaries global option" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom6.example. and a valid global primaries option (IP without TSIG) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add primaries.ext.catalog1.example. 3600 IN A 10.53.0.3 update add primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 
@@ -954,27 +953,27 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " > /dev/null || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \
+ && wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking that dom6.example. is served by secondary ($n)"
 ret=0
 wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "removing dom6.example. ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update delete primaries.ext.catalog1.example. 3600 IN A 10.53.0.3
 update delete primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3
@@ -982,142 +981,142 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN/default: shutting down" || ret=1
+wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN/default: shutting down" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking that dom6.example. is no longer served by secondary ($n)"
 ret=0
 wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 nextpart ns2/named.run >/dev/null
-n=$((n+1))
+n=$((n + 1))
 echo_i "adding dom6.example. and an invalid global primaries option (TSIG without IP) ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update add label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key"
 update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom6.example'" || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \
+ && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom6.example'" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "removing dom6.example. ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update delete label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key"
 update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "Checking that a missing zone directory forces in-memory ($n)" ret=0 -grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +grep "'nonexistent' not found; zone files will not be saved" ns2/named.run >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing allow-query and allow-transfer ACLs" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db -echo "@ IN NS invalid." >> ns1/dom7.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom7.example.db +echo "@ IN NS invalid." >>ns1/dom7.example.db rndccmd 10.53.0.1 addzone dom7.example. in default '{type primary; file "dom7.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db -echo "@ IN NS invalid." >> ns1/dom8.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom8.example.db +echo "@ IN NS invalid." >>ns1/dom8.example.db rndccmd 10.53.0.1 addzone dom8.example. 
in default '{type primary; file "dom8.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. update add allow-query.ext.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && -wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" >/dev/null \ + && wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. 
dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example update add allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 
@@ -1125,118 +1124,117 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && -wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" \ + && wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 -grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 >dig.out.test$n || ret=1 +grep "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. 
-b 10.53.0.2 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting global allow-query and allow-domain ACLs ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 update delete allow-transfer.ext.catalog1.example. 3600 IN APL 1:10.53.0.2/32 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. 
-b 10.53.0.1 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing TSIG keys for primaries set per-domain" -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS invalid." >> ns1/dom9.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom9.example.db +echo "@ IN NS invalid." >>ns1/dom9.example.db rndccmd 10.53.0.1 addzone dom9.example. in default '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom9.example. 
to catalog1 zone with a valid primaries suboption (IP with TSIG) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 
@@ -1244,77 +1242,77 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \
+ && wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking that dom9.example. is accessible on secondary ($n)"
 ret=0
 wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "change TSIG key name on primary ($n)"
 ret=0
 rndccmd 10.53.0.1 modzone dom9.example. in default '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "update TSIG key name in catalog zone ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update del label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
 update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "update zone contents and reload ($n)"
 ret=0
-echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db
-echo "@ IN NS ns2" >> ns1/dom9.example.db
-echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db
+echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" >ns1/dom9.example.db
+echo "@ IN NS ns2" >>ns1/dom9.example.db
+echo "ns2 IN A 10.53.0.2" >>ns1/dom9.example.db
 rndccmd 10.53.0.1 reload dom9.example. || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "wait for primary to update zone ($n)"
 ret=0
 wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "wait for secondary to update zone ($n)"
 ret=0
 wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
 update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
@@ -1322,675 +1320,672 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1
+wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking that dom9.example. is no longer accessible on secondary ($n)"
 ret=0
 wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 nextpart ns2/named.run >/dev/null
-n=$((n+1))
+n=$((n + 1))
 echo_i "adding domain dom9.example. to catalog1 zone with an invalid primaries suboption (TSIG without IP) ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
 update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
-wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom9.example'" || ret=1
+wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \
+ && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom9.example'" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
 ret=0
-$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
 update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 ##########################################################################
 echo_i "Testing catalog entries that can't be represented as filenames"
 # note: we need 4 backslashes in the shell to get 2 backslashes in DNS
 # presentation format, which is 1 backslash on the wire.
for special in \ - this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ - this.zone/domain.has.a.slash.dom10.example \ - this.zone\\\\domain.has.backslash.dom10.example \ - this.zone:domain.has.a.colon.dom.10.example -do - # hashes below are generated by: - # python ${TOP}/contrib/scripts/catzhash.py "${special}" - - case "$special" in + this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ + this.zone/domain.has.a.slash.dom10.example \ + this.zone\\\\domain.has.backslash.dom10.example \ + this.zone:domain.has.a.colon.dom.10.example; do + # hashes below are generated by: + # python ${TOP}/contrib/scripts/catzhash.py "${special}" + + case "$special" in this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) - hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 - db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db - ;; + hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 + db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db + ;; this.zone/domain.has.a.slash.dom10.example) - hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa - db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db - ;; + hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa + db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db + ;; this.zone\\\\domain.has.backslash.dom10.example) - hash=91e27e02153d38cf656a9b376d7747fbcd19f985 - db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db - ;; + hash=91e27e02153d38cf656a9b376d7747fbcd19f985 + db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db + ;; this.zone:domain.has.a.colon.dom.10.example) - hash=8b7238bf4c34045834c573ba4116557ebb24d33c - 
db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db - ;; - esac - - n=$((n+1)) - echo_i "checking that ${special}. is not served by primary ($n)" - ret=0 - wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "Adding a domain ${special}. to primary via RNDC ($n)" - ret=0 - echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db - echo "@ IN NS invalid." >> ns1/dom10.example.db - rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is now served by primary ($n)" - ret=0 - wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - nextpart ns2/named.run >/dev/null - - n=$((n+1)) - echo_i "Adding domain ${special}. to catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + hash=8b7238bf4c34045834c573ba4116557ebb24d33c + db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db + ;; + esac + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by primary ($n)" + ret=0 + wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "Adding a domain ${special}. to primary via RNDC ($n)" + ret=0 + echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom10.example.db + echo "@ IN NS invalid." >>ns1/dom10.example.db + rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. 
is now served by primary ($n)" + ret=0 + wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + nextpart ns2/named.run >/dev/null + + n=$((n + 1)) + echo_i "Adding domain ${special}. to catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}. send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && - wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is served by secondary ($n)" - ret=0 - wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is populated with a hashed filename ($n)" - ret=0 - wait_for_zonefile "ns2/zonedir/$db" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "removing domain ${special}. from catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. 
is served by secondary ($n)" + ret=0 + wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is populated with a hashed filename ($n)" + ret=0 + wait_for_zonefile "ns2/zonedir/$db" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "removing domain ${special}. from catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete ${hash}.zones.catalog1.example send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN/default: shutting down" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is not served by secondary ($n)" - ret=0 - wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is emptied ($n)" - ret=0 - wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 - wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN/default: shutting down" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by secondary ($n)" + ret=0 + wait_for_no_soa @10.53.0.2 "${special}." 
dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is emptied ($n)" + ret=0 + wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 + wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done ########################################################################## echo_i "Testing adding a domain and a subdomain of it" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db -echo "@ IN NS invalid." >> ns1/dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom11.example.db +echo "@ IN NS invalid." >>ns1/dom11.example.db rndccmd 10.53.0.1 addzone dom11.example. in default '{type primary; file "dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)" ret=0 wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db -echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/subdomain.of.dom11.example.db +echo "@ IN NS invalid." >>ns1/subdomain.of.dom11.example.db rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. 
in default '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom11.example. 
from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain subdomain.of.dom11.example. 
from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing adding a catalog zone at runtime with rndc reconfig" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db -echo "@ IN NS invalid." >> ns1/dom12.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom12.example.db +echo "@ IN NS invalid." >>ns1/dom12.example.db rndccmd 10.53.0.1 addzone dom12.example. 
in default '{type primary; file "dom12.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom12.example. to catalog4 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" ret=0 -sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T1//g" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && -wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking that dom12.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom12.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" ret=0 -sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T2//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom12.example. from catalog4 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a zone in two different catalogs" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom13.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db -echo "@ IN NS invalid." >> ns1/dom13.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom13.example.db +echo "@ IN NS invalid." >>ns1/dom13.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom13.example.db rndccmd 10.53.0.1 addzone dom13.example. in default '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db -echo "@ IN NS invalid." >> ns3/dom13.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom13.example.db +echo "@ IN NS invalid." >>ns3/dom13.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom13.example.db rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. 
to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update add primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update add primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 
3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update delete primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. 
dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update delete primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing recreation of a manually deleted zone after a reload" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db -echo "@ IN NS invalid." 
>> ns1/dom16.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom16.example.db +echo "@ IN NS invalid." >>ns1/dom16.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom16.example.db rndccmd 10.53.0.1 addzone dom16.example. in default '{type primary; file "dom16.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 
3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null @@ -1998,14 +1993,14 @@ echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)" ret=0 rndccmd 10.53.0.2 delzone dom16.example. in default >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null 
@@ -2013,353 +2008,353 @@ echo_i "Reloading secondary ns2 via RNDC ($n)" ret=0 rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom16.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. 
is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a regular zone and a zone in catalog zone of the same name" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db -echo "@ IN NS invalid." >> ns1/dom14.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom14.example.db +echo "@ IN NS invalid." >>ns1/dom14.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom14.example.db rndccmd 10.53.0.1 addzone dom14.example. in default '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db -echo "@ IN NS invalid." >> ns3/dom14.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom14.example.db +echo "@ IN NS invalid." >>ns3/dom14.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom14.example.db rndccmd 10.53.0.3 addzone dom14.example. 
'{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" ret=0 rndccmd 10.53.0.2 addzone dom14.example. in default '{type secondary; primaries {10.53.0.1;};};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. 
update add primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom14.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. update delete primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. 
is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing changing label for a member zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db -echo "@ IN NS invalid." >> ns1/dom15.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom15.example.db +echo "@ IN NS invalid." >>ns1/dom15.example.db rndccmd 10.53.0.1 addzone dom15.example. in default '{type primary; file "dom15.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing custom properties version '1' and version '2' syntaxes" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom17.example.db -echo "@ IN NS invalid." >> ns1/dom17.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom17.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom17.example.db +echo "@ IN NS invalid." >>ns1/dom17.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom17.example.db rndccmd 10.53.0.1 addzone dom17.example. in default '{type primary; file "dom17.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom18.example.db -echo "@ IN NS invalid." >> ns1/dom18.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom18.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom18.example.db +echo "@ IN NS invalid." >>ns1/dom18.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom18.example.db rndccmd 10.53.0.1 addzone dom18.example. 
in default '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by primary ns3 ($n)" ret=0 wait_for_no_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by primary ns3 ($n)" ret=0 wait_for_no_soa @10.53.0.3 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom17.example.db -echo "@ IN NS invalid." >> ns3/dom17.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom17.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom17.example.db +echo "@ IN NS invalid." >>ns3/dom17.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom17.example.db rndccmd 10.53.0.3 addzone dom17.example. '{type primary; file "dom17.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom18.example.db -echo "@ IN NS invalid." 
>> ns3/dom18.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom18.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom18.example.db +echo "@ IN NS invalid." >>ns3/dom18.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom18.example.db rndccmd 10.53.0.3 addzone dom18.example. '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to catalog1 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom17.zones.catalog1.example. 3600 IN PTR dom17.example. update add dom18.zones.catalog1.example. 3600 IN PTR dom18.example. 
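Review bot: The step labelled "checking that dom18.example. is now served by primary ns3" queries the wrong zone: its context line reads `wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1`, which repeats the dom17 check immediately above it, so a dom18 zone that failed to load on ns3 would pass this check unnoticed. Change it to `wait_for_soa @10.53.0.3 dom18.example. dig.out.test$n || ret=1`. This is pre-existing context carried through the reformatting hunk, but it is still the code on the new side.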
@@ -2368,49 +2363,49 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom17.example. was added using the legacy # syntax into a version 2 catalog1 zone, so we expect that it was ignored, no # override of the default setting happened, and dom17.example. was transferred # from the ns1 primary (the default). -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. 
is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom18.example. was added using a supported # syntax into a version 2 catalog1 zone, so we expect that it was processed, # will override the default setting, and dom18.example. was transferred # from the ns3 primary. -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is served by secondary and that it's the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom17.example. and dom18.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete dom17.zones.catalog1.example. 3600 IN PTR dom17.example. update delete dom18.zones.catalog1.example. 3600 IN PTR dom18.example. 
@@ -2419,38 +2414,38 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. 
to catalog2 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add dom17.zones.catalog2.example. 3600 IN PTR dom17.example. update add dom18.zones.catalog2.example. 3600 IN PTR dom18.example. 
@@ -2459,49 +2454,49 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom17.example. was added using a supported # syntax into a version 1 catalog1 zone, so we expect that it was processed, # will override the default setting, and dom17.example. was transferred # from the ns3 primary. -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. 
is served by secondary and that it's the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom18.example. was added using the new # syntax into a version 1 catalog1 zone, so we expect that it was ignored, no # override of the default setting happened, and dom18.example. was transferred # from the ns1 primary (the default). -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom17.example. and dom18.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom17.zones.catalog2.example. 3600 IN PTR dom17.example. update delete dom18.zones.catalog2.example. 3600 IN PTR dom18.example. 
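Review bot: The two explanatory comments in this hunk ("added using a supported syntax into a version 1 catalog1 zone" for dom17 and "using the new syntax into a version 1 catalog1 zone" for dom18) name catalog1, but the surrounding updates are sent to `catalog2.example` on 10.53.0.3 and the awaited log messages reference 'catalog2.example', so the comments appear to have been copied from the catalog1 section earlier in the file. Suggest `# syntax into a version 1 catalog2 zone, so we expect that it was processed,` for the dom17 comment and `# syntax into a version 1 catalog2 zone, so we expect that it was ignored, no` for the dom18 comment, keeping the rest of each block as is.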
@@ -2510,34 +2505,34 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" ret=0 copy_setports ns2/named2.conf.in ns2/named.conf 
@@ -2545,30 +2540,30 @@ rndccmd 10.53.0.2 reconfig || ret=1 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ######################################################################### nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a dom19.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom19.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom19.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom19.example.db rndccmd 10.53.0.1 addzone dom19.example. in default '{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "add an entry to the restored catalog zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example. update add label1.primaries.ext.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 
3600 IN A 10.53.0.1 
@@ -2576,82 +2571,82 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom19.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom19.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain tls1.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db -echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db -echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/tls1.example.db +echo "@ 3600 IN NS invalid." >>ns1/tls1.example.db +echo "foo 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "bar 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/tls1.example.db rndccmd 10.53.0.1 addzone tls1.example. 
in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that tls1.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns4/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain tls1.example. to catalog-tls zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" && -wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 +wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" \ + && wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that tls1.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.4 tls1.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## # GL #3777 nextpart ns4/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" ret=0 -echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >>ns4/catalog-self.example.db rndccmd 10.53.0.4 reload || ret=1 -n=$((n+1)) +n=$((n + 1)) echo_i "Issuing another rndc reload command after 1 second ($n)" sleep 1 rndccmd 10.53.0.4 reload || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "exit status: $status" diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index 6de5de5..27474bc 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh 
@@ -39,22 +39,22 @@ id2=$id2 EOF tac() { - $PERL -e 'print reverse <>' + $PERL -e 'print reverse <>' } convert() { - key=$1 - n=$2 - $DSFROMKEY -12 $key >DS.$n - grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 - grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 - sed 's/ IN DS / IN CDS /' >CDS.$n - sed 's/ IN DS / IN CDS /' >CDS.$n-1 - sed 's/ IN DS / IN CDS /' >CDS.$n-2 - sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n - sed 's/ IN DS / 3600 IN DS /' DS.ttl$n - sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n - tac DS.rev$n + key=$1 + n=$2 + $DSFROMKEY -12 $key >DS.$n + grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 + grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 + sed 's/ IN DS / IN CDS /' >CDS.$n + sed 's/ IN DS / IN CDS /' >CDS.$n-1 + sed 's/ IN DS / IN CDS /' >CDS.$n-2 + sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n + sed 's/ IN DS / 3600 IN DS /' DS.ttl$n + sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n + tac DS.rev$n } convert $key1 1 convert $key2 2 
@@ -86,9 +86,9 @@ cat UP.add2 UP.del1 | sed 3d >UP.swap sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' UP.swapttl sign() { - cat >db.$1 - $SIGNER >/dev/null \ - -S -O full -o $Z -f sig.$1 db.$1 + cat >db.$1 + $SIGNER >/dev/null \ + -S -O full -o $Z -f sig.$1 db.$1 } sign null <brk.rrsig.cds.zsk + brk.rrsig.cds.zsk $mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \ - brk.rrsig.cds.ksk + brk.rrsig.cds.ksk -$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " out.$n 2> err.$n; echo $?) || true + ( + "$@" 1>out.$n 2>err.$n + echo $? + ) || true } testcase() { - n=$((n + 1)) - echo_i "$name ($n)" - expect=$1 - shift - result=$(runcmd "$@") - check_stdout - check_stderr - if [ "$expect" -ne "$result" ]; then - echo_d "exit status does not match $expect" - fail - fi - unset name err out + n=$((n + 1)) + echo_i "$name ($n)" + expect=$1 + shift + result=$(runcmd "$@") + check_stdout + check_stderr + if [ "$expect" -ne "$result" ]; then + echo_d "exit status does not match $expect" + fail + fi + unset name err out } check_stderr() { - if [ -n "${err:=}" ]; then - grep -E "$err" err.$n >/dev/null && return 0 - echo_d "stderr did not match '$err'" - else - [ -s err.$n ] || return 0 - fi - cat err.$n | cat_d - fail + if [ -n "${err:=}" ]; then + grep -E "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" + else + [ -s err.$n ] || return 0 + fi + cat err.$n | cat_d + fail } check_stdout() { - diff out.$n "${out:-empty}" >/dev/null && return - echo_d "stdout did not match '$out'" - ( echo "wanted" - cat "$out" - echo "got" - cat out.$n - ) | cat_d - fail + diff out.$n "${out:-empty}" >/dev/null && return + echo_d "stdout did not match '$out'" + ( + echo "wanted" + cat "$out" + echo "got" + cat out.$n + ) | cat_d + fail } Z=cds.test diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl index 271b2a4..e42240b 100644 --- a/bin/tests/system/chain/ans3/ans.pl +++ b/bin/tests/system/chain/ans3/ans.pl 
@@ -22,9 +22,14 @@ my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
 print $pidf "$$\n" or die "cannot write pid file: $!";
 $pidf->close or die "cannot close pid file: $!";
 sub rmpid { unlink "ans.pid"; exit 1; };
+sub term { };
 $SIG{INT} = \&rmpid;
-$SIG{TERM} = \&rmpid;
+if ($Net::DNS::VERSION > 1.41) {
+ $SIG{TERM} = \&term;
+} else {
+ $SIG{TERM} = \&rmpid;
+}
 my $localaddr = "10.53.0.3";
@@ -128,4 +133,11 @@ my $ns = Net::DNS::Nameserver->new(
 Verbose => $verbose,
 );
-$ns->main_loop;
+if ($Net::DNS::VERSION >= 1.42) {
+ $ns->start_server();
+ select(undef, undef, undef, undef);
+ $ns->stop_server();
+ unlink "ans.pid";
+} else {
+ $ns->main_loop;
+}
diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh
index 90d1912..f2b9e12 100644
--- a/bin/tests/system/chain/ns2/sign.sh
+++ b/bin/tests/system/chain/ns2/sign.sh
@@ -19,7 +19,7 @@ signedfile=example.db.signed
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
-$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
 zone=wildcard-secure.example.
 zonefile=wildcard-secure.db
@@ -27,7 +27,7 @@ signedfile=wildcard-secure.example.db.signed
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
-$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
 zone=wildcard-nsec.example.
 zonefile=wildcard.db
@@ -35,7 +35,7 @@ signedfile=wildcard-nsec.example.db.signed
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
-$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null
 zone=wildcard-nsec3.example.
 zonefile=wildcard.db
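Review bot: The two version gates in ans3/ans.pl disagree: the SIGTERM handler is picked with `$Net::DNS::VERSION > 1.41` in the first hunk while the server loop is picked with `>= 1.42` in the second, so any version that numifies strictly between the two (a 1.41_xx developer release would, if Perl's underscore convention applies here — unverified) gets the no-op `term` handler together with `main_loop`, and the answer server then ignores SIGTERM and never removes ans.pid. Use one predicate for both places, e.g. `my $use_server_api = ($Net::DNS::VERSION >= 1.42);` computed once near the pid-file setup and tested in both `if`s; the `Nameserver->new(...)` call between the two hunks lies outside them. The new `select(undef, undef, undef, undef)` line also deserves a comment, because it only works as intended since the empty `term` handler makes the blocking call return on SIGTERM: `# block until a signal interrupts select(); SIGTERM is deliberately a no-op so we fall through to stop_server and remove the pid file`.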
@@ -43,7 +43,7 @@ signedfile=wildcard-nsec3.example.db.signed
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
-$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
+$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null
 zone=wildcard-nsec3-optout.example.
 zonefile=wildcard.db
@@ -51,4 +51,4 @@ signedfile=wildcard-nsec3-optout.example.db.signed
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
-$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
+$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null
diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in
index 86bbf26..ba8cc6f 100644
--- a/bin/tests/system/chain/ns5/named.conf.in
+++ b/bin/tests/system/chain/ns5/named.conf.in
@@ -28,7 +28,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "sub5.example" {
diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh
new file mode 100644
index 0000000..fe84055
--- /dev/null
+++ b/bin/tests/system/chain/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PYTHON} -c 'import dns'; then
+ echo_i "python dns module is required"
+ exit 1
+fi
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+if ! ${PERL} -MNet::DNS::Nameserver -e ''; then
+ echo_i "perl Net::DNS::Nameserver module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
index 3ad8e31..4957fe7 100644
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
@@ -16,10 +16,10 @@ set -e
 . ../conf.sh
 DIGOPTS="-p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 sendcmd() {
- send 10.53.0.4 "${EXTRAPORT1}"
+ send 10.53.0.4 "${EXTRAPORT1}"
 }
 status=0
@@ -28,8 +28,8 @@ n=0
 n=$((n + 1))
 echo_i "checking short DNAME from authoritative ($n)"
 ret=0
-$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
-grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
+$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1
+grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
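Review bot: None of the three module probes in the new prereq.sh redirect stderr, so when a module is missing the test log receives a Python traceback or Perl's "Can't locate ... in @INC" text ahead of the one-line `echo_i` reason; `if ! ${PYTHON} -c 'import dns' 2>/dev/null; then` (and the same `2>/dev/null` on the two `-M` checks) keeps the skip reason readable. `${PYTHON}` and `${PERL}` are presumably provided by the sourced `../conf.sh`; a one-line comment saying so, e.g. `# PYTHON and PERL come from ../conf.sh`, would save the next reader a lookup. Since ans3/ans.pl in the same series selects its server loop by `$Net::DNS::VERSION`, this script is the natural place to state the minimum Net::DNS version the test expects, rather than only that the module loads.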
@@ -37,16 +37,16 @@ n=$((n + 1)) echo_i "checking short DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1 -grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1 +$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1 +grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1 -grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1 +grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -54,16 +54,16 @@ n=$((n + 1)) echo_i "checking long DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1 -grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1 +grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking (too) long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -71,9 +71,9 @@ n=$((n + 1)) echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 -grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a >dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -81,50 +81,50 @@ n=$((n + 1)) echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 -grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) find_records() { - owner_name="$1" - rr_type="$2" - file="$3" - awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file" + owner_name="$1" + rr_type="$2" + file="$3" + awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file" } count_records() { - owner_name="$1" - rr_type="$2" - file="$3" - find_records "$owner_name" "$rr_type" "$file" | wc -l + owner_name="$1" + rr_type="$2" + file="$3" + find_records "$owner_name" "$rr_type" "$file" | wc -l } exactly_one_record_exists_for() { - owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 } no_records_exist_for() { - 
owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 } ensure_no_ds_in_bitmap() { - owner_name="$1" - rr_type="$2" - file="$3" - case "$rr_type" in - NSEC) start_index=6 ;; - NSEC3) start_index=10 ;; - *) exit 1 ;; - esac - find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' + owner_name="$1" + rr_type="$2" + file="$3" + case "$rr_type" in + NSEC) start_index=6 ;; + NSEC3) start_index=10 ;; + *) exit 1 ;; + esac + find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' } n=$((n + 1)) @@ -132,7 +132,7 @@ echo_i "checking secure delegation prepared using CNAME chaining ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # DS RRset. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 
@@ -144,7 +144,7 @@ echo_i "checking secure delegation prepared using wildcard expansion + CNAME cha ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an # NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 @@ -161,7 +161,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 
@@ -183,7 +183,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC records are different. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -206,7 +206,7 @@ ret=0 # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -247,7 +247,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 
@@ -269,7 +269,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -292,7 +292,7 @@ ret=0 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -336,7 +336,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with o ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 
@@ -357,7 +357,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -379,7 +379,7 @@ ret=0 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -397,8 +397,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking CNAME to DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname -grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname +grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -406,12 +406,12 @@ n=$((n + 1)) echo_i "checking CNAME to DNAME from recursive" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname -grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1 -grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname +grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1 +grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.target.example.' dig.out.ns4.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -419,10 +419,10 @@ n=$((n + 1)) echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -430,11 +430,11 @@ n=$((n + 1)) echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 -grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1 +grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -442,9 +442,9 @@ n=$((n + 1)) echo_i "checking CNAME loops are detected ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -452,9 +452,9 @@ n=$((n + 1)) echo_i "checking CNAME to external delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -462,9 +462,9 @@ n=$((n + 1)) echo_i "checking CNAME to internal delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -472,8 +472,8 @@ n=$((n + 1)) echo_i "checking CNAME to signed external delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -481,8 +481,8 @@ n=$((n + 1)) echo_i "checking CNAME to signed internal delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -491,39 +491,39 @@ echo_i "checking CNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1 -grep 'status: NOERROR' dig.out.4.$n > 
/dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1 +grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1 echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd $RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1 -grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1 +grep 'status: NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1 -grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1 +grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -533,9 +533,9 @@ ret=0 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 sleep 1 -$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1 +$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1 ttl=$(awk '{print $2}' dig.out.2.$n) [ "$ttl" -eq 86400 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -547,21 +547,21 @@ ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|2,3,s1,s2,s3,s4,1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -571,20 +571,20 @@ echo_i "checking external CNAME/DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,s1,1,4,s4,3" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,2,2" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -593,8 +593,8 @@ n=$((n + 1)) echo_i "checking explicit DNAME query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -603,8 +603,8 @@ echo_i "checking DNAME via ANY query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -612,8 +612,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DNAME resolution via itself (authoritative) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -621,8 +621,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DNAME resolution via itself (recursive) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index bd6e0c2..d66dfa8 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -31,6 +31,9 @@ options { tkey-dhkey "server" 12345; root-delegation-only exclude { "them"; }; + + resolver-nonbackoff-tries 3; + resolver-retry-interval 800; }; trusted-keys { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 8d82f92..dc7854b 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -23,17 +23,17 @@ mkdir -p keys n=$((n + 1)) echo_i "checking that named-checkconf handles a known good config ($n)" ret=0 -$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1 +$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf prints a known good config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.in [ -s good.conf.in ] || ret=1 -$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +$CHECKCONF -p good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' good.conf.out 2>&1 || ret=1 cmp good.conf.in good.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -42,102 +42,119 @@ n=$((n + 1)) echo_i "checking that named-checkconf -x removes secrets ($n)" ret=0 # ensure there is a secret and that it is not the check string. -grep 'secret "' good.conf.in > /dev/null || ret=1 -grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 -$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 -grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 +grep 'secret "' good.conf.in >/dev/null || ret=1 +grep 'secret "????????????????"' good.conf.in >/dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' good.conf.out 2>&1 || ret=1 +grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) -for bad in bad-*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - { $CHECKCONF $bad > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 1 ]; then ret=1; fi - grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1 - case $bad in +for bad in bad-*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + { + $CHECKCONF $bad >checkconf.out$n 2>&1 + rc=$? 
+ } || true + if [ $rc -ne 1 ]; then ret=1; fi + grep "^$bad:[0-9]*: " /dev/null || ret=1 + case $bad in bad-update-policy[123].conf) - pat="identity and name fields are not the same" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[4589].conf|bad-update-policy1[01].conf) - pat="name field not set to placeholder value" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[67].conf|bad-update-policy1[2345789].conf|bad-update-policy20.conf) - pat="missing name field type '.*' found" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - esac - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + pat="identity and name fields are not the same" + grep "$pat" /dev/null || ret=1 + ;; + bad-update-policy[4589].conf | bad-update-policy1[01].conf) + pat="name field not set to placeholder value" + grep "$pat" /dev/null || ret=1 + ;; + bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf) + pat="missing name field type '.*' found" + grep "$pat" /dev/null || ret=1 + ;; + esac + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for good in good-*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects no error in $good ($n)" - ret=0 - if ! $FEATURETEST --with-libnghttp2 - then - case $good in - good-doh-*.conf) continue;; - good-dot-*.conf) continue;; - esac - fi - { $CHECKCONF $good > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) +for good in good-*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects no error in $good ($n)" + ret=0 + if ! $FEATURETEST --with-libnghttp2; then + case $good in + good-doh-*.conf) continue ;; + good-dot-*.conf) continue ;; + esac + fi + { + $CHECKCONF $good >checkconf.out$n 2>&1 + rc=$? 
+ } || true + if [ $rc -ne 0 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done -for lmdb in lmdb-*.conf -do - n=$((n + 1)) - ret=0 - - if $FEATURETEST --with-lmdb; then - echo_i "checking that named-checkconf detects no error in $lmdb ($n)" - { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi - else - echo_i "checking that named-checkconf detects error in $lmdb ($n)" - { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then echo_i "failed"; ret=1; fi - fi - status=$((status + ret)) +for lmdb in lmdb-*.conf; do + n=$((n + 1)) + ret=0 + + if $FEATURETEST --with-lmdb; then + echo_i "checking that named-checkconf detects no error in $lmdb ($n)" + { + $CHECKCONF $lmdb >checkconf.out$n 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + echo_i "failed" + ret=1 + fi + else + echo_i "checking that named-checkconf detects error in $lmdb ($n)" + { + $CHECKCONF $lmdb >checkconf.out$n 2>&1 + rc=$? 
+ } || true + if [ $rc -eq 0 ]; then + echo_i "failed" + ret=1 + fi + fi + status=$((status + ret)) done n=$((n + 1)) echo_i "checking that ancient options report a fatal error ($n)" ret=0 -$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 -grep "no longer exists" ancient.out > /dev/null || ret=1 +$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1 +grep "no longer exists" ancient.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z catches missing hint file ($n)" ret=0 -$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 -grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 +$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1 +grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf catches range errors ($n)" ret=0 -$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 +$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" ret=0 -$CHECKCONF notify.conf > checkconf.out$n 2>&1 -warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l) +$CHECKCONF notify.conf >checkconf.out$n 2>&1 +warnings=$(grep "'notify' is disabled" checkconf.out$n.1 2>&1 && ret=1 -grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF dnssec.1 >checkconf.out$n.1 2>&1 && ret=1 +grep 'auto-dnssec may only be ' /dev/null || ret=1 # dnssec.2: should have no warnings (other than deprecation warning) -$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1 -grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1 -lines=$(wc -l < 
"checkconf.out$n.2") +$CHECKCONF dnssec.2 >checkconf.out$n.2 2>&1 || ret=1 +grep "option 'auto-dnssec' is deprecated" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n.2") if [ $lines != 1 ]; then ret=1; fi # dnssec.3: should have specific deprecation warning -$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1 -grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1 +$CHECKCONF dnssec.3 >checkconf.out$n.3 2>&1 && ret=1 +grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 -$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 -grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'tkey-dhkey' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || 
ret=1 +$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 +grep "option 'managed-keys' is deprecated" /dev/null || ret=1 +grep "option 'trusted-keys' is deprecated" /dev/null || ret=1 +grep "option 'use-v4-udp-ports' is deprecated" /dev/null || ret=1 +grep "option 'use-v6-udp-ports' is deprecated" /dev/null || ret=1 +grep "option 'avoid-v4-udp-ports' is deprecated" /dev/null || ret=1 +grep "option 'avoid-v6-udp-ports' is deprecated" /dev/null || ret=1 +grep "option 'delegation-only' is deprecated" /dev/null || ret=1 +grep "option 'tkey-dhkey' is deprecated" /dev/null || ret=1 +grep "option 'root-delegation-only' is deprecated" /dev/null || ret=1 +grep "'type delegation-only' is deprecated" /dev/null || ret=1 +grep "option 'dialup' is deprecated" /dev/null || ret=1 +grep "option 'heartbeat-interval' is deprecated" /dev/null || ret=1 +grep "option 'resolver-nonbackoff-tries' is deprecated" /dev/null || ret=1 +grep "option 'resolver-retry-interval' is deprecated" /dev/null || ret=1 +grep "option 'dnssec-must-be-secure' is deprecated" /dev/null || ret=1 +grep "token 'port' is deprecated" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) # set -i to ignore deprecate warnings -$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 -grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 +$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1 +grep '.*' /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf servestale warnings ($n)" ret=0 -$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1 +$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status 
+ ret)) ret=0 -$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -202,38 +221,62 @@ n=$((n + 1)) echo_i "range checking fields that do not allow zero ($n)" ret=0 for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do - cat > badzero.conf << EOF + cat >badzero.conf < checkconf.out$n.1 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "options $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "options $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.2 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "view $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "view $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.3 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "options + view $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.4 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } + { + $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "zone $field failed" + ret=1 + } done if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
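Review bot: The `set -i` sub-check near the end of this hunk accumulates `ret` without resetting it: `status=$((status + ret))` is followed directly by `$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1`, so a failure in the preceding deprecation-warning greps is added to `status` a second time and the `-i` result is never reported on its own. The servestale section in the same hunk does reset between its two runs (`ret=0` before the `.29.conf` run), so the fix is the single line `ret=0` placed before the `$CHECKCONF -i` invocation, matching that pattern. The two new greps for `resolver-nonbackoff-tries` and `resolver-retry-interval` line up with the options added to deprecated.conf earlier in this commit. The rendered text of this hunk appears to have lost the `<checkconf.out$n.1 >` redirections on the grep lines, so the exact lines should be confirmed against the raw patch.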
@@ -241,28 +284,28 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.1 2>&1 && ret=1 +l=$(grep "dnssec-dnskey-kskonly.*requires inline" checkconf.out$n.2 2>&1 && ret=1 -l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1 +l=$(grep "dnssec-loadkeys-interval.*requires inline" checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "update-check-ksk.*requires inline" checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.1 | wc -l) +$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1 +l=$(grep "missing 'file' entry" checkconf.out$n.2 2>&1 || ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.2 | wc -l) +$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1 +l=$(grep "missing 'file' entry" checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.3 | wc -l) +$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "missing 'file' entry" checkconf.out$n 2>&1 && ret=1 -grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1 +grep "'dlz' and 'database'" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -279,17 +322,17 @@ n=$((n + 1)) echo_i "checking for missing key directory warning ($n)" ret=0 rm -rf test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 -l=$(grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1 +l=$(grep "'test.keydir' does not exist" checkconf.out$n.2 2>&1 -l=$(grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1 +l=$(grep "'test.keydir' is not a directory" checkconf.out$n.3 2>&1 -l=$(grep "key-directory" < checkconf.out$n.3 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1 +l=$(grep "key-directory" check.out 2>&1 && ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" ret=0 -$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF 
-z altdb.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" ret=0 -$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" ret=0 -$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" ret=0 -$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z passes on view with IN class ($n)" ret=0 -$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" ret=0 -$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-names fails as configured ($n)" ret=0 
-$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" /dev/null || ret=1 +grep "zone check-names/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-dup-records fails as configured ($n)" ret=0 -$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "has semantically identical records" /dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep 
"failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "failed: MX is an address" /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-srv-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -p properly print a port range ($n)" ret=0 -$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi 
+$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "range 8610 8614;" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -z handles in-view ($n)" ret=0 -$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "zone shared.example/IN: loaded serial" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" ret=0 -$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf prints max-cache-size correctly ($n)" ret=0 -$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "max-cache-size 60%;" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -l prints out the zone list ($n)" ret=0 -$CHECKCONF -l good.conf | -grep -v "is deprecated" | -grep -v "is not implemented" | -grep -v "is not recommended" | -grep -v "no longer exists" | -grep -v "is obsolete" > checkconf.out$n || ret=1 -diff good.zonelist checkconf.out$n > diff.out$n || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -l good.conf \ + | grep -v "is deprecated" \ + | grep 
-v "is not implemented" \ + | grep -v "is not recommended" \ + | grep -v "no longer exists" \ + | grep -v "is obsolete" >checkconf.out$n || ret=1 +diff good.zonelist checkconf.out$n >diff.out$n || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "key without the updated" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +grep "key without the updated" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a static root key generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi 
+$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a static root DS trust anchor generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a trusted-keys entry for root generates a warning ($n)" ret=0 -$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 -$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 -grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 +grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp errors ($n)" ret=0 -$CHECKCONF 
kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1 +grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" /dev/null || ret=1 +grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "update-check-ksk: cannot be configured if 
dnssec-policy is also set" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-nsec3-iter.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: nsec3 iterations value 151 out of range" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 3 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
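Review bot: The check-srv-cname case uses `grep "zone check-mx-cname/IN: loaded serial" ... && ret=1` as its negative check, which looks copied from the check-mx-cname case just above it; unless the zone in check-srv-cname-fail.conf is really named check-mx-cname (the file is not visible here), that `&& ret=1` can never fire and the case does not verify that the zone was rejected. The grep should name the zone actually declared in check-srv-cname-fail.conf. Elsewhere in this hunk the max-ttl case runs the identical `grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1` three times, and the label "check that check-mx fails as configured" is used for two different cases (one expecting `near '10.0.0.1': MX is an address`, the other `failed: MX is an address`); dropping the duplicate grep and giving the second case a distinct label would make failures in the test log unambiguous.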
@@ -536,26 +657,26 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp key errors ($n)" ret=0 -$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp signatures refresh errors ($n)" ret=0 -$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" /dev/null || ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 2 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi 
status=$((status + ret)) 
@@ -563,8 +684,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp key lifetime errors ($n)" ret=0 -$CHECKCONF kasp-bad-lifetime.conf > checkconf.out$n 2>&1 && ret=1 -lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" < checkconf.out$n | wc -l) || ret=1 +$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1 +lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp warns about weird policies ($n)" ret=0 -$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" /dev/null || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" /dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" /dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with ZSK 
role" /dev/null || ret=1 +grep "dnssec-policy: key lifetime is shorter than 30 days" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 5 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -594,16 +715,16 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 -$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf prints a known good kasp config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in [ -s good-kasp.conf.in ] || ret=1 -$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1 +$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1 cmp good-kasp.conf.in good-kasp.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
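Review bot: In the kasp-warning case `grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role"` is run twice while the line count is then asserted to be exactly 5; if the intent was one grep per expected warning, the second copy is presumably meant to check a different message (the KSK-role counterpart for algorithm 8 would be my guess, but please confirm against kasp-warning.conf), otherwise it should simply be dropped. The `[ $lines -ne 5 ]` guard will still catch a missing warning, but it cannot say which one. In the key-lifetime case of the same hunk, `lines=$(grep ... | wc -l) || ret=1` only reacts to the exit status of `wc`, so the `|| ret=1` never fires on a grep miss; `grep -c`, whose status is 1 on zero matches, would make that guard meaningful. The new side of that line is not fully legible in this extract, so verify against the file.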
@@ -611,53 +732,71 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" ret=0 -$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "exceeds 100%" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that *-source options with specified port generate warnings ($n)" ret=0 -$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)" ret=0 -$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-kasp-max-zone-ttl.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'max-zone-ttl' is ignored when used 
together with 'dnssec-policy'" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check obsolete options generate warnings ($n)" ret=0 -$CHECKCONF warn-random-device.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'random-device' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-random-device.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'random-device' is obsolete and should be removed" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that 'check-wildcard yes;' warns as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) echo_i "exit status: $status" 
diff --git a/bin/tests/system/checkds/ns1/setup.sh b/bin/tests/system/checkds/ns1/setup.sh index 537fb42..92e7442 100644 --- a/bin/tests/system/checkds/ns1/setup.sh +++ b/bin/tests/system/checkds/ns1/setup.sh @@ -31,16 +31,16 @@ cp "$zsk.key" "../ns10/" cp "$ksk.private" "../ns10/" cp "$zsk.private" "../ns10/" -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 ( - cd ../ns10 - cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" - "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 + cd ../ns10 + cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" + "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 ) # Configure the resolving server with a static key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns8/trusted.conf diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in index 48e675c..2698082 100644 --- a/bin/tests/system/checkds/ns2/named.conf.in +++ b/bin/tests/system/checkds/ns2/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh index 3701948..6327a3d 100644 --- a/bin/tests/system/checkds/ns2/setup.sh +++ b/bin/tests/system/checkds/ns2/setup.sh 
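Review bot: In ns1/setup.sh both `"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1` invocations discard the signer's diagnostics and, unless the script runs under `set -e` (not visible in this hunk), its exit status too, so a signing failure leaves an unsigned or stale zone and the test only fails later with a less obvious symptom. The sibling ns2/setup.sh in this same diff keeps the output with `>signer.out.$zone 2>&1`; doing the same here, e.g. `"$SIGNER" -g -o "$zone" "$zonefile" >signer.out.$zone 2>&1 || exit 1`, would preserve the log and stop early. The `cd ../ns10` inside the subshell is likewise unchecked, so `cd ../ns10 || exit 1` would prevent the ns10 copy from being overwritten into ns1 if the directory is missing. The enclosing script continues outside this hunk.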
@@ -17,20 +17,19 @@ echo_i "ns2/setup.sh" for subdomain in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished \ - resolver-dspublished \ - dswithdrawn missing-dswithdrawn bad-dswithdrawn \ - multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \ - resolver-dswithdrawn -do - cp "../ns9/dsset-$subdomain.checkds." . + multiple-dspublished incomplete-dspublished bad2-dspublished \ + resolver-dspublished \ + dswithdrawn missing-dswithdrawn bad-dswithdrawn \ + multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \ + resolver-dswithdrawn; do + cp "../ns9/dsset-$subdomain.checkds." . done zone="checkds" infile="checkds.db.infile" zonefile="checkds.db" -CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1 +CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1 diff --git a/bin/tests/system/checkds/ns3/named.conf.in b/bin/tests/system/checkds/ns3/named.conf.in index 54bfc99..3d54e11 100644 --- a/bin/tests/system/checkds/ns3/named.conf.in +++ b/bin/tests/system/checkds/ns3/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in index b7226fe..227b562 100644 --- a/bin/tests/system/checkds/ns5/named.conf.in +++ b/bin/tests/system/checkds/ns5/named.conf.in 
@@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh index 79d7b71..9f569c7 100644 --- a/bin/tests/system/checkds/ns5/setup.sh +++ b/bin/tests/system/checkds/ns5/setup.sh @@ -20,7 +20,7 @@ zone="checkds" infile="checkds.db.infile" zonefile="checkds.db" -CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1 +CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1 diff --git a/bin/tests/system/checkds/ns6/named.conf.in b/bin/tests/system/checkds/ns6/named.conf.in index cc226fb..814caca 100644 --- a/bin/tests/system/checkds/ns6/named.conf.in +++ b/bin/tests/system/checkds/ns6/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "foo" { diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in index 57460c8..f4a3524 100644 --- a/bin/tests/system/checkds/ns7/named.conf.in +++ b/bin/tests/system/checkds/ns7/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index 74a5130..b964e8c 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in 
@@ -41,7 +41,7 @@ parental-agents "ns2" port @PORT@ { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; /* diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index e4d1586..5641e24 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh @@ -17,11 +17,11 @@ echo_i "ns9/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - echo "$zone" >> zones + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones } # Short environment variable names for key states and times. 
@@ -34,30 +34,28 @@ Y="now-1y" # DS Publication. for zn in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $T -P sync $T -A $T" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $T -P sync $T -A $T" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done # DS Withdrawal. 
for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \ - incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $Y -P sync $Y -A $Y" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $Y -P sync $Y -A $Y" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh index 828b2e6..848f0c8 100644 --- a/bin/tests/system/checkds/setup.sh +++ b/bin/tests/system/checkds/setup.sh @@ -31,18 +31,18 @@ copy_setports ns10/named.conf.in ns10/named.conf # Setup zones ( - cd ns9 - $SHELL setup.sh + cd ns9 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) ( - cd ns1 - $SHELL setup.sh + cd ns1 + $SHELL setup.sh ) diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh index 47ba801..143727b 100644 --- a/bin/tests/system/checknames/tests.sh +++ b/bin/tests/system/checknames/tests.sh 
@@ -20,18 +20,18 @@ n=1 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -wait_for_record () { - $DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1 - grep NOERROR "$4" > /dev/null || return 1 - return 0 +wait_for_record() { + $DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1 + grep NOERROR "$4" >/dev/null || return 1 + return 0 } # Entry should exist. echo_i "check for failure from on zone load for 'check-names fail;' ($n)" ret=0 -$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1 -grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1 +grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -39,7 +39,7 @@ n=$((n + 1)) # Entry should exist. echo_i "check for warnings from on zone load for 'check-names warn;' ($n)" ret=0 -grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -55,10 +55,10 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response warn;' works ($n)" ret=0 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1 +grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -66,11 +66,11 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response (owner) fails;' works ($n)" ret=0 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -78,11 +78,11 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response (rdata) fails;' works ($n)" ret=0 -$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -90,31 +90,31 @@ n=$((n + 1)) echo_i "check that updates to 'check-names fail;' are rejected ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || not=0 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || not=0 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.fail.update. 600 A 10.10.10.1 send END if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)" ret=0 -$NSUPDATE -d < nsupdate.out.test$n 2>&1|| ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.warn.update. 600 A 10.10.10.1 send END -$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -122,16 +122,16 @@ n=$((n + 1)) echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0 +grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -139,16 +139,16 @@ n=$((n + 1)) echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.4 ${PORT} update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -156,26 +156,26 @@ n=$((n + 1)) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.5 ${PORT} update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1 -grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1 +grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)" ret=0 # takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary) # and the zone is still loading when we get to this point. retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1 -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -183,10 +183,10 @@ n=$((n + 1)) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1 -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh index 4518c56..a48aa59 100644 --- a/bin/tests/system/checkzone/setup.sh +++ b/bin/tests/system/checkzone/setup.sh @@ -16,6 +16,6 @@ ln -s $CHECKZONE named-compilezone ./named-compilezone -D -F raw -o good1.db.raw example \ - zones/good1.db > /dev/null 2>&1 + zones/good1.db >/dev/null 2>&1 copy_setports zones/bad-tsig.db.in zones/bad-tsig.db diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index 169e411..ab15260 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh 
@@ -18,121 +18,119 @@ set -e status=0 n=1 -for db in zones/good*.db -do - echo_i "checking $db ($n)" - ret=0 - case $db in - zones/good-gc-msdcs.db|zones/good-spf-exception.db) - $CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - zones/good-dns-sd-reverse.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1 - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - esac - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/good*.db; do + echo_i "checking $db ($n)" + ret=0 + case $db in + zones/good-gc-msdcs.db | zones/good-spf-exception.db) + $CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + zones/good-dns-sd-reverse.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1 + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + esac + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for db in zones/bad*.db -do - echo_i "checking $db ($n)" - ret=0 v=0 - case $db in - zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$? - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$? - ;; - esac - test $v = 1 || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/bad*.db; do + echo_i "checking $db ($n)" + ret=0 v=0 + case $db in + zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$? + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$? 
+ ;; + esac + test $v = 1 || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking with journal file ($n)" ret=0 -$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1 -$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1 jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l) [ $jlines = 3 ] || ret=1 -$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out1.db || ret=1 mv -f test.orig.db.jnl test.journal -$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out2.db || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with spf warnings ($n)" ret=0 -$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1 -$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1 -grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1 -grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1 +$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1 +grep "'x.example' found type SPF" 
test.out1.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1 +grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1 +grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (text) ($n)" ret=0 -$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (raw) ($n)" ret=0 -$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)" ret=0 -$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)" ret=0 -$CHECKZONE 
example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)" ret=0 -$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that raw zone with bad class is handled ($n)" ret=0 -$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1 +$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1 grep "failed: bad class" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" ret=0 
@@ -159,56 +157,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 -$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 +$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 -$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 +$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named-compilezone works when reading input from stdin ($n)" ret=0 # Step 1: take raw input from stdin and convert it to text/relative format. # Last argument "-" is optional, but it says more explicitly that we're reading from stdin. cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \ - -o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1 -status=$((status+ret)) + -o zones/zone1_stdin.txt zone1.com - >/dev/null || ret=1 +status=$((status + ret)) ret=0 # Step 2: take raw input from file and convert it to text format. 
./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \ - zone1.com zones/zone1.db > /dev/null || ret=1 -status=$((status+ret)) + zone1.com zones/zone1.db >/dev/null || ret=1 +status=$((status + ret)) ret=0 # Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file. diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "checking integer overflow is prevented in \$GENERATE ($n)" -$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1 +$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1 lines=$(grep -c CNAME test.out.$n) echo $lines [ "$lines" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh index afc405d..19eb054 100644 --- a/bin/tests/system/ckdnsrps.sh +++ b/bin/tests/system/ckdnsrps.sh @@ -18,7 +18,6 @@ set -e # Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf # and differ from dnsrpz.conf which is used by dnsrpzd. - . ../conf.sh DNSRPS_CMD=../rpz/dnsrps 
@@ -29,57 +28,64 @@ MCONF=dnsrps.conf SCONF=dnsrps-secondary.conf USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]" while getopts "xADM:S:" c; do - case $c in - x) set -x; DEBUG=-x;; - A) AS_NS=yes;; - D) TEST_DNSRPS=yes;; - M) MCONF="$OPTARG";; - S) SCONF="$OPTARG";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + A) AS_NS=yes ;; + D) TEST_DNSRPS=yes ;; + M) MCONF="$OPTARG" ;; + S) SCONF="$OPTARG" ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $(expr $OPTIND - 1 || true) if [ "$#" -ne 0 ]; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # erase any existing conf files -cat /dev/null > $MCONF -cat /dev/null > $SCONF +cat /dev/null >$MCONF +cat /dev/null >$SCONF -add_conf () { - echo "$*" >>$MCONF - echo "$*" >>$SCONF +add_conf() { + echo "$*" >>$MCONF + echo "$*" >>$SCONF } if ! $FEATURETEST --enable-dnsrps; then - if [ -n "$TEST_DNSRPS" ]; then - add_conf "## DNSRPS disabled at compile time" - fi - add_conf "#skip" - exit 0 + if [ -n "$TEST_DNSRPS" ]; then + add_conf "## DNSRPS disabled at compile time" + fi + add_conf "#skip" + exit 0 fi if [ -z "$TEST_DNSRPS" ]; then - add_conf "## testing with native RPZ" - add_conf '#skip' - exit 0 + add_conf "## testing with native RPZ" + add_conf '#skip' + exit 0 else - add_conf "## testing with DNSRPS" + add_conf "## testing with DNSRPS" fi if [ ! -x "$DNSRPS_CMD" ]; then - add_conf "## make $DNSRPS_CMD to test DNSRPS" - add_conf '#skip' - exit 0 + add_conf "## make $DNSRPS_CMD to test DNSRPS" + add_conf '#skip' + exit 0 fi -if $DNSRPS_CMD -a >/dev/null; then : +if $DNSRPS_CMD -a >/dev/null; then + : else - add_conf "## DNSRPS provider library is not available" - add_conf '#skip' - exit 0 + add_conf "## DNSRPS provider library is not available" + add_conf '#skip' + exit 0 fi CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf 
@@ -90,7 +96,7 @@ CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf PRIMARY="$CMN" if [ -n "$AS_NS" ]; then - PRIMARY="$PRIMARY + PRIMARY="$PRIMARY qname-as-ns yes ip-as-ns yes" fi @@ -106,7 +112,6 @@ $CMN dnsrpzd '' }; # do not start dnsrpzd EOF - # DNSRPS is available. # The test should fail if the license is bad. add_conf "dnsrps-enable yes;" 
@@ -117,49 +122,49 @@ ALT_L=alt-dnsrpzd-license.conf # try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist [ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf if [ -s $ALT_L ]; then - SRC_L=$ALT_L - USE_ALT= + SRC_L=$ALT_L + USE_ALT= else - SRC_L=../rpz/dnsrpzd-license.conf - USE_ALT="## consider installing alt-dnsrpzd-license.conf" + SRC_L=../rpz/dnsrpzd-license.conf + USE_ALT="## consider installing alt-dnsrpzd-license.conf" fi cp $SRC_L $CUR_L # parse $CUR_L for the license zone name, primary IP addresses, and optional # transfer-source IP addresses -eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ - -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ - -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ - -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - $CUR_L` +eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \ + -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ + -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ + -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + $CUR_L) if [ -z "$NAME" ]; then - add_conf "## no DNSRPS tests; no license domain name in $SRC_L" - add_conf '#fail' - exit 0 + add_conf "## no DNSRPS tests; no license domain name in $SRC_L" + add_conf '#fail' + exit 0 fi if [ -z "$IPV4" ]; then - IPV4=license1.fastrpz.com - TS4= + IPV4=license1.fastrpz.com + TS4= fi if [ -z "$IPV6" ]; then - IPV6=license1.fastrpz.com - TS6= + IPV6=license1.fastrpz.com + TS6= fi # This TSIG key is common and NOT a secret 
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' # Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems -if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 +if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 fi -if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 +if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 fi add_conf "## DNSRPS lacks a valid license via $SRC_L" diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh index 79a8434..a7e48ad 100644 --- a/bin/tests/system/cleanall.sh +++ b/bin/tests/system/cleanall.sh @@ -17,20 +17,17 @@ . ./conf.sh - find . -type f \( \ - -name '*~' -o -name 'core' -o -name '*.core' \ - -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ - -o -name named.run -o -name ans.run \ - -o -name '*-valgrind-*.log' \) -print | xargs rm -f + -name '*~' -o -name 'core' -o -name '*.core' \ + -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ + -o -name named.run -o -name ans.run \) -print | xargs rm -f status=0 rm -f ../random.data -for d in $SUBDIRS -do - test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh ) - rm -f test.output.$d - test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null +for d in $SUBDIRS; do + test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh) + rm -f test.output.$d + test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null done diff --git a/bin/tests/system/common/controls.conf.in b/bin/tests/system/common/controls.conf.in deleted file mode 100644 index 1db9286..0000000 --- a/bin/tests/system/common/controls.conf.in +++ /dev/null 
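Review bot: The new `if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 | grep -i "^$NAME.*TXT" >/dev/null); then` (and its -6 twin) keeps the substitution wrapper the backticks had, but the wrapper adds nothing: grep's stdout goes to /dev/null, so the `$(...)` expands to an empty command and the test passes only because the shell falls back to the substitution's status for an empty command line. Dropping the wrapper says the same thing directly: `if $DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 | grep -i "^$NAME.*TXT" >/dev/null; then`. Earlier in the hunk, `eval $(sed -n ...)` assigns NAME/IPV4/IPV6/TS4/TS6 from whatever is in the license file, and the only thing keeping that eval bounded is that every capture group is restricted to a narrow character class (`[-a-z0-9]`, `[0-9.]`, `[0-9a-f:]`); that invariant deserves a comment above the eval, e.g. `# eval is only safe because each sed capture is limited to a narrow character class; keep it that way when editing the patterns.`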
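Review bot: The reformatted find expression at the top of the hunk still ends in `-print | xargs rm -f`, so a path containing whitespace or a newline is split into separate arguments for rm; since the pipeline is being rewritten anyway, `-print0 | xargs -0 rm -f --` or `-exec rm -f -- {} +` removes that edge case at no cost. Dropping the `-o -name '*-valgrind-*.log'` clause appears safe because `'*.log'` already matches those names, but a one-line comment stating that would save the next reader from re-deriving it. The rest of the hunk is whitespace only.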
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
deleted file mode 100644
index b887ec3..0000000
--- a/bin/tests/system/common/rndc.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- default-key "rndc_key";
-};
-
-key rndc_key {
- algorithm hmac-sha256;
- secret "1234abcd8765";
-};
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
deleted file mode 100644
index 3ef41c3..0000000
--- a/bin/tests/system/common/rndc.key
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/common/root.hint
deleted file mode 100644
index e0f186c..0000000
--- a/bin/tests/system/common/root.hint
+++ /dev/null
@@ -1,14 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-$TTL 999999
-. IN NS a.root-servers.nil.
-a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index 90059dd..d2fc635 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -296,7 +296,7 @@ send() {
eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")"
# Default HMAC algorithm.
-# also update common/rndc.conf and common/rndc.key when updating DEFAULT_HMAC
+# also update _common/rndc.conf and _common/rndc.key when updating DEFAULT_HMAC
export DEFAULT_HMAC=hmac-sha256
#
@@ -609,12 +609,12 @@ _times() {
}
rndc_reload() {
- $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
+ $RNDC -c ../_common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
# reloading single zone is synchronous, if we're reloading whole server
# we need to wait for reload to finish
if [ -z "$3" ]; then
for _ in $(_times 10); do
- $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
+ $RNDC -c ../_common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
sleep 1
done
fi
@@ -622,9 +622,9 @@ rndc_reload() {
rndc_reconfig() {
seconds=${3:-10}
- $RNDC -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
+ $RNDC -c ../_common/rndc.conf -s "$2" -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
for _ in $(_times "$seconds"); do
- "$RNDC" -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" status | grep "reload/reconfig in progress" > /dev/null || break
+ "$RNDC" -c ../_common/rndc.conf -s "$2" -p "${CONTROLPORT}" status | grep "reload/reconfig in progress" > /dev/null || break
sleep 1
done
}
@@ -636,7 +636,7 @@ rndc_reconfig() {
# arguments, if any, are appended to the rndc command line after "dumpdb".
#
# Control channel configuration for the name server instance to send the
-# command to must match the contents of bin/tests/system/common/rndc.conf.
+# command to must match the contents of bin/tests/system/_common/rndc.conf.
#
# rndc output is stored in a file called rndc.out.test${n}; the "n" variable is
# required to be set by the calling tests.sh script.
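Review bot: The rewritten rndc_reload lines still leave `$2` and `${CONTROLPORT}` unquoted (`-s $2 -p ${CONTROLPORT}` on both the `reload` and the `status` invocation), while the rndc_reconfig hunk directly below quotes the same arguments as `"$2"` and `"${CONTROLPORT}"`; since these lines are being touched for the path rename anyway, aligning them is cheap: `$RNDC -c ../_common/rndc.conf -s "$2" -p "${CONTROLPORT}" reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'` and likewise on the `status` line. `$3` should stay unquoted (or become `${3:+"$3"}`), because an empty `$3` is the whole-server reload that the `[ -z "$3" ]` check further down relies on, and quoting it would pass an empty zone name to rndc. The closing brace of rndc_reload lies outside this hunk.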
@@ -651,7 +651,7 @@ rndc_dumpdb() {
__ip="10.53.0.$(echo "${__server}" | tr -c -d "0-9")"
shift
- ${RNDC} -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1
+ ${RNDC} -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1
for _ in 0 1 2 3 4 5 6 7 8 9
do
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 1a2fe73..3608f7f 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -27,12 +27,12 @@ export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname
export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds
export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf
export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone
-if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
- export DELV=$TOP_BUILDDIR/bin/delv/delv
- export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
+if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
+ export DELV=$TOP_BUILDDIR/bin/delv/delv
+ export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
else
- export DELV=:
- export RESOLVE=:
+ export DELV=:
+ export RESOLVE=:
fi
export DIG=$TOP_BUILDDIR/bin/dig/dig
export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read
@@ -88,13 +88,13 @@ export PYTEST=@PYTEST@
#
export PERL=$(command -v "@PERL@" || true)
if ! test -x "$PERL"; then
- echo "Perl interpreter is required for system tests."
- exit 77
+ echo "Perl interpreter is required for system tests."
+ exit 77
fi
export PYTHON=$(command -v "@PYTHON@" || true)
if ! test -x "$PYTHON"; then
- echo "Python interpreter is required for system tests."
- exit 77
+ echo "Python interpreter is required for system tests."
+ exit 77
fi
# Load common values
diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py
index 50510a0..034b2c8 100644
--- a/bin/tests/system/conftest.py
+++ b/bin/tests/system/conftest.py
@@ -9,631 +9,642 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +from functools import partial import logging import os +from pathlib import Path +import re +import shutil +import subprocess +import tempfile +import time +from typing import Any, Dict, List, Optional + import pytest -# ======================= LEGACY=COMPATIBLE FIXTURES ========================= -# The following fixtures are designed to work with both pytest system test -# runner and the legacy system test framework. -# -# FUTURE: Rewrite the individual port fixtures to re-use the `ports` fixture. +pytest.register_assert_rewrite("isctest") + + +# Silence warnings caused by passing a pytest fixture to another fixture. +# pylint: disable=redefined-outer-name + + +# ----------------- Older pytest / xdist compatibility ------------------- +# As of 2023-01-11, the minimal supported pytest / xdist versions are +# determined by what is available in EL8/EPEL8: +# - pytest 3.4.2 +# - pytest-xdist 1.24.1 +_pytest_ver = pytest.__version__.split(".") +_pytest_major_ver = int(_pytest_ver[0]) +if _pytest_major_ver < 7: + # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0 + # for older versions, use regular dictionary with string keys instead + FIXTURE_OK = "fixture_ok" # type: Any +else: + FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member + +# ----------------------- Globals definition ----------------------------- + +LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s" +XDIST_WORKER = os.environ.get("PYTEST_XDIST_WORKER", "") +FILE_DIR = os.path.abspath(Path(__file__).parent) +ENV_RE = re.compile(b"([^=]+)=(.*)") +PORT_MIN = 5001 +PORT_MAX = 32767 +PORTS_PER_TEST = 20 +PRIORITY_TESTS = [ + # Tests that are scheduled first. Speeds up parallel execution. 
+ "dupsigs/", + "rpz/", + "rpzrecurse/", + "serve-stale/", + "timeouts/", + "upforwd/", +] +PRIORITY_TESTS_RE = re.compile("|".join(PRIORITY_TESTS)) +CONFTEST_LOGGER = logging.getLogger("conftest") +SYSTEM_TEST_DIR_GIT_PATH = "bin/tests/system" +SYSTEM_TEST_NAME_RE = re.compile(f"{SYSTEM_TEST_DIR_GIT_PATH}" + r"/([^/]+)") +SYMLINK_REPLACEMENT_RE = re.compile(r"/tests(_.*)\.py") + +# ---------------------- Module initialization --------------------------- + + +def init_pytest_conftest_logger(conftest_logger): + """ + This initializes the conftest logger which is used for pytest setup + and configuration before tests are executed -- aka any logging in this + file that is _not_ module-specific. + """ + conftest_logger.setLevel(logging.DEBUG) + file_handler = logging.FileHandler("pytest.conftest.log.txt") + file_handler.setLevel(logging.DEBUG) + file_handler.setFormatter(logging.Formatter(LOG_FORMAT)) + conftest_logger.addHandler(file_handler) + + +init_pytest_conftest_logger(CONFTEST_LOGGER) + + +def avoid_duplicated_logs(): + """ + Remove direct root logger output to file descriptors. + This default is causing duplicates because all our messages go through + regular logging as well and are thus displayed twice. 
+ """ + todel = [] + for handler in logging.root.handlers: + if handler.__class__ == logging.StreamHandler: + # Beware: As for pytest 7.2.2, LiveLogging and LogCapture + # handlers inherit from logging.StreamHandler + todel.append(handler) + for handler in todel: + logging.root.handlers.remove(handler) + + +def parse_env(env_bytes): + """Parse the POSIX env format into Python dictionary.""" + out = {} + for line in env_bytes.splitlines(): + match = ENV_RE.match(line) + if match: + # EL8+ workaround for https://access.redhat.com/solutions/6994985 + # FUTURE: can be removed when we no longer need to parse env vars + if match.groups()[0] in [b"which_declare", b"BASH_FUNC_which%%"]: + continue + out[match.groups()[0]] = match.groups()[1] + return out + + +def get_env_bytes(cmd): + try: + proc = subprocess.run( + [cmd], + shell=True, + check=True, + cwd=FILE_DIR, + stdout=subprocess.PIPE, + ) + except subprocess.CalledProcessError as exc: + CONFTEST_LOGGER.error("failed to get shell env: %s", exc) + raise exc + env_bytes = proc.stdout + return parse_env(env_bytes) + + +# Read common environment variables for running tests from conf.sh. +# FUTURE: Remove conf.sh entirely and define all variables in pytest only. +CONF_ENV = get_env_bytes(". ./conf.sh && env") +os.environb.update(CONF_ENV) +CONFTEST_LOGGER.debug("variables in env: %s", ", ".join([str(key) for key in CONF_ENV])) + +# --------------------------- pytest hooks ------------------------------- + + +def pytest_addoption(parser): + parser.addoption( + "--noclean", + action="store_true", + default=False, + help="don't remove the temporary test directories with artifacts", + ) + + +def pytest_configure(config): + # Ensure this hook only runs on the main pytest instance if xdist is + # used to spawn other workers. 
+ if not XDIST_WORKER: + if config.pluginmanager.has_plugin("xdist") and config.option.numprocesses: + # system tests depend on module scope for setup & teardown + # enforce use "loadscope" scheduler or disable paralelism + try: + import xdist.scheduler.loadscope # pylint: disable=unused-import + except ImportError: + CONFTEST_LOGGER.debug( + "xdist is too old and does not have " + "scheduler.loadscope, disabling parallelism" + ) + config.option.dist = "no" + else: + config.option.dist = "loadscope" + + +def pytest_ignore_collect(path): + # System tests are executed in temporary directories inside + # bin/tests/system. These temporary directories contain all files + # needed for the system tests - including tests_*.py files. Make sure to + # ignore these during test collection phase. Otherwise, test artifacts + # from previous runs could mess with the runner. Also ignore the + # convenience symlinks to those test directories. In both of those + # cases, the system test name (directory) contains an underscore, which + # is otherwise and invalid character for a system test name. 
+ match = SYSTEM_TEST_NAME_RE.search(str(path)) + if match is None: + CONFTEST_LOGGER.warning("unexpected test path: %s (ignored)", path) + return True + system_test_name = match.groups()[0] + return "_" in system_test_name + + +def pytest_collection_modifyitems(items): + """Schedule long-running tests first to get more benefit from parallelism.""" + priority = [] + other = [] + for item in items: + if PRIORITY_TESTS_RE.search(item.nodeid): + priority.append(item) + else: + other.append(item) + items[:] = priority + other + + +class NodeResult: + def __init__(self, report=None): + self.outcome = None + self.messages = [] + if report is not None: + self.update(report) + + def update(self, report): + if self.outcome is None or report.outcome != "passed": + self.outcome = report.outcome + if report.longreprtext: + self.messages.append(report.longreprtext) + + +@pytest.hookimpl(tryfirst=True, hookwrapper=True) +def pytest_runtest_makereport(item): + """Hook that is used to expose test results to session (for use in fixtures).""" + # execute all other hooks to obtain the report object + outcome = yield + report = outcome.get_result() + + # Set the test outcome in session, so we can access it from module-level + # fixture using nodeid. Note that this hook is called three times: for + # setup, call and teardown. We only care about the overall result so we + # merge the results together and preserve the information whether a test + # passed. + test_results = {} + try: + test_results = getattr(item.session, "test_results") + except AttributeError: + setattr(item.session, "test_results", test_results) + node_result = test_results.setdefault(item.nodeid, NodeResult()) + node_result.update(report) + + +# --------------------------- Fixtures ----------------------------------- + + +@pytest.fixture(scope="session") +def modules(): + """ + Sorted list of ALL modules. + + The list includes even test modules that are not tested in the current + session. 
It is used to determine port distribution. Using a complete + list of all possible test modules allows independent concurrent pytest + invocations. + """ + mods = [] + for dirpath, _dirs, files in os.walk(FILE_DIR): + for file in files: + if file.startswith("tests_") and file.endswith(".py"): + mod = f"{dirpath}/{file}" + if not pytest_ignore_collect(mod): + mods.append(mod) + return sorted(mods) + + +@pytest.fixture(scope="session") +def module_base_ports(modules): + """ + Dictionary containing assigned base port for every module. + + The port numbers are deterministically assigned before any testing + starts. This fixture MUST return the same value when called again + during the same test session. When running tests in parallel, this is + exactly what happens - every worker thread will call this fixture to + determine test ports. + """ + port_min = PORT_MIN + port_max = PORT_MAX - len(modules) * PORTS_PER_TEST + if port_max < port_min: + raise RuntimeError("not enough ports to assign unique port set to each module") + + # Rotate the base port value over time to detect possible test issues + # with using random ports. This introduces a very slight race condition + # risk. If this value changes between pytest invocation and spawning + # worker threads, multiple tests may have same port values assigned. If + # these tests are then executed simultaneously, the test results will + # be misleading. 
+ base_port = int(time.time() // 3600) % (port_max - port_min) + port_min + + return {mod: base_port + i * PORTS_PER_TEST for i, mod in enumerate(modules)} @pytest.fixture(scope="module") -def named_port(): - return int(os.environ.get("PORT", default=5300)) +def base_port(request, module_base_ports): + """Start of the port range assigned to a particular test module.""" + port = module_base_ports[request.fspath] + return port @pytest.fixture(scope="module") -def named_tlsport(): - return int(os.environ.get("TLSPORT", default=8853)) +def ports(base_port): + """Dictionary containing port names and their assigned values.""" + return { + "PORT": base_port, + "TLSPORT": base_port + 1, + "HTTPPORT": base_port + 2, + "HTTPSPORT": base_port + 3, + "EXTRAPORT1": base_port + 4, + "EXTRAPORT2": base_port + 5, + "EXTRAPORT3": base_port + 6, + "EXTRAPORT4": base_port + 7, + "EXTRAPORT5": base_port + 8, + "EXTRAPORT6": base_port + 9, + "EXTRAPORT7": base_port + 10, + "EXTRAPORT8": base_port + 11, + "CONTROLPORT": base_port + 12, + } @pytest.fixture(scope="module") -def named_httpsport(): - return int(os.environ.get("HTTPSPORT", default=4443)) +def named_port(ports): + return ports["PORT"] @pytest.fixture(scope="module") -def control_port(): - return int(os.environ.get("CONTROLPORT", default=9953)) +def named_tlsport(ports): + return ports["TLSPORT"] -if os.getenv("LEGACY_TEST_RUNNER", "0") != "0": +@pytest.fixture(scope="module") +def named_httpsport(ports): + return ports["HTTPSPORT"] - @pytest.fixture - def logger(request): - """Logging facility specific to a particular test.""" - return logging.getLogger(request.node.name) -else: - # ======================= PYTEST SYSTEM TEST RUNNER ========================== - # From this point onward, any setting, fixtures or functions only apply to the - # new pytest runner. Ideally, these would be in a separate file. 
However, due - # to how pytest works and how it's used by the legacy runner, the best approach - # is to have everything in this file to avoid duplication and set the - # LEGACY_TEST_RUNNER if pytest is executed from the legacy framework. - # - # FUTURE: Once legacy runner is no longer supported, remove the env var and - # don't branch the code. - - from functools import partial - from pathlib import Path - import re - import shutil - import subprocess - import tempfile - import time - from typing import Any, Dict, List, Optional - - # Silence warnings caused by passing a pytest fixture to another fixture. - # pylint: disable=redefined-outer-name - - # ----------------- Older pytest / xdist compatibility ------------------- - # As of 2023-01-11, the minimal supported pytest / xdist versions are - # determined by what is available in EL8/EPEL8: - # - pytest 3.4.2 - # - pytest-xdist 1.24.1 - _pytest_ver = pytest.__version__.split(".") - _pytest_major_ver = int(_pytest_ver[0]) - if _pytest_major_ver < 7: - # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0 - # for older versions, use regular dictionary with string keys instead - FIXTURE_OK = "fixture_ok" # type: Any - else: - FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member - - # ----------------------- Globals definition ----------------------------- - - LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s" - XDIST_WORKER = os.environ.get("PYTEST_XDIST_WORKER", "") - FILE_DIR = os.path.abspath(Path(__file__).parent) - ENV_RE = re.compile(b"([^=]+)=(.*)") - PORT_MIN = 5001 - PORT_MAX = 32767 - PORTS_PER_TEST = 20 - PRIORITY_TESTS = [ - # Tests that are scheduled first. Speeds up parallel execution. 
- "dupsigs/", - "rpz/", - "rpzrecurse/", - "serve-stale/", - "timeouts/", - "upforwd/", - ] - PRIORITY_TESTS_RE = re.compile("|".join(PRIORITY_TESTS)) - CONFTEST_LOGGER = logging.getLogger("conftest") - SYSTEM_TEST_DIR_GIT_PATH = "bin/tests/system" - SYSTEM_TEST_NAME_RE = re.compile(f"{SYSTEM_TEST_DIR_GIT_PATH}" + r"/([^/]+)") - SYMLINK_REPLACEMENT_RE = re.compile(r"/tests(_sh(?=_))?(.*)\.py") - - # ---------------------- Module initialization --------------------------- - - def init_pytest_conftest_logger(conftest_logger): - """ - This initializes the conftest logger which is used for pytest setup - and configuration before tests are executed -- aka any logging in this - file that is _not_ module-specific. - """ - conftest_logger.setLevel(logging.DEBUG) - file_handler = logging.FileHandler("pytest.conftest.log.txt") - file_handler.setLevel(logging.DEBUG) - file_handler.setFormatter(logging.Formatter(LOG_FORMAT)) - conftest_logger.addHandler(file_handler) - - init_pytest_conftest_logger(CONFTEST_LOGGER) - - def avoid_duplicated_logs(): - """ - Remove direct root logger output to file descriptors. - This default is causing duplicates because all our messages go through - regular logging as well and are thus displayed twice. 
- """ - todel = [] - for handler in logging.root.handlers: - if handler.__class__ == logging.StreamHandler: - # Beware: As for pytest 7.2.2, LiveLogging and LogCapture - # handlers inherit from logging.StreamHandler - todel.append(handler) - for handler in todel: - logging.root.handlers.remove(handler) - - def parse_env(env_bytes): - """Parse the POSIX env format into Python dictionary.""" - out = {} - for line in env_bytes.splitlines(): - match = ENV_RE.match(line) - if match: - # EL8+ workaround for https://access.redhat.com/solutions/6994985 - # FUTURE: can be removed when we no longer need to parse env vars - if match.groups()[0] in [b"which_declare", b"BASH_FUNC_which%%"]: - continue - out[match.groups()[0]] = match.groups()[1] - return out - - def get_env_bytes(cmd): - try: - proc = subprocess.run( - [cmd], - shell=True, - check=True, - cwd=FILE_DIR, - stdout=subprocess.PIPE, - ) - except subprocess.CalledProcessError as exc: - CONFTEST_LOGGER.error("failed to get shell env: %s", exc) - raise exc - env_bytes = proc.stdout - return parse_env(env_bytes) - - # Read common environment variables for running tests from conf.sh. - # FUTURE: Remove conf.sh entirely and define all variables in pytest only. - CONF_ENV = get_env_bytes(". 
./conf.sh && env") - os.environb.update(CONF_ENV) - CONFTEST_LOGGER.debug( - "variables in env: %s", ", ".join([str(key) for key in CONF_ENV]) - ) +@pytest.fixture(scope="module") +def control_port(ports): + return ports["CONTROLPORT"] - # --------------------------- pytest hooks ------------------------------- - def pytest_addoption(parser): - parser.addoption( - "--noclean", - action="store_true", - default=False, - help="don't remove the temporary test directories with artifacts", - ) +@pytest.fixture(scope="module") +def env(ports): + """Dictionary containing environment variables for the test.""" + env = os.environ.copy() + for portname, portnum in ports.items(): + env[portname] = str(portnum) + env["builddir"] = f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + env["srcdir"] = f"{env['TOP_SRCDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + return env - def pytest_configure(config): - # Ensure this hook only runs on the main pytest instance if xdist is - # used to spawn other workers. - if not XDIST_WORKER: - if config.pluginmanager.has_plugin("xdist") and config.option.numprocesses: - # system tests depend on module scope for setup & teardown - # enforce use "loadscope" scheduler or disable paralelism - try: - import xdist.scheduler.loadscope # pylint: disable=unused-import - except ImportError: - CONFTEST_LOGGER.debug( - "xdist is too old and does not have " - "scheduler.loadscope, disabling parallelism" - ) - config.option.dist = "no" - else: - config.option.dist = "loadscope" - - def pytest_ignore_collect(path): - # System tests are executed in temporary directories inside - # bin/tests/system. These temporary directories contain all files - # needed for the system tests - including tests_*.py files. Make sure to - # ignore these during test collection phase. Otherwise, test artifacts - # from previous runs could mess with the runner. Also ignore the - # convenience symlinks to those test directories. 
In both of those - # cases, the system test name (directory) contains an underscore, which - # is otherwise and invalid character for a system test name. - match = SYSTEM_TEST_NAME_RE.search(str(path)) - if match is None: - CONFTEST_LOGGER.warning("unexpected test path: %s (ignored)", path) - return True - system_test_name = match.groups()[0] - return "_" in system_test_name - - def pytest_collection_modifyitems(items): - """Schedule long-running tests first to get more benefit from parallelism.""" - priority = [] - other = [] - for item in items: - if PRIORITY_TESTS_RE.search(item.nodeid): - priority.append(item) - else: - other.append(item) - items[:] = priority + other - - class NodeResult: - def __init__(self, report=None): - self.outcome = None - self.messages = [] - if report is not None: - self.update(report) - - def update(self, report): - if self.outcome is None or report.outcome != "passed": - self.outcome = report.outcome - if report.longreprtext: - self.messages.append(report.longreprtext) - - @pytest.hookimpl(tryfirst=True, hookwrapper=True) - def pytest_runtest_makereport(item): - """Hook that is used to expose test results to session (for use in fixtures).""" - # execute all other hooks to obtain the report object - outcome = yield - report = outcome.get_result() - - # Set the test outcome in session, so we can access it from module-level - # fixture using nodeid. Note that this hook is called three times: for - # setup, call and teardown. We only care about the overall result so we - # merge the results together and preserve the information whether a test - # passed. 
- test_results = {} + +@pytest.fixture(scope="module") +def system_test_name(request): + """Name of the system test directory.""" + path = Path(request.fspath) + return path.parent.name + + +@pytest.fixture(scope="module") +def mlogger(system_test_name): + """Logging facility specific to this test module.""" + avoid_duplicated_logs() + return logging.getLogger(system_test_name) + + +@pytest.fixture +def logger(request, system_test_name): + """Logging facility specific to a particular test.""" + return logging.getLogger(f"{system_test_name}.{request.node.name}") + + +@pytest.fixture(scope="module") +def system_test_dir( + request, env, system_test_name, mlogger +): # pylint: disable=too-many-statements,too-many-locals + """ + Temporary directory for executing the test. + + This fixture is responsible for creating (and potentially removing) a + copy of the system test directory which is used as a temporary + directory for the test execution. + + FUTURE: This removes the need to have clean.sh scripts. + """ + + def get_test_result(): + """Aggregate test results from all individual tests from this module + into a single result: failed > skipped > passed.""" try: - test_results = getattr(item.session, "test_results") + all_test_results = request.session.test_results except AttributeError: - setattr(item.session, "test_results", test_results) - node_result = test_results.setdefault(item.nodeid, NodeResult()) - node_result.update(report) - - # --------------------------- Fixtures ----------------------------------- - - @pytest.fixture(scope="session") - def modules(): - """Sorted list of all modules. 
Used to determine port distribution.""" - mods = [] - for dirpath, _dirs, files in os.walk(os.getcwd()): - for file in files: - if file.startswith("tests_") and file.endswith(".py"): - mod = f"{dirpath}/{file}" - mods.append(mod) - return sorted(mods) - - @pytest.fixture(scope="session") - def module_base_ports(modules): - """ - Dictionary containing assigned base port for every module. - - Note that this is a session-wide fixture. The port numbers are - deterministically assigned before any testing starts. This fixture MUST - return the same value when called again during the same test session. - When running tests in parallel, this is exactly what happens - every - worker thread will call this fixture to determine test ports. - """ - port_min = PORT_MIN - port_max = PORT_MAX - len(modules) * PORTS_PER_TEST - if port_max < port_min: - raise RuntimeError( - "not enough ports to assign unique port set to each module" + # This may happen if pytest execution is interrupted and + # pytest_runtest_makereport() is never called. 
+ mlogger.debug("can't obtain test results, test run was interrupted") + return "error" + test_results = { + node.nodeid: all_test_results[node.nodeid] + for node in request.node.collect() + if node.nodeid in all_test_results + } + assert len(test_results) + messages = [] + for node, result in test_results.items(): + mlogger.debug("%s %s", result.outcome.upper(), node) + messages.extend(result.messages) + for message in messages: + mlogger.debug("\n" + message) + failed = any(res.outcome == "failed" for res in test_results.values()) + skipped = any(res.outcome == "skipped" for res in test_results.values()) + if failed: + return "failed" + if skipped: + return "skipped" + assert all(res.outcome == "passed" for res in test_results.values()) + return "passed" + + def unlink(path): + try: + path.unlink() # missing_ok=True isn't available on Python 3.6 + except FileNotFoundError: + pass + + # Create a temporary directory with a copy of the original system test dir contents + system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}") + testdir = Path( + tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root) + ) + shutil.rmtree(testdir) + shutil.copytree(system_test_root / system_test_name, testdir) + + # Create a convenience symlink with a stable and predictable name + module_name = SYMLINK_REPLACEMENT_RE.sub(r"\1", request.node.name) + symlink_dst = system_test_root / module_name + unlink(symlink_dst) + symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root)) + + # Configure logger to write to a file inside the temporary test directory + mlogger.handlers.clear() + mlogger.setLevel(logging.DEBUG) + handler = logging.FileHandler(testdir / "pytest.log.txt", mode="w") + formatter = logging.Formatter(LOG_FORMAT) + handler.setFormatter(formatter) + mlogger.addHandler(handler) + + # System tests are meant to be executed from their directory - switch to it. 
+ old_cwd = os.getcwd() + os.chdir(testdir) + mlogger.debug("switching to tmpdir: %s", testdir) + try: + yield testdir # other fixtures / tests will execute here + finally: + os.chdir(old_cwd) + mlogger.debug("changed workdir to: %s", old_cwd) + + result = get_test_result() + + # Clean temporary dir unless it should be kept + keep = False + if request.config.getoption("--noclean"): + mlogger.debug( + "--noclean requested, keeping temporary directory %s", testdir ) + keep = True + elif result == "failed": + mlogger.debug( + "test failure detected, keeping temporary directory %s", testdir + ) + keep = True + elif not request.node.stash[FIXTURE_OK]: + mlogger.debug( + "test setup/teardown issue detected, keeping temporary directory %s", + testdir, + ) + keep = True - # Rotate the base port value over time to detect possible test issues - # with using random ports. This introduces a very slight race condition - # risk. If this value changes between pytest invocation and spawning - # worker threads, multiple tests may have same port values assigned. If - # these tests are then executed simultaneously, the test results will - # be misleading. 
- base_port = int(time.time() // 3600) % (port_max - port_min) + port_min - - return {mod: base_port + i * PORTS_PER_TEST for i, mod in enumerate(modules)} - - @pytest.fixture(scope="module") - def base_port(request, module_base_ports): - """Start of the port range assigned to a particular test module.""" - port = module_base_ports[request.fspath] - return port - - @pytest.fixture(scope="module") - def ports(base_port): - """Dictionary containing port names and their assigned values.""" - return { - "PORT": str(base_port), - "TLSPORT": str(base_port + 1), - "HTTPPORT": str(base_port + 2), - "HTTPSPORT": str(base_port + 3), - "EXTRAPORT1": str(base_port + 4), - "EXTRAPORT2": str(base_port + 5), - "EXTRAPORT3": str(base_port + 6), - "EXTRAPORT4": str(base_port + 7), - "EXTRAPORT5": str(base_port + 8), - "EXTRAPORT6": str(base_port + 9), - "EXTRAPORT7": str(base_port + 10), - "EXTRAPORT8": str(base_port + 11), - "CONTROLPORT": str(base_port + 12), - } + if keep: + mlogger.info( + "test artifacts in: %s", symlink_dst.relative_to(system_test_root) + ) + else: + mlogger.debug("deleting temporary directory") + handler.flush() + handler.close() + shutil.rmtree(testdir) + unlink(symlink_dst) + + +def _run_script( # pylint: disable=too-many-arguments + env, + mlogger, + system_test_dir: Path, + interpreter: str, + script: str, + args: Optional[List[str]] = None, +): + """Helper function for the shell / perl script invocations (through fixtures below).""" + if args is None: + args = [] + path = Path(script) + if not path.is_absolute(): + # make sure relative paths are always relative to system_dir + path = system_test_dir.parent / path + script = str(path) + cwd = os.getcwd() + if not path.exists(): + raise FileNotFoundError(f"script {script} not found in {cwd}") + mlogger.debug("running script: %s %s %s", interpreter, script, " ".join(args)) + mlogger.debug(" workdir: %s", cwd) + returncode = 1 + + cmd = [interpreter, script] + args + with subprocess.Popen( + cmd, + env=env, 
+ stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + bufsize=1, + universal_newlines=True, + errors="backslashreplace", + ) as proc: + if proc.stdout: + for line in proc.stdout: + mlogger.info(" %s", line.rstrip("\n")) + proc.communicate() + returncode = proc.returncode + if returncode: + raise subprocess.CalledProcessError(returncode, cmd) + mlogger.debug(" exited with %d", returncode) - @pytest.fixture(scope="module") - def env(ports): - """Dictionary containing environment variables for the test.""" - env = os.environ.copy() - env.update(ports) - env["builddir"] = f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" - env["srcdir"] = f"{env['TOP_SRCDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" - return env - - @pytest.fixture(scope="module") - def system_test_name(request): - """Name of the system test directory.""" - path = Path(request.fspath) - return path.parent.name - - @pytest.fixture(scope="module") - def mlogger(system_test_name): - """Logging facility specific to this test module.""" - avoid_duplicated_logs() - return logging.getLogger(system_test_name) - - @pytest.fixture - def logger(request, system_test_name): - """Logging facility specific to a particular test.""" - return logging.getLogger(f"{system_test_name}.{request.node.name}") - - @pytest.fixture(scope="module") - def system_test_dir( - request, env, system_test_name, mlogger - ): # pylint: disable=too-many-statements,too-many-locals - """ - Temporary directory for executing the test. - - This fixture is responsible for creating (and potentially removing) a - copy of the system test directory which is used as a temporary - directory for the test execution. - - FUTURE: This removes the need to have clean.sh scripts. 
- """ - - def get_test_result(): - """Aggregate test results from all individual tests from this module - into a single result: failed > skipped > passed.""" - try: - all_test_results = request.session.test_results - except AttributeError: - # This may happen if pytest execution is interrupted and - # pytest_runtest_makereport() is never called. - mlogger.debug("can't obtain test results, test run was interrupted") - return "error" - test_results = { - node.nodeid: all_test_results[node.nodeid] - for node in request.node.collect() - if node.nodeid in all_test_results - } - assert len(test_results) - messages = [] - for node, result in test_results.items(): - mlogger.debug("%s %s", result.outcome.upper(), node) - messages.extend(result.messages) - for message in messages: - mlogger.debug("\n" + message) - failed = any(res.outcome == "failed" for res in test_results.values()) - skipped = any(res.outcome == "skipped" for res in test_results.values()) - if failed: - return "failed" - if skipped: - return "skipped" - assert all(res.outcome == "passed" for res in test_results.values()) - return "passed" - - def unlink(path): - try: - path.unlink() # missing_ok=True isn't available on Python 3.6 - except FileNotFoundError: - pass - - # Create a temporary directory with a copy of the original system test dir contents - system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}") - testdir = Path( - tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root) - ) - shutil.rmtree(testdir) - shutil.copytree(system_test_root / system_test_name, testdir) - - # Create a convenience symlink with a stable and predictable name - module_name = SYMLINK_REPLACEMENT_RE.sub(r"\2", request.node.name) - symlink_dst = system_test_root / module_name - unlink(symlink_dst) - symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root)) - - # Configure logger to write to a file inside the temporary test directory - mlogger.handlers.clear() - 
mlogger.setLevel(logging.DEBUG) - handler = logging.FileHandler(testdir / "pytest.log.txt", mode="w") - formatter = logging.Formatter(LOG_FORMAT) - handler.setFormatter(formatter) - mlogger.addHandler(handler) - - # System tests are meant to be executed from their directory - switch to it. - old_cwd = os.getcwd() - os.chdir(testdir) - mlogger.debug("switching to tmpdir: %s", testdir) - try: - yield testdir # other fixtures / tests will execute here - finally: - os.chdir(old_cwd) - mlogger.debug("changed workdir to: %s", old_cwd) - - result = get_test_result() - - # Clean temporary dir unless it should be kept - keep = False - if request.config.getoption("--noclean"): - mlogger.debug( - "--noclean requested, keeping temporary directory %s", testdir - ) - keep = True - elif result == "failed": - mlogger.debug( - "test failure detected, keeping temporary directory %s", testdir - ) - keep = True - elif not request.node.stash[FIXTURE_OK]: - mlogger.debug( - "test setup/teardown issue detected, keeping temporary directory %s", - testdir, - ) - keep = True - if keep: - mlogger.info( - "test artifacts in: %s", symlink_dst.relative_to(system_test_root) - ) - else: - mlogger.debug("deleting temporary directory") - handler.flush() - handler.close() - shutil.rmtree(testdir) - unlink(symlink_dst) - - def _run_script( # pylint: disable=too-many-arguments - env, - mlogger, - system_test_dir: Path, - interpreter: str, - script: str, - args: Optional[List[str]] = None, - ): - """Helper function for the shell / perl script invocations (through fixtures below).""" - if args is None: - args = [] - path = Path(script) - if not path.is_absolute(): - # make sure relative paths are always relative to system_dir - path = system_test_dir.parent / path - script = str(path) - cwd = os.getcwd() - if not path.exists(): - raise FileNotFoundError(f"script {script} not found in {cwd}") - mlogger.debug("running script: %s %s %s", interpreter, script, " ".join(args)) - mlogger.debug(" workdir: %s", 
cwd) - returncode = 1 - - cmd = [interpreter, script] + args - with subprocess.Popen( - cmd, - env=env, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - bufsize=1, - universal_newlines=True, - errors="backslashreplace", - ) as proc: - if proc.stdout: - for line in proc.stdout: - mlogger.info(" %s", line.rstrip("\n")) - proc.communicate() - returncode = proc.returncode - if returncode: - raise subprocess.CalledProcessError(returncode, cmd) - mlogger.debug(" exited with %d", returncode) - - @pytest.fixture(scope="module") - def shell(env, system_test_dir, mlogger): - """Function to call a shell script with arguments.""" - return partial(_run_script, env, mlogger, system_test_dir, env["SHELL"]) - - @pytest.fixture(scope="module") - def perl(env, system_test_dir, mlogger): - """Function to call a perl script with arguments.""" - return partial(_run_script, env, mlogger, system_test_dir, env["PERL"]) - - @pytest.fixture(scope="module") - def run_tests_sh(system_test_dir, shell): - """Utility function to execute tests.sh as a python test.""" - - def run_tests(): - shell(f"{system_test_dir}/tests.sh") - - return run_tests - - @pytest.fixture(scope="module", autouse=True) - def system_test( # pylint: disable=too-many-arguments,too-many-statements - request, - env: Dict[str, str], - mlogger, - system_test_dir, - shell, - perl, - ): - """ - Driver of the test setup/teardown process. Used automatically for every test module. - - This is the most important one-fixture-to-rule-them-all. Note the - autouse=True which causes this fixture to be loaded by every test - module without the need to explicitly specify it. - - When this fixture is used, it utilizes other fixtures, such as - system_test_dir, which handles the creation of the temporary test - directory. - - Afterwards, it checks the test environment and takes care of starting - the servers. When everything is ready, that's when the actual tests are - executed. 
Once that is done, this fixture stops the servers and checks - for any artifacts indicating an issue (e.g. coredumps). - - Finally, when this fixture reaches an end (or encounters an exception, - which may be caused by fail/skip invocations), any fixtures which is - used by this one are finalized - e.g. system_test_dir performs final - checks and cleans up the temporary test directory. - """ - - def check_net_interfaces(): - try: - perl("testsock.pl", ["-p", env["PORT"]]) - except subprocess.CalledProcessError as exc: - mlogger.error("testsock.pl: exited with code %d", exc.returncode) - pytest.skip("Network interface aliases not set up.") +@pytest.fixture(scope="module") +def shell(env, system_test_dir, mlogger): + """Function to call a shell script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["SHELL"]) - def check_prerequisites(): - try: - shell(f"{system_test_dir}/prereq.sh") - except FileNotFoundError: - pass # prereq.sh is optional - except subprocess.CalledProcessError: - pytest.skip("Prerequisites missing.") - def setup_test(): - try: - shell(f"{system_test_dir}/setup.sh") - except FileNotFoundError: - pass # setup.sh is optional - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to run test setup") - pytest.fail(f"setup.sh exited with {exc.returncode}") - - def start_servers(): - try: - perl("start.pl", ["--port", env["PORT"], system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to start servers") - pytest.fail(f"start.pl exited with {exc.returncode}") +@pytest.fixture(scope="module") +def perl(env, system_test_dir, mlogger): + """Function to call a perl script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["PERL"]) - def stop_servers(): - try: - perl("stop.pl", [system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to stop servers") - get_core_dumps() - pytest.fail(f"stop.pl exited 
with {exc.returncode}") - def get_core_dumps(): - try: - shell("get_core_dumps.sh", [system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Found core dumps or sanitizer reports") - pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}") - - os.environ.update(env) # Ensure pytests have the same env vars as shell tests. - mlogger.info(f"test started: {request.node.name}") - port = int(env["PORT"]) - mlogger.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1) - - if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0 - request.node.stash = {} # use regular dict instead of pytest.Stash - request.node.stash[FIXTURE_OK] = True +@pytest.fixture(scope="module") +def run_tests_sh(system_test_dir, shell): + """Utility function to execute tests.sh as a python test.""" + + def run_tests(): + shell(f"{system_test_dir}/tests.sh") + + return run_tests + + +@pytest.fixture(scope="module", autouse=True) +def system_test( # pylint: disable=too-many-arguments,too-many-statements + request, + env: Dict[str, str], + mlogger, + system_test_dir, + shell, + perl, +): + """ + Driver of the test setup/teardown process. Used automatically for every test module. + + This is the most important one-fixture-to-rule-them-all. Note the + autouse=True which causes this fixture to be loaded by every test + module without the need to explicitly specify it. + + When this fixture is used, it utilizes other fixtures, such as + system_test_dir, which handles the creation of the temporary test + directory. + + Afterwards, it checks the test environment and takes care of starting + the servers. When everything is ready, that's when the actual tests are + executed. Once that is done, this fixture stops the servers and checks + for any artifacts indicating an issue (e.g. coredumps). 
+ + Finally, when this fixture reaches an end (or encounters an exception, + which may be caused by fail/skip invocations), any fixtures which is + used by this one are finalized - e.g. system_test_dir performs final + checks and cleans up the temporary test directory. + """ + + def check_net_interfaces(): + try: + perl("testsock.pl", ["-p", env["PORT"]]) + except subprocess.CalledProcessError as exc: + mlogger.error("testsock.pl: exited with code %d", exc.returncode) + pytest.skip("Network interface aliases not set up.") - # Perform checks which may skip this test. - check_net_interfaces() - check_prerequisites() + def check_prerequisites(): + try: + shell(f"{system_test_dir}/prereq.sh") + except FileNotFoundError: + pass # prereq.sh is optional + except subprocess.CalledProcessError: + pytest.skip("Prerequisites missing.") - # Store the fact that this fixture hasn't successfully finished yet. - # This is checked before temporary directory teardown to decide whether - # it's okay to remove the directory. 
- request.node.stash[FIXTURE_OK] = False + def setup_test(): + try: + shell(f"{system_test_dir}/setup.sh") + except FileNotFoundError: + pass # setup.sh is optional + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to run test setup") + pytest.fail(f"setup.sh exited with {exc.returncode}") + + def start_servers(): + try: + perl("start.pl", ["--port", env["PORT"], system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to start servers") + pytest.fail(f"start.pl exited with {exc.returncode}") - setup_test() + def stop_servers(): try: - start_servers() - mlogger.debug("executing test(s)") - yield - finally: - mlogger.debug("test(s) finished") - stop_servers() + perl("stop.pl", [system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to stop servers") get_core_dumps() - request.node.stash[FIXTURE_OK] = True + pytest.fail(f"stop.pl exited with {exc.returncode}") + + def get_core_dumps(): + try: + shell("get_core_dumps.sh", [system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Found core dumps or sanitizer reports") + pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}") + + os.environ.update(env) # Ensure pytests have the same env vars as shell tests. + mlogger.info(f"test started: {request.node.name}") + port = int(env["PORT"]) + mlogger.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1) + + if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0 + request.node.stash = {} # use regular dict instead of pytest.Stash + request.node.stash[FIXTURE_OK] = True + + # Perform checks which may skip this test. + check_net_interfaces() + check_prerequisites() + + # Store the fact that this fixture hasn't successfully finished yet. + # This is checked before temporary directory teardown to decide whether + # it's okay to remove the directory. 
+ request.node.stash[FIXTURE_OK] = False + + setup_test() + try: + start_servers() + mlogger.debug("executing test(s)") + yield + finally: + mlogger.debug("test(s) finished") + stop_servers() + get_core_dumps() + request.node.stash[FIXTURE_OK] = True diff --git a/bin/tests/system/convert-junit-to-trs.py b/bin/tests/system/convert-junit-to-trs.py new file mode 100755 index 0000000..b3d44b5 --- /dev/null +++ b/bin/tests/system/convert-junit-to-trs.py 
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Convert JUnit pytest output to automake .trs files
+
+import argparse
+import sys
+from xml.etree import ElementTree
+
+
+def junit_to_trs(junit_xml):
+ root = ElementTree.fromstring(junit_xml)
+ testcases = root.findall("./testsuite/testcase")
+
+ if len(testcases) < 1:
+ print(":test-result: ERROR convert-junit-to-trs.py")
+ return 99
+
+ has_fail = False
+ has_error = False
+ has_skipped = False
+ for testcase in testcases:
+ filename = f"{testcase.attrib['classname'].replace('.', '/')}.py"
+ name = f"(unknown)::{testcase.attrib['name']}"
+ res = "PASS"
+ for node in testcase:
+ if node.tag == "failure":
+ res = "FAIL"
+ has_fail = True
+ elif node.tag == "error":
+ res = "ERROR"
+ has_error = True
+ elif node.tag == "skipped":
+ if node.attrib.get("type") == "pytest.xfail":
+ res = "XFAIL"
+ else:
+ res = "SKIP"
+ has_skipped = True
+ print(f":test-result: {res} {name}")
+
+ if has_error:
+ return 99
+ if has_fail:
+ return 1
+ if has_skipped:
+ return 77
+ return 0
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="Convert JUnit XML to Automake TRS and exit with "
+ "the appropriate Automake-compatible exit code."
+ )
+ parser.add_argument(
+ "junit_file",
+ type=argparse.FileType("r", encoding="utf-8"),
+ help="junit xml result file",
+ )
+ args = parser.parse_args()
+
+ junit_xml = args.junit_file.read()
+ sys.exit(junit_to_trs(junit_xml))
+
+
+if __name__ == "__main__":
+ main()
diff --git a/bin/tests/system/cookie/prereq.sh b/bin/tests/system/cookie/prereq.sh
new file mode 100644
index 0000000..b6b005f
--- /dev/null
+++ b/bin/tests/system/cookie/prereq.sh
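Review bot: `filename` is computed on the line after `for testcase in testcases:` but never used, while the printed result name hard-codes `(unknown)`; this looks like the path was meant to go into the TRS line, e.g. `name = f"{filename}::{testcase.attrib['name']}"`, so each `:test-result:` entry identifies the test file it came from. Separately, a malformed or truncated JUnit file makes `ElementTree.fromstring` raise `ParseError`, which escapes `main()` as a traceback with exit status 1, so Automake would record a plain FAIL instead of the hard error (99) the script otherwise reserves for "no usable results"; wrapping the parse in `try: root = ElementTree.fromstring(junit_xml)` / `except ElementTree.ParseError: print(":test-result: ERROR convert-junit-to-trs.py"); return 99` keeps the exit-code contract. The `./testsuite/testcase` path also only matches when the document root is the `<testsuites>` wrapper; if a producer emits a bare `<testsuite>` root every run would report ERROR, so a comment stating which JUnit layout is expected would help the next maintainer.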
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PYTHON} -c 'import dns'; then
+ echo_i "python dns module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
index 489a248..24984a3 100755
--- a/bin/tests/system/cookie/tests.sh
+++ b/bin/tests/system/cookie/tests.sh
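Review bot: `${PYTHON}` is expanded unquoted in `if ! ${PYTHON} -c 'import dns'; then` and nothing confirms it is non-empty; if conf.sh leaves it unset on a build without Python, the shell runs `-c` as the command and the script reports the misleading "python dns module is required" message. Suggest `if test -z "${PYTHON}" || ! "${PYTHON}" -c 'import dns' >/dev/null 2>&1; then`, which distinguishes the two cases and keeps the ImportError traceback out of the prereq output (this assumes PYTHON holds a bare interpreter path rather than interpreter plus arguments — confirm against conf.sh).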
@@ -16,87 +16,85 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 getcookie() { - awk '$2 == "COOKIE:" { + awk '$2 == "COOKIE:" { print $3; - }' < $1 + }' <$1 } fullcookie() { - awk 'BEGIN { n = 0 } + awk 'BEGIN { n = 0 } // { v[n++] = length(); } END { print (v[1] == v[2]); }' } havetc() { - grep 'flags:.* tc[^;]*;' $1 > /dev/null + grep 'flags:.* tc[^;]*;' $1 >/dev/null } -for bad in bad*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - $CHECKCONF $bad > /dev/null 2>&1 && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for bad in bad*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad >/dev/null 2>&1 && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for good in good*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects accepts $good ($n)" - ret=0 - $CHECKCONF $good > /dev/null 2>&1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for good in good*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects accepts $good ($n)" + ret=0 + $CHECKCONF $good >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 
]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE token is returned to empty COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE is not returned when answer-cookie is false ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size without COOKIE ($n)" ret=0 -$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 if [ $ret != 0 ]; then 
echo_i "failed"; fi status=$((status + ret)) 
@@ -104,36 +102,36 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking response size without valid COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size with COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l || ret=1 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1 cookie=$(getcookie dig.out.test$n.l) -$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size with COOKIE recursive ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE is learnt for TCP retry ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 3 ]; then 
ret=1; fi checkfull=$(getcookie dig.out.test$n | fullcookie) @@ -145,15 +143,15 @@ n=$((n + 1)) echo_i "checking for COOKIE value in adb ($n)" ret=0 rndc_dumpdb ns1 -grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie default (no) ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n || ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null && ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi @@ -162,10 +160,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie yes ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 -grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1 -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 +grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -174,7 +172,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking +qr +showbadcookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) @@ -191,7 +189,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking +showbadcookie ($n)" ret=0 -$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) @@ -208,9 +206,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie yes with rate-limit ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n || ret=1 -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -219,24 +217,24 @@ status=$((status + ret)) n=$((n + 1)) echo_i "send undersized cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "send oversized for named cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "send oversized for named cookie with server requiring a good cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -260,8 +258,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS4 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns4cookie=$(getcookie dig.out.test$n) test -n "$ns4cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -270,8 +268,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS5 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns5cookie=$(getcookie dig.out.test$n) test -n "$ns5cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -280,8 +278,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS6 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns6cookie=$(getcookie dig.out.test$n) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -289,54 +287,54 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test NS4 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS5 cookie on NS4 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS6 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -345,62 +343,62 @@ echo_i "check that test server is correctly configured ($n)"
 ret=0
 pat="; COOKIE: ................................ (good)"
 #UDP
-$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 || ret=1
-grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
-grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 || ret=1
-grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
-grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 || ret=1
-grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
-grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 || ret=1
-grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
-grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
+grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
+grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
+grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
+grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
+grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1
 #TCP
-$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 || ret=1
-grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
-grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
-grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
-grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
-grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
-grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
-
-$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
-grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
-grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
-grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
+grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
+grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6
+grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
+grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7
+grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8
+grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
+grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -411,17 +409,17 @@ ret=0
 msg="missing expected cookie from"
 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
 # prime EDNS COOKIE state
-$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
-grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
+grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
 rndc_dumpdb ns1
-grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
 # spoofed response contains 10.53.0.10
 nextpart ns1/named.run >/dev/null
-$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 || ret=1
+$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
 wait_for_log 5 "$msg" ns1/named.run || ret=1
-grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -431,17 +429,17 @@ ret=0
 msg="missing expected cookie from"
 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
 # prime EDNS COOKIE state
-$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
-grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
+grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
 rndc_dumpdb ns1
-grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
 # check the disabled server response
 nextpart ns1/named.run >/dev/null
-$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
+$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2
 wait_for_log 5 "$msg" ns1/named.run || ret=1
-grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -450,17 +448,17 @@ echo_i "check that spoofed response with a TSIG is dropped when we have a server
 ret=0
 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
 # prime EDNS COOKIE state
-$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1
-grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
+grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
 rndc_dumpdb ns1
-grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
 # spoofed response contains 10.53.0.10
 nextpart ns1/named.run >/dev/null
-$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 || ret=1
-grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
-grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
-nextpart ns1/named.run > named.run.test$n
+$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
+grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
+nextpart ns1/named.run >named.run.test$n
 count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
 test $count -eq 1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -470,56 +468,55 @@ if $PYTHON -c '
 import dns.version, sys;
 if dns.version.MAJOR > 1: sys.exit(0);
 if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
-sys.exit(1)'
-then
+sys.exit(1)'; then
 n=$((n + 1))
 echo_i "check that TSIG test server is correctly configured ($n)"
 ret=0
 pat="; COOKIE: ................................ (good)"
 key=hmac-sha256:foo:aaaaaaaaaaaa
 #UDP
- $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 || ret=1
- grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
- grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
-
- $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 || ret=1
- grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
- grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
-
- $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 || ret=1
- grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
- grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1
+ grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
+ grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
+
+ $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
+ grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+ grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
+
+ $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
+ grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
+ grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
 #TCP
- $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 || ret=1
- grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
- grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
-
- $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 || ret=1
- grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
- grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
-
- $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 || ret=1
- grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
- grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
- grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1
+ grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
+ grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
+
+ $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
+ grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
+ grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
+
+ $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
+ grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
+ grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
+ grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -529,17 +526,17 @@ then
 ret=0
 pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
 # prime EDNS COOKIE state
- $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
- grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1
+ grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
 rndc_dumpdb ns1
- grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+ grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
 # check the disabled server response
 nextpart ns1/named.run >/dev/null
- $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
- grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
- grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
- grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
- nextpart ns1/named.run > named.run.test$n
+ $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2
+ grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
+ grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
+ nextpart ns1/named.run >named.run.test$n
 count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
 test $count -eq 2 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/custom-test-driver b/bin/tests/system/custom-test-driver
index 7499aa0..a986dd8 100755
--- a/bin/tests/system/custom-test-driver
+++ b/bin/tests/system/custom-test-driver
@@ -2,7 +2,7 @@
 # test-driver - basic testsuite driver script.
-scriptversion=2021-09-20.08; # UTC
+scriptversion=2021-09-20.08 # UTC
 # Copyright (C) 2011-2020 Free Software Foundation, Inc.
 #
@@ -34,15 +34,13 @@ scriptversion=2021-09-20.08; # UTC # helps a lot in preventing typo-related bugs. set -u -usage_error () -{ +usage_error() { echo "$0: $*" >&2 print_usage >&2 exit 2 } -print_usage () -{ +print_usage() { cat <&1; echo $? > "$status_file") | tee $log_file + "$@" --junit-xml $PWD/$junit_file 2>&1 | tee $log_file else - "$@" >$log_file 2>&1; echo $? > "$status_file" + "$@" --junit-xml $PWD/$junit_file >$log_file 2>&1 fi -read -r estatus < "$status_file" -rm "$status_file" + +# Run junit to trs converter script. +./convert-junit-to-trs.py $junit_file >$trs_file +estatus=$? if test $enable_hard_errors = no && test $estatus -eq 99; then tweaked_estatus=1 @@ -128,12 +156,12 @@ else fi case $tweaked_estatus:$expect_failure in - 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; - 0:*) col=$grn res=PASS recheck=no gcopy=no;; - 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; - 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; - *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; - *:*) col=$red res=FAIL recheck=yes gcopy=yes;; + 0:yes) col=$red res=XPASS recheck=yes gcopy=yes ;; + 0:*) col=$grn res=PASS recheck=no gcopy=no ;; + 77:*) col=$blu res=SKIP recheck=no gcopy=yes ;; + 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes ;; + *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes ;; + *:*) col=$red res=FAIL recheck=yes gcopy=yes ;; esac # Report the test outcome and exit status in the logs, so that one can 
@@ -145,11 +173,10 @@ echo "$res $test_name (exit status: $estatus)" >>$log_file
 # Report outcome to console.
 echo "${col}${res}${std}: $test_name"
-# Register the test result, and other relevant metadata.
-echo ":test-result: $res" > $trs_file
-echo ":global-test-result: $res" >> $trs_file
-echo ":recheck: $recheck" >> $trs_file
-echo ":copy-in-global-log: $gcopy" >> $trs_file
+# Register other relevant test metadata.
+echo ":global-test-result: $res" >>$trs_file
+echo ":recheck: $recheck" >>$trs_file
+echo ":copy-in-global-log: $gcopy" >>$trs_file
 # Local Variables:
 # mode: shell-script
diff --git a/bin/tests/system/database/tests.sh b/bin/tests/system/database/tests.sh
index 408b094..efd352c 100644
--- a/bin/tests/system/database/tests.sh
+++ b/bin/tests/system/database/tests.sh
@@ -21,14 +21,14 @@ n=0
 rm -f dig.out.*
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../common/rndc.conf"
+RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../_common/rndc.conf"
 # Check the example. domain
 echo_i "checking pre reload zone ($n)"
 ret=0
-$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
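Review bot: Dropping the `:test-result:` echo here makes the three `>>$trs_file` appends depend on the converter step earlier in the file (`./convert-junit-to-trs.py $junit_file >$trs_file` followed by `estatus=$?`, in a hunk that is only partly readable in this view) having written that line first; if the converter exits non-zero — for example because the test aborted before producing the JUnit XML — the `>` redirection has already truncated the file, so the `.trs` ends up with `:global-test-result:`, `:recheck:` and `:copy-in-global-log:` but no `:test-result:` line, and `estatus` then reflects the converter rather than the test (presumably the converter mirrors the test outcome in its exit status, but that contract is outside this diff). A one-line fallback placed before the appends keeps the `.trs` well-formed in that path: `grep -q '^:test-result:' "$trs_file" || echo ":test-result: $res" >>"$trs_file"`. While touching these lines, quoting the target as `>>"$trs_file"` costs nothing and matches the `"$status_file"` quoting the removed code used.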
@@ -39,14 +39,13 @@ $RNDCCMD reload 2>&1 >/dev/null
 echo_i "checking post reload zone ($n)"
 ret=1
 try=0
-while test $try -lt 6
-do
- sleep 1
- ret=0
- $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
- grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
- try=$((try + 1))
- test $ret -eq 0 && break
+while test $try -lt 6; do
+ sleep 1
+ ret=0
+ $DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1
+ grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1
+ try=$((try + 1))
+ test $ret -eq 0 && break
 done
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh
index b68c71e..943c8fb 100644
--- a/bin/tests/system/dialup/tests.sh
+++ b/bin/tests/system/dialup/tests.sh
@@ -23,21 +23,19 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}"
 # Check the example. domain
-$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
+$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1
 echo_i "checking that first zone transfer worked"
 ret=0
 try=0
-while test $try -lt 120
-do
- $DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1
- if grep SERVFAIL dig.out.ns2.test > /dev/null
- then
- try=$((try + 1))
- sleep 1
- else
- digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
- break;
- fi
+while test $try -lt 120; do
+ $DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1
+ if grep SERVFAIL dig.out.ns2.test >/dev/null; then
+ try=$((try + 1))
+ sleep 1
+ else
+ digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
+ break
+ fi
 done
 echo_i "try $try"
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -46,17 +44,15 @@ status=$((status + ret))
 echo_i "checking that second zone transfer worked"
 ret=0
 try=0
-while test $try -lt 120
-do
- $DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1
- if grep SERVFAIL dig.out.ns3.test > /dev/null
- then
- try=$((try + 1))
- sleep 1
- else
- digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
- break;
- fi
+while test $try -lt 120; do
+ $DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1
+ if grep SERVFAIL dig.out.ns3.test >/dev/null; then
+ try=$((try + 1))
+ sleep 1
+ else
+ digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
+ break
+ fi
 done
 echo_i "try $try"
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in
index 1391b73..0aa42a3 100644
--- a/bin/tests/system/digdelv/ns2/named.conf.in
+++ b/bin/tests/system/digdelv/ns2/named.conf.in
@@ -25,7 +25,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "example" {
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
index c8564b2..1dd513c 100644
--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -20,10 +20,10 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
 cp example.db.in example.db
-"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
+"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1
-keyfile_to_key_id "$ksk" > keyid
-grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
+keyfile_to_key_id "$ksk" >keyid
+grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata
-keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
-keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
+keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey
+keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds
diff --git a/bin/tests/system/digdelv/ns3/named.conf.in b/bin/tests/system/digdelv/ns3/named.conf.in
index 66bb748..90a3fa3 100644
--- a/bin/tests/system/digdelv/ns3/named.conf.in
+++ b/bin/tests/system/digdelv/ns3/named.conf.in
@@ -24,5 +24,5 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/digdelv/prereq.sh b/bin/tests/system/digdelv/prereq.sh
new file mode 100644
index 0000000..32889aa
--- /dev/null
+++ b/bin/tests/system/digdelv/prereq.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PYTHON} -c 'import dns'; then
+ echo_i "python dns module is required"
+ exit 1
+fi
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index dceced6..39b2b54 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -20,15 +20,15 @@ status=0
 n=0
 sendcmd() {
- send "${1}" "$EXTRAPORT1"
+ send "${1}" "$EXTRAPORT1"
 }
 dig_with_opts() {
- "$DIG" -p "$PORT" "$@"
+ "$DIG" -p "$PORT" "$@"
 }
 mdig_with_opts() {
- "$MDIG" -p "$PORT" "$@"
+ "$MDIG" -p "$PORT" "$@"
 }
 # Check if response in file $1 has the correct TTL range.
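Review bot: The two probes in the new prereq.sh, `${PYTHON} -c 'import dns'` and `${PERL} -MNet::DNS -e ''`, leave the interpreters' stderr attached, so on a host without the module the `echo_i "... is required"` message is preceded in the test log by a full Python traceback or Perl's "Can't locate Net/DNS.pm" diagnostic; `if ! ${PYTHON} -c 'import dns' >/dev/null 2>&1; then` and `if ! ${PERL} -MNet::DNS -e '' >/dev/null 2>&1; then` leave the prereq message as the only output. That also lines up with the digdelv tests.sh hunk that follows, which runs its own `import yaml` probe as `$PYTHON -c "import yaml" 2>/dev/null` behind an `[ -x "$PYTHON" ]` guard; the prereq currently assumes conf.sh always yields a usable `PYTHON`, so the same guard would make the failure mode explicit rather than an interpreter-not-found error. Whether `exit 1` from a prereq script marks the test as skipped or failed is decided by the runner, which is not in this diff.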
@@ -37,211 +37,216 @@ mdig_with_opts() { # the second word on the line. TTL position can be adjusted with # setting the position $4, but that requires updating this function. check_ttl_range() { - file=$1 - pos=$4 + file=$1 + pos=$4 - case "$pos" in + case "$pos" in "3") - { awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true - ;; + { + awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + result=$? + } || true + ;; *) - { awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true - ;; - esac - - [ $result -eq 0 ] || echo_i "ttl check failed" - return $result + { + awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + result=$? + } || true + ;; + esac + + [ $result -eq 0 ] || echo_i "ttl check failed" + return $result } # using delv insecure mode as not testing dnssec here delv_with_opts() { - "$DELV" +noroot -p "$PORT" "$@" + "$DELV" +noroot -p "$PORT" "$@" } KEYID="$(cat ns2/keyid)" -KEYDATA="$(< ns2/keydata sed -e 's/+/[+]/g')" -NOSPLIT="$(< ns2/keydata sed -e 's/+/[+]/g' -e 's/ //g')" +KEYDATA="$(sed /dev/null && HAS_PYYAML=1 +if [ -x "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi # # test whether ans7/ans.pl will be able to send a UPDATE response. # if it can't, we will log that below. 
# -if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1 -then - checkupdate=1 +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' >/dev/null 2>&1; then + checkupdate=1 else - checkupdate=0 + checkupdate=0 fi -if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nslookup handles UPDATE response ($n)" ret=0 - "$NSLOOKUP" -q=CNAME -timeout=1 "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1 + "$NSLOOKUP" -q=CNAME -timeout=1 "-port=$PORT" foo.bar 10.53.0.7 >nslookup.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" nslookup.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then +if [ -x "$HOST" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check host handles UPDATE response ($n)" ret=0 - "$HOST" -W 1 -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1 + "$HOST" -W 1 -t CNAME -p $PORT foo.bar 10.53.0.7 >host.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" host.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nsupdate handles UPDATE response to QUERY ($n)" ret=0 res=0 - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$? + $NSUPDATE <nsupdate.out.test$n 2>&1 || res=$? 
server 10.53.0.7 ${PORT} add x.example.com 300 in a 1.2.3.4 send EOF test $res -eq 1 || ret=1 - grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1 + grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$DIG" ] ; then +if [ -x "$DIG" ]; then - if [ $checkupdate -eq 1 ] ; then + if [ $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check dig handles UPDATE response ($n)" ret=0 - dig_with_opts @10.53.0.7 +tries=1 +timeout=1 cname foo.bar > dig.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.7 +tries=1 +timeout=1 cname foo.bar >dig.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "Skipped UPDATE handling test" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig short form works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 - test "$(wc -l < dig.out.test$n)" -eq 1 || ret=1 + dig_with_opts @10.53.0.3 +short a a.example >dig.out.test$n || ret=1 + test "$(wc -l dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +unknownformat works ($n)" ret=0 - dig_with_opts @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +unknownformat a a.example >dig.out.test$n || ret=1 + 
grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" /dev/null || ret=1 check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig with reverse lookup works ($n)" ret=0 - dig_with_opts @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 -x 127.0.0.1 >dig.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < dig.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 86400 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig over TCP works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 a a.example >dig.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 
- dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +nosplit works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1 - grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >dig.out.test$n || ret=1 + grep "$NOSPLIT" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + 
status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" dig.out.nn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1 - lcnn=$(wc -l < dig.out.nn.$n) - lcmn=$(wc -l < dig.out.mn.$n) - lcnm=$(wc -l < dig.out.nm.$n) - lcmm=$(wc -l < dig.out.mm.$n) + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti >dig.out.nn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti >dig.out.mn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi >dig.out.nm.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi >dig.out.mm.$n || ret=1 + lcnn=$(wc -l dig.out.test$n || ret=1 - grep "Got answer:" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +noheader-only A example >dig.out.test$n || ret=1 + grep "Got answer:" /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments 
DNSKEY example >dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," /dev/null || ret=1 + grep "^;; QUESTION SECTION:" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +raflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +raflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +raflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +tcflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +tcflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) 
echo_i "checking dig +header-only works (with class and type set) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example > dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," /dev/null || ret=1 + grep "^;; QUESTION SECTION:" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +zflag works, and that BIND properly ignores it ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1 - sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1 - sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +zflag +qr A example >dig.out.test$n || ret=1 + sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" >/dev/null || ret=1 + sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +qr +ednsopt=08 does not cause an INSIST failure ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example > dig.out.test$n || ret=1 - grep "INSIST" < dig.out.test$n > /dev/null && ret=1 - grep "FORMERR" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example >dig.out.test$n || ret=1 + grep "INSIST" /dev/null && ret=1 + grep "FORMERR" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - 
status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ttlunits works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example > dig.out.test$n || ret=1 - grep "^days.example. 3d" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example > dig.out.test$n || ret=1 - grep "^hours.example. 3h" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example > dig.out.test$n || ret=1 - grep "^minutes.example. 45m" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example > dig.out.test$n || ret=1 - grep "^seconds.example. 45s" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example >dig.out.test$n || ret=1 + grep "^days.example. 3d" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example >dig.out.test$n || ret=1 + grep "^hours.example. 3h" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example >dig.out.test$n || ret=1 + grep "^minutes.example. 45m" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example >dig.out.test$n || ret=1 + grep "^seconds.example. 45s" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig respects precedence of options with +ttlunits ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 
IN" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 1814400" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. IN" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 1814400" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig preserves origin on TCP retries ($n)" ret=0 # Ask ans4 to still accept TCP connections, but not respond to queries echo "//" | sendcmd 10.53.0.4 - dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1 + dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo >dig.out.test$n 2>&1 && ret=1 test "$(grep -c "trying origin bar" dig.out.test$n)" -eq 2 || ret=1 - grep "using root origin" < dig.out.test$n > /dev/null && ret=1 + grep "using root origin" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -6 -4 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + 
status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig @IPv6addr -4 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "address family not supported" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "address family not supported" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcp @IPv4addr -6 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.2 -6 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +notcp @IPv4addr -6 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +notcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +notcp @10.53.0.2 -6 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig 
+subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet +subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with various prefix lengths ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24; do - dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example > dig.out.$i.test$n 2>&1 || ret=1 - case $i in - 1|9|17) octet=128 ;; - 2|10|18) octet=192 ;; - 3|11|19) octet=224 ;; - 4|12|20) octet=240 ;; - 5|13|21) octet=248 ;; - 6|14|22) octet=252 ;; - 7|15|23) octet=254 ;; - 8|16|24) octet=255 ;; - esac - case $i in - 1|2|3|4|5|6|7|8) addr="${octet}.0.0.0";; - 9|10|11|12|13|14|15|16) addr="255.${octet}.0.0";; - 17|18|19|20|21|22|23|24) addr="255.255.${octet}.0" ;; - esac - grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1 - grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1 - check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example >dig.out.$i.test$n 
2>&1 || ret=1 + case $i in + 1 | 9 | 17) octet=128 ;; + 2 | 10 | 18) octet=192 ;; + 3 | 11 | 19) octet=224 ;; + 4 | 12 | 20) octet=240 ;; + 5 | 13 | 21) octet=248 ;; + 6 | 14 | 22) octet=252 ;; + 7 | 15 | 23) octet=254 ;; + 8 | 16 | 24) octet=255 ;; + esac + case $i in + 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8) addr="${octet}.0.0.0" ;; + 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16) addr="255.${octet}.0.0" ;; + 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24) addr="255.255.${octet}.0" ;; + esac + grep "FORMERR" /dev/null && ret=1 + grep "CLIENT-SUBNET: $addr/$i/0" /dev/null || ret=1 + check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || 
ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=::/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: ::/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00030000 (family=3, source=0, scope=0) ($n)" ret=0 - dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: FORMERR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 00 03 00 00" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +qr +tcp 
@10.53.0.2 +ednsopt=8:00030000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: FORMERR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 00 03 00 00" /dev/null || ret=1 test "$(grep -c "CLIENT-SUBNET: 00 03 00 00" dig.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with prefix lengths between byte boundaries ($n)" ret=0 for p in 9 10 11 12 13 14 15; do - dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1 - grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1 - grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example >dig.out.test.$p.$n 2>&1 || ret=1 + grep "FORMERR" /dev/null && ret=1 + grep "CLIENT-SUBNET.*/$p/0" /dev/null || ret=1 check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +sp works as an abbreviated form of split ($n)" ret=0 - dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -c works ($n)" ret=0 - dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind > dig.out.test$n || ret=1 - grep "version.bind. 0 CH TXT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind >dig.out.test$n || ret=1 + grep "version.bind. 
0 CH TXT" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option number ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=3 a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option name ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=nsid a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking ednsopt LLQ prints as expected ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example >dig.out.test$n 2>&1 || ret=1 pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking that dig warns about .local queries ($n)" ret=0 - dig_with_opts @10.53.0.3 local soa > dig.out.test$n 2>&1 || ret=1 - grep ";; WARNING: .local is reserved for Multicast DNS" 
dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 local soa >dig.out.test$n 2>&1 || ret=1 + grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: *$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: *$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag: ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 1, 2$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag: and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 
a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=client-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG: 1$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null 
|| ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=server-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG: 1$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i 
"failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". - dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 0 (Other): (foo)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 24 is printed correctly ($n)" # Last defined EDE code, no additional text. - dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 24 (Invalid Data)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 25: (foo)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE:$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 00 (".")$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 && ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 && ret=1 - grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1 + grep "ednsopt no code point specified" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i 
"check that dig gracefully handles bad escape in domain name ($n)" ret=0 digstatus=0 - dig_with_opts @10.53.0.3 '\0.' > dig.out.test$n 2>&1 || digstatus=$? - echo digstatus=$digstatus >> dig.out.test$n + dig_with_opts @10.53.0.3 '\0.' >dig.out.test$n 2>&1 || digstatus=$? + echo digstatus=$digstatus >>dig.out.test$n test $digstatus -eq 10 || ret=1 - grep REQUIRE dig.out.test$n > /dev/null && ret=1 - grep "is not a legal name (bad escape)" dig.out.test$n > /dev/null || ret=1 + grep REQUIRE dig.out.test$n >/dev/null && ret=1 + grep "is not a legal name (bad escape)" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -q -m works ($n)" ret=0 - dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1 + dig_with_opts @10.53.0.3 -q -m >dig.out.test$n 2>&1 pat='^;-m\..*IN.*A$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 - grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 + grep "Dump of all outstanding memory allocations" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> immediate) ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
[ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> partial AXFR) ($n)" ret=0 echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> partial AXFR) ($n)" ret=0 echo "no_response partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> immediate) ($n)" ret=0 echo "partial_axfr no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
[ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> complete AXFR) ($n)" ret=0 echo "no_response complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> complete AXFR) ($n)" ret=0 echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +tries=1 won't retry twice upon TCP EOF ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=1 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
[ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +retry=0 won't retry twice upon TCP EOF ($n)" ret=0 - dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +retry=0 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +noexpandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig default for +[no]expandaaa (+noexpandaaaa) works ($n)" ret=0 - dig_with_opts @10.53.0.3 AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + 
dig_with_opts @10.53.0.3 AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +short +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check dig +yaml output ($n)" ret=0 - dig_with_opts +qr +yaml @10.53.0.3 any ns2.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts +qr +yaml @10.53.0.3 any ns2.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example >dig.out.test$n 2>&1 || 
ret=1 + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - grep "EDNS:" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr >dig.out.test$n 2>&1 || ret=1 + grep "EDNS:" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize restores default bufsize ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr >dig.out.test$n 2>&1 || ret=1 lines=$(grep "EDNS:.* udp:" dig.out.test$n | wc -l) lines1232=$(grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l) test $lines -eq 2 || ret=1 test $lines1232 -eq 2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig without -u displays 'Query time' in millseconds ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* msec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u displays 'Query time' in microseconds ($n)" ret=0 - dig_with_opts -u @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* usec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +yaml without -u displays timestamps in milliseconds ($n)" ret=0 - dig_with_opts +yaml @10.53.0.3 a.example > 
dig.out.test$n 2>&1 || ret=1 + dig_with_opts +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u +yaml displays timestamps in microseconds ($n)" ret=0 - dig_with_opts -u +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # See [GL #3020] for more information - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles UDP timeout followed by a SERVFAIL correctly ($n)" # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) echo "unstable" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 +nofail @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 +nofail @10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles TCP timeout followed by a SERVFAIL correctly ($n)" # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) echo "unstable" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 +nofail +tcp @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || 
ret=1 + dig_with_opts +timeout=1 +nofail +tcp @10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a UDP socket network unreachable error ($n)" ret=0 - dig_with_opts @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @192.0.2.128 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a TCP socket network unreachable error ($n)" ret=0 - dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a UDP socket read error ($n)" ret=0 - dig_with_opts @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.99 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then 
echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a TCP socket read error ($n)" # Ask ans8 to be in "close" mode, which closes the connection after accepting it echo "close" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # Note that we combine TCP socket "connection error" and "timeout" cases in # one, because it is not trivial to simulate the timeout case in a system test 
@@ -1049,351 +1051,349 @@ if [ -x "$DIG" ] ; then
 # the connection establishment time does not differentiate between timeout and
 # other types of errors (unlike during reading), so this one check should be
 # sufficient for both cases.
- n=$((n+1))
+ n=$((n + 1))
 echo_i "check that dig tries the next server after a TCP socket connection error/timeout ($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+ dig_with_opts +tcp @10.53.0.99 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1
 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1
- grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+ grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
+ status=$((status + ret))
- n=$((n+1))
+ n=$((n + 1))
 echo_i "check that dig tries the next server after UDP socket read timeouts ($n)"
 # Ask ans8 to be in "silent" mode
 echo "silent" | sendcmd 10.53.0.8
 ret=0
- dig_with_opts +timeout=1 @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
- grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+ dig_with_opts +timeout=1 @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1
+ grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
+ status=$((status + ret))
- n=$((n+1))
+ n=$((n + 1))
 echo_i "check that dig tries the next server after TCP socket read timeouts ($n)"
 # Ask ans8 to be in "silent" mode
 echo "silent" | sendcmd 10.53.0.8
 ret=0
- dig_with_opts +timeout=1 +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
- grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+ dig_with_opts +timeout=1 +tcp @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1
+ grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i
"failed"; fi
- status=$((status+ret))
+ status=$((status + ret))
 # See [GL #3248] for more information
- n=$((n+1))
+ n=$((n + 1))
 echo_i "check that dig correctly refuses to use a server with a IPv4 mapped IPv6 address after failing with a regular IP address ($n)"
 ret=0
- dig_with_opts @10.53.0.8 @::ffff:10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1
- grep -F ";; Skipping mapped address" dig.out.test$n > /dev/null || ret=1
- grep -F ";; No acceptable nameservers" dig.out.test$n > /dev/null || ret=1
+ dig_with_opts @10.53.0.8 @::ffff:10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1
+ grep -F ";; Skipping mapped address" dig.out.test$n >/dev/null || ret=1
+ grep -F ";; No acceptable nameservers" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
+ status=$((status + ret))
 # See [GL #3244] for more information
- n=$((n+1))
+ n=$((n + 1))
 echo_i "check that dig handles printing query information with +qr and +y when multiple queries are involved (including a failed query) ($n)"
 ret=0
- dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
- grep -F "IN A 10.0.0.1" dig.out.test$n > /dev/null || ret=1
+ dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1
+ grep -F "IN A 10.0.0.1" dig.out.test$n >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
+ status=$((status + ret))
 else
 echo_i "$DIG is needed, so skipping these dig tests"
 fi
-if [ -x "$MDIG" ] ; then
- n=$((n+1))
+if [ -x "$MDIG" ]; then
+ n=$((n + 1))
 echo_i "check that mdig handles malformed option '+ednsopt=:' gracefully ($n)"
 ret=0
- mdig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
- grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+ mdig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1
+ grep "ednsopt no code point specified" dig.out.test$n >/dev/null ||
ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" < dig.out.test$n > /dev/null && ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check mdig +yaml output ($n)" ret=0 - mdig_with_opts +yaml @10.53.0.3 -t any ns2.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message response_message_data status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + mdig_with_opts +yaml @10.53.0.3 -t any ns2.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message response_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 
+short a a.example >delv.out.test$n || ret=1 + test "$(wc -l delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +unknownformat works ($n)" ret=0 - delv_with_opts @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +unknownformat a a.example >delv.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" /dev/null || ret=1 check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -4 -6 ($n)" ret=0 - delv_with_opts @10.53.0.3 -4 -6 A a.example > delv.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -4 -6 A a.example >delv.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv6 on IPv4 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv4 overrides earlier @IPv6 above # and -6 forces IPv6 so this should fail, with a message # "Use of IPv4 disabled by -6" - delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example >delv.out.test$n 2>&1 
&& ret=1 # it should have no results but error output - grep "testing" < delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv4 disabled by -6" delv.out.test$n > /dev/null || ret=1 + grep "testing" /dev/null && ret=1 + grep "Use of IPv4 disabled by -6" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv4 on IPv6 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv6 overrides earlier @IPv4 above # and -4 forces IPv4 so this should fail, with a message # "Use of IPv6 disabled by -4" - delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example >delv.out.test$n 2>&1 && ret=1 # it should have no results but error output - grep "testing" delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv6 disabled by -4" delv.out.test$n > /dev/null || ret=1 + grep "testing" delv.out.test$n >/dev/null && ret=1 + grep "Use of IPv6 disabled by -4" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with reverse lookup works ($n)" ret=0 - delv_with_opts @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1 + delv_with_opts @10.53.0.3 -x 127.0.0.1 >delv.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < delv.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." 
/dev/null || ret=1 check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv over TCP works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 a a.example >delv.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null && ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null && ret=1 check_ttl_range delv.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +rrcomments works for 
DNSKEY($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" delv.out.test$n || ret=1 - grep -q "$NOSPLIT" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT" delv.out.test$n || ret=1 - grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || 
ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT\$" delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +sh works as an abbriviated form of short ($n)" ret=0 - delv_with_opts @10.53.0.3 +sh a a.example > delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 +sh a a.example >delv.out.test$n || ret=1 + test "$(wc -l delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c IN -t a a.example >delv.out.test$n || ret=1 + grep "a.example." /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -c CH is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv H is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." 
/dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -q -m works ($n)" ret=0 - delv_with_opts @10.53.0.3 -q -m > delv.out.test$n 2>&1 || ret=1 - grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1 - grep "^add " delv.out.test$n > /dev/null && ret=1 - grep "^del " delv.out.test$n > /dev/null && ret=1 + delv_with_opts @10.53.0.3 -q -m >delv.out.test$n 2>&1 || ret=1 + grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n >/dev/null || ret=1 + grep "^add " delv.out.test$n >/dev/null && ret=1 + grep "^del " delv.out.test$n >/dev/null && ret=1 check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -t ANY works ($n)" ret=0 - delv_with_opts @10.53.0.3 -t ANY example > delv.out.test$n 2>&1 || ret=1 - grep "^example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -t ANY example >delv.out.test$n 2>&1 || ret=1 + grep "^example." 
/dev/null || ret=1 check_ttl_range delv.out.test$n NS 300 || ret=1 check_ttl_range delv.out.test$n SOA 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads key-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads DS-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check delv +yaml output ($n)" ret=0 - delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1 - $PYTHON yamlget.py delv.out.test$n status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + delv_with_opts +yaml @10.53.0.3 any ns2.example >delv.out.test$n || ret=1 + $PYTHON yamlget.py delv.out.test$n status >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py delv.out.test$n query_name >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < 
yamlget.out.test$n
- count=$(echo $value | wc -w )
+ $PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 >yamlget.out.test$n 2>&1 || ret=1
+ read -r value ns1/ddns.key
+$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key
 copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
index a86ea7e..031f76a 100644
--- a/bin/tests/system/dlzexternal/tests.sh
+++ b/bin/tests/system/dlzexternal/tests.sh
@@ -19,42 +19,42 @@ status=0
 n=0
 DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 newtest() {
- n=$((n + 1))
- echo_i "${1} (${n})"
- ret=0
+ n=$((n + 1))
+ echo_i "${1} (${n})"
+ ret=0
 }
 test_update() {
- host="$1"
- type="$2"
- cmd="$3"
- digout="$4"
- should_fail="$5"
+ host="$1"
+ type="$2"
+ cmd="$3"
+ digout="$4"
+ should_fail="$5"
- cat < ns1/update.txt
+ cat <ns1/update.txt
 server 10.53.0.1 ${PORT}
 update add $host $cmd
 send
 EOF
- newtest "testing update for $host $type $cmd${comment:+ }$comment"
- $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || {
- [ "$should_fail" ] || \
- echo_i "update failed for $host $type $cmd"
- return 1
- }
-
- out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
- lines=$(echo "$out" | grep "$digout" | wc -l)
- [ $lines -eq 1 ] || {
- [ "$should_fail" ] || \
- echo_i "dig output incorrect for $host $type $cmd: $out"
- return 1
- }
- return 0
+ newtest "testing update for $host $type $cmd${comment:+ }$comment"
+ $NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || {
+ [ "$should_fail" ] \
+ || echo_i "update failed for $host $type $cmd"
+ return 1
+ }
+
+ out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host")
+ lines=$(echo "$out" | grep "$digout" | wc -l)
+ [ $lines -eq 1 ] || {
+ [ "$should_fail" ] \
+ || echo_i "dig output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+ return 0
 }
 test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
@@ -70,19 +70,19 @@ test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fai
 status=$((status + ret))
 newtest "testing nxrrset"
-$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n || ret=1
-grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
+$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n || ret=1
+grep "status: NOERROR" dig.out.$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1
 status=$((status + ret))
 newtest "testing prerequisites are checked correctly"
-cat > ns1/update.txt << EOF
+cat >ns1/update.txt < /dev/null 2>&1 && ret=1
+$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1
 out=$($DIG $DIGOPTS +short a testdc3.example.nil)
 [ "$out" = "10.53.0.12" ] && ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
@@ -98,10 +98,10 @@ status=$((status + ret))
 newtest "testing DLZ driver is cleaned up on reload"
 rndc_reload ns1 10.53.0.1
 for i in 0 1 2 3 4 5 6 7 8 9; do
- ret=0
- grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1
- [ "$ret" -eq 0 ] && break
- sleep 1
+ ret=0
+ grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1
+ [ "$ret" -eq 0 ] && break
+ sleep 1
 done
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
@@ -111,53 +111,53 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
 status=$((status + ret))
 newtest "testing AXFR from DLZ drivers"
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
+$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
 lines=$(cat dig.out.example.ns1.test$n | wc -l)
 [ ${lines:-0} -eq 4 ] || ret=1
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
+$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
 lines=$(cat dig.out.alternate.ns1.test$n | wc -l)
 [ ${lines:-0} -eq 5 ] || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing AXFR denied from DLZ drivers"
-$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1
-grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
-$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1
-grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1
+grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1
+grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing AXFR denied based on view ACL"
 # 10.53.0.1 should be disallowed
-$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 || ret=1
-grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1 || ret=1
+grep "; Transfer failed" dig.out.example.ns1.test$n.1 >/dev/null || ret=1
 # 10.53.0.2 should be allowed
-$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 || ret=1
-grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
+$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2 || ret=1
+grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing unsearched/unregistered DLZ zone is not found"
-$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n || ret=1
-grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n || ret=1
+grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing unsearched/registered DLZ zone is found"
-$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
-grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
+grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing unsearched/registered DLZ zone is found"
-$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1
-grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1
+grep "3600.IN.NS.zone.nil."
dig.out.ns1.test$n >/dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing correct behavior with findzone returning ISC_R_NOMORE"
-$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1
 # we should only find one logged lookup per searched DLZ database
 lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l)
 [ $lines -eq 1 ] || ret=1
@@ -167,13 +167,13 @@ lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run |
 status=$((status + ret))
 newtest "testing findzone can return different results per client"
-$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1
 # we should only find one logged lookup per searched DLZ database
 lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
 [ $lines -eq 1 ] || ret=1
 lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l)
 [ $lines -eq 1 ] || ret=1
-$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1
 # we should find several logged lookups this time
 lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l)
 [ $lines -gt 2 ] || ret=1
@@ -183,47 +183,47 @@ lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l
 status=$((status + ret))
 newtest "testing zone returning oversized data"
-$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1
-grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "testing zone returning oversized data at zone origin"
-$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1
-grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 newtest "checking redirected lookup for nonexistent name"
-$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
-grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
-grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
+grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 newtest "checking no redirected lookup for nonexistent type"
-$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n
>/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 newtest "checking redirected lookup for a long nonexistent name"
-$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
-grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1
-grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
+grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1
 lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l)
 [ "$lookups" -eq 1 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 newtest "checking ECS data is passed to driver in clientinfo"
-$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1
-grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1
-$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1
-grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1
+$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1
+grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1
+$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1
+grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/bin/tests/system/dns64/ns1/named.conf1.in b/bin/tests/system/dns64/ns1/named.conf1.in
index aaf7aab..41950d9 100644
--- a/bin/tests/system/dns64/ns1/named.conf1.in
+++ b/bin/tests/system/dns64/ns1/named.conf1.in
@@ -13,7 +13,7 @@
 
 // NS1
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/dns64/ns1/named.conf2.in b/bin/tests/system/dns64/ns1/named.conf2.in
index f3fc40f..ff39dd1 100644
--- a/bin/tests/system/dns64/ns1/named.conf2.in
+++ b/bin/tests/system/dns64/ns1/named.conf2.in
@@ -13,7 +13,7 @@
 
 // NS1
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/dns64/ns1/named.conf3.in b/bin/tests/system/dns64/ns1/named.conf3.in
index cb6237b..a44c258 100644
--- a/bin/tests/system/dns64/ns1/named.conf3.in
+++ b/bin/tests/system/dns64/ns1/named.conf3.in
@@ -13,7 +13,7 @@
 
 // NS1
 
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 
 controls {
 inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh
index 348ca8a..1a0acfd 100644
--- a/bin/tests/system/dns64/ns1/sign.sh
+++ b/bin/tests/system/dns64/ns1/sign.sh
@@ -20,6 +20,6 @@ zonefile=signed.db
 key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
 key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
 
-cat $infile $key1.key $key2.key > $zonefile
+cat $infile $key1.key $key2.key >$zonefile
 
-$SIGNER -P -g -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile >/dev/null
diff --git a/bin/tests/system/dns64/ns2/named.conf.in b/bin/tests/system/dns64/ns2/named.conf.in
index be92d1a..263cc8a 100644
--- a/bin/tests/system/dns64/ns2/named.conf.in
+++ b/bin/tests/system/dns64/ns2/named.conf.in
@@ -62,7 +62,7 @@ options {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "rpz" {
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
index 4ee42dc..231e825 100644
--- a/bin/tests/system/dns64/tests.sh
+++ b/bin/tests/system/dns64/tests.sh 
@@ -22,273 +22,271 @@ rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
 
-for conf in conf/good*.conf
-do
- echo_i "checking that $conf is accepted ($n)"
- ret=0
- $CHECKCONF "$conf" || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+for conf in conf/good*.conf; do
+ echo_i "checking that $conf is accepted ($n)"
+ ret=0
+ $CHECKCONF "$conf" || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 done
 
-for conf in conf/bad*.conf
-do
- echo_i "checking that $conf is rejected ($n)"
- ret=0
- $CHECKCONF "$conf" >/dev/null && ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+for conf in conf/bad*.conf; do
+ echo_i "checking that $conf is rejected ($n)"
+ ret=0
+ $CHECKCONF "$conf" >/dev/null && ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 done
 
 # Check the example. domain
 
 echo_i "checking non-excluded AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)"
 ret=0
-$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1
-grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1
-grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::4" dig.out.ns2.test$n >/dev/null || ret=1
+grep "::ffff:1.2.3.4" dig.out.ns2.test$n >/dev/null && ret=1
+grep "::ffff:1.2.3.5" dig.out.ns2.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking default exclude acl works with AAAA only ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking default exclude acl A only lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially excluded only AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-excluded AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -297,212 +295,212 @@ status=$((status + ret))
 
 echo_i "checking non-excluded AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:304" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -511,220 +509,220 @@ status=$((status + ret))
 
 echo_i "checking non-excluded AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-only.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -733,181 +731,181 @@ status=$((status + ret))
 
 echo_i "checking non-excluded AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking AAAA only via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A only via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -916,181 +914,181 @@ status=$((status + ret)) echo_i "checking non-excluded AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-aaaa.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-mapped A lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking NODATA AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-existent AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS non-existent.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-bad-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A only via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.signed."
dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1098,227 +1096,225 @@ status=$((status + ret))
 # Check the signed. domain
 echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec excluded-bad-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A only lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec a-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec mx-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-excluded-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-aaaa-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.signed."
dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +dnssec cname-non-existent.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking reverse mapping ($n)"
 ret=0
-$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
-grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1
+grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 list=$($DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort)
-for a in $list
-do
- ret=0
- echo_i "checking reverse mapping of $a ($n)"
- $DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1
- grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." dig.out.ns2.test$n > /dev/null || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+for a in $list; do
+ ret=0
+ echo_i "checking reverse mapping of $a ($n)"
+ $DIG $DIGOPTS -x $a @10.53.0.2 >dig.out.ns2.test$n || ret=1
+ grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA."
dig.out.ns2.test$n >/dev/null || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 done
 rev=$($ARPANAME 2001:aaaa::10.0.0.1)
 regex='..\(.*.IP6.ARPA\)'
 rev=$(expr "${rev}" : "${regex}")
 fin=$(expr "${rev}" : "............${regex}")
-while test "${rev}" != "${fin}"
-do
- ret=0
- echo_i "checking $rev ($n)"
- $DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1
- grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
- grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
- n=$((n + 1))
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
- rev=$(expr "${rev}" : "${regex}")
+while test "${rev}" != "${fin}"; do
+ ret=0
+ echo_i "checking $rev ($n)"
+ $DIG $DIGOPTS $rev ptr @10.53.0.2 >dig.out.ns2.test$n || ret=1
+ grep -i "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+ grep -i "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ rev=$(expr "${rev}" : "${regex}")
 done
 echo_i "checking dns64-server and dns64-contact ($n)"
 ret=0
-$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
-grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 >dig.out.ns2.test$n || ret=1
+grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1326,7 +1322,7 @@ status=$((status + ret))
 echo_i "checking TTL less than 600 from zone ($n)"
 ret=0
 #expect 500
-$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1335,7 +1331,7 @@ status=$((status + ret))
 echo_i "checking TTL more than 600 from zone ($n)"
 ret=0
 #expect 700
-$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1344,7 +1340,7 @@ status=$((status + ret))
 echo_i "checking TTL less than minimum from zone ($n)"
 ret=0
 #expect 1100
-$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1353,7 +1349,7 @@ status=$((status + ret))
 echo_i "checking TTL limited to minimum from zone ($n)"
 ret=0
 #expect 1200
-$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1362,7 +1358,7 @@ status=$((status + ret))
 echo_i "checking TTL less than 600 via cache ($n)"
 ret=0
 #expect 500
-$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1371,7 +1367,7 @@ status=$((status + ret))
 echo_i "checking TTL more than 600 via cache ($n)"
 ret=0
 #expect 700
-$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1380,7 +1376,7 @@ status=$((status + ret))
 echo_i "checking TTL less than minimum via cache ($n)"
 ret=0
 #expect 1100
-$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1389,7 +1385,7 @@ status=$((status + ret))
 echo_i "checking TTL limited to minimum via cache ($n)"
 ret=0
 #expect 1200
-$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1397,16 +1393,16 @@ status=$((status + ret)) echo_i "checking synthesis of AAAA from RPZ-remapped A ($n)" ret=0 -$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking 'dig +dns64prefix' ($n)" -$DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 1 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '^2001:bbbb::/96$' dig.out.ns1.test$n >/dev/null || ret=1 +test $(wc -l dig.out.ns1.test$n || ret=1 -grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1 -grep '2001:aaaa::/64' dig.out.ns1.test$n > /dev/null || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 2 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '^2001:bbbb::/96$' dig.out.ns1.test$n >/dev/null || ret=1 +grep '2001:aaaa::/64' dig.out.ns1.test$n >/dev/null || ret=1 +test $(wc -l dig.out.ns1.test$n || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 0 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +test $(wc -l dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ipv4only.arpa -b 10.53.0.7 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:aa' dig.out.ns2.test$n >/dev/null || ret=1 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:ab' dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) 
@@ -1444,8 +1440,8 @@ status=$((status + ret))
 echo_i "checking reverse of dns64 mapped ipv4only.arpa addresses returns ipv4only.arpa ($n)"
 ret=0
-$DIG $DIGOPTS ptr -x 2001:96::192.0.0.170 -b 10.53.0.7 @10.53.0.2 > dig.out.170.ns2.test$n || ret=1
-$DIG $DIGOPTS ptr -x 2001:96::192.0.0.171 -b 10.53.0.7 @10.53.0.2 > dig.out.171.ns2.test$n || ret=1
+$DIG $DIGOPTS ptr -x 2001:96::192.0.0.170 -b 10.53.0.7 @10.53.0.2 >dig.out.170.ns2.test$n || ret=1
+$DIG $DIGOPTS ptr -x 2001:96::192.0.0.171 -b 10.53.0.7 @10.53.0.2 >dig.out.171.ns2.test$n || ret=1
 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.170.ns2.test$n >/dev/null || ret=1
 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.171.ns2.test$n >/dev/null || ret=1
 n=$((n + 1))
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 21c6d71..32a1736 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -20,9 +20,9 @@ zone=.
 infile=root.db.in
 zonefile=root.db
-(cd ../ns2 && $SHELL sign.sh )
-(cd ../ns6 && $SHELL sign.sh )
-(cd ../ns7 && $SHELL sign.sh )
+(cd ../ns2 && $SHELL sign.sh)
+(cd ../ns6 && $SHELL sign.sh)
+(cd ../ns7 && $SHELL sign.sh)
 echo_i "ns1/sign.sh"
@@ -30,18 +30,18 @@ cp "../ns2/dsset-example." . cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-too-many-iterations." . -grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll." +grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." cp "../ns6/dsset-optout-tld." . ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a staitc key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf -keyfile_to_trusted_keys "$ksk" > trusted.keys +keyfile_to_trusted_keys "$ksk" >trusted.keys # ...or with an initializing key. -keyfile_to_initial_ds "$ksk" > managed.conf +keyfile_to_initial_ds "$ksk" >managed.conf cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyfile_to_key_id "$ksk" > managed.key.id +keyfile_to_key_id "$ksk" >managed.key.id diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 94928c1..a854a08 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "trusted" { diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 47248a4..05e8293 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh 
+++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -17,15 +17,14 @@ set -e # Sign child zones (served by ns3). -( cd ../ns3 && $SHELL sign.sh ) +(cd ../ns3 && $SHELL sign.sh) echo_i "ns2/sign.sh" # Get the DS records for the "trusted." and "managed." zones. -for subdomain in secure unsupported disabled enabled -do - cp "../ns3/dsset-$subdomain.managed." . - cp "../ns3/dsset-$subdomain.trusted." . +for subdomain in secure unsupported disabled enabled; do + cp "../ns3/dsset-$subdomain.managed." . + cp "../ns3/dsset-$subdomain.trusted." . done # Sign the "trusted." and "managed." zones. @@ -36,9 +35,9 @@ zonefile=managed.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,9 +46,9 @@ zonefile=trusted.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # The "example." zone. zone=example. 
@@ -58,23 +57,22 @@ zonefile=example.db # Get the DS records for the "example." zone. for subdomain in secure badds bogus dynamic keyless nsec3 optout \ - nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ - kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ - ttlpatch split-dnssec split-smart expired expiring upper lower \ - dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ - dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded -do - cp "../ns3/dsset-$subdomain.example." . + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ + dname-at-apex-nsec3 occluded; do + cp "../ns3/dsset-$subdomain.example." . done # Sign the "example." zone. keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" # zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 -"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | -awk ' +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { if (i <= 12) { 
@@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { next; } -{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" +{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" # # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. @@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # Sign the badparam secure file @@ -146,11 +144,11 @@ zonefile=badparam.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 -sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" +sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad" # Sign the single-nsec3 secure zone with optout 
@@ -161,9 +159,9 @@ zonefile=single-nsec3.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" +cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile" -"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new 
@@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" # zone=nsec3chain-test zonefile=nsec3chain-test.db -cat > "$zonefile" << EOF +cat >"$zonefile" <> "$zonefile" + echo "host$i 10 IN NS ns.elsewhere" + i=$((i + 1)) +done >>"$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +cat "$key1.key" "$key2.key" >>"$zonefile" +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in zonefile=cds.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in 
@@ -222,43 +220,43 @@ zonefile=cds-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key2.key" > "$key2.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$DSFROMKEY" -C "$key2.key" >"$key2.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in zonefile=cds-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cds-kskonly.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in zonefile=cds-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > 
"$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=cdnskey.secure infile=cdnskey.secure.db.in zonefile=cdnskey.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in 
@@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in zonefile=cdnskey-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in zonefile=cdnskey-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") 
-$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=updatecheck-kskonly.secure infile=template.secure.db.in @@ -301,14 +299,14 @@ zonefile=${zone}.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") # Save key id's for checking active key usage -keyfile_to_key_id "$key1" > $zone.ksk.id -keyfile_to_key_id "$key2" > $zone.zsk.id -echo "${key1}" > $zone.ksk.key -echo "${key2}" > $zone.zsk.key +keyfile_to_key_id "$key1" >$zone.ksk.id +keyfile_to_key_id "$key2" >$zone.zsk.id +echo "${key1}" >$zone.ksk.key +echo "${key2}" >$zone.zsk.key # Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile" # Don't sign, let auto-dnssec maintain do it. mv $zonefile "$zonefile.signed" @@ -317,8 +315,8 @@ infile=hours-vs-days.db.in zonefile=hours-vs-days.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" # # Negative result from this zone should come back as insecure. 
@@ -328,5 +326,5 @@ infile=too-many-iterations.db.in zonefile=too-many-iterations.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index cdc6e02..680cff5 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index ec39308..883e067 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -47,3 +47,8 @@ rrsigonly A 10.0.0.29 cnameandkey CNAME @ cnamenokey CNAME @ dnameandkey DNAME @ + +mixedcase A 10.0.0.30 +mixedCASE TXT "mixed case" +MIXEDcase AAAA 2002:: +mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f56edb2..14fc709 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh 
@@ -19,61 +19,60 @@ set -e echo_i "ns3/sign.sh" infile=key.db.in -for tld in managed trusted -do - # A secure zone to test. - zone=secure.${tld} - zonefile=${zone}.db - - keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that matches disabled algorithm. - zone=disabled.${tld} - zonefile=${zone}.db - - keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that has disabled algorithm for other domain. - zone=enabled.${tld} - zonefile=${zone}.db - - keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor with unsupported algorithm. - zone=unsupported.${tld} - zonefile=${zone}.db - - keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null - awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed - - # Make trusted-keys and managed keys conf sections for ns8. - mv ${keyname4}.key ${keyname4}.tmp - awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key - - # Zone to test trust anchor that is revoked. 
- zone=revoked.${tld} - zonefile=${zone}.db - - keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - case $tld in - "managed") - keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf - ;; - "trusted") - keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf - ;; - esac +for tld in managed trusted; do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname1.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that matches disabled algorithm. + zone=disabled.${tld} + zonefile=${zone}.db + + keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname2.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that has disabled algorithm for other domain. + zone=enabled.${tld} + zonefile=${zone}.db + + keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname3.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor with unsupported algorithm. 
+  zone=unsupported.${tld}
+  zonefile=${zone}.db
+
+  keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+  cat "$infile" "$keyname4.key" >"$zonefile"
+  "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null
+  awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed
+
+  # Make trusted-keys and managed keys conf sections for ns8.
+  mv ${keyname4}.key ${keyname4}.tmp
+  awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key
+
+  # Zone to test trust anchor that is revoked.
+  zone=revoked.${tld}
+  zonefile=${zone}.db
+
+  keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+  cat "$infile" "$keyname5.key" >"$zonefile"
+  "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null
+
+  case $tld in
+    "managed")
+      keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf
+      ;;
+    "trusted")
+      keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf
+      ;;
+  esac
 done
 
 echo_i "ns3/sign.sh: example zones"
@@ -86,9 +85,11 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
-"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
 
 zone=bogus.example.
 infile=bogus.example.db.in
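Review bot: The new secure.example signing step (`"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null` followed by `cat "$zonefile" "$zonefile".signed >"$zonefile".tmp` and the `mv`) carries no comment explaining why this one zone is now built from `-D` output prepended with the unsigned zone file, while every other zone in this script is served straight from dnssec-signzone's `.signed` file. Presumably it exists so that the `mixedcase`/`mixedCASE`/`MIXEDcase`/`mIxEdCaSe` owner names added to secure.example.db.in in this same commit reach the served zone spelled exactly as written, with only the signer-managed records (RRSIG/NSEC) coming from the `-D` run — but that intent has to be inferred, so a reader should not have to; suggest a comment above the signer line such as `# -D emits only the records the signer manages; prepend the original zone file so the mixed-case owner names are served as written in the .db.in.`. Separately, the fixed `"$zonefile".tmp` scratch name is inconsistent with the `zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1` pattern the keyless.example block below already uses, and `-O full -f ${zonefile}.tmp` elsewhere in this file shows that `.tmp` names are in active use; using the mktemp form here would avoid any accidental collision. The surrounding `set -e` means a failing `cat` or `mv` aborts the script, so no extra status check is needed.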
@@ -96,9 +97,9 @@ zonefile=bogus.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,9 +108,9 @@ zonefile=dynamic.example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -o "$zone" "$zonefile" >/dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,16 +118,16 @@ zonefile=keyless.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # Change the signer field of the a.b.keyless.example RRSIG A # to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" -<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" +"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed" rm -f "$zonefiletmp" # 
@@ -138,9 +139,9 @@ zonefile=secure.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # NSEC3/NSEC3 test zone @@ -151,9 +152,9 @@ zonefile=nsec3.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -164,9 +165,9 @@ zonefile=optout.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout). @@ -177,9 +178,9 @@ zonefile=nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC test zone @@ -190,9 +191,9 @@ zonefile=secure.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone 
@@ -203,9 +204,9 @@ zonefile=nsec3.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/OPTOUT test zone @@ -216,9 +217,9 @@ zonefile=optout.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone. @@ -229,9 +230,9 @@ zonefile=optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,9 +243,9 @@ zonefile=nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,9 +256,9 @@ zonefile=optout-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null # # A zone that is signed with an unknown DNSKEY algorithm. 
@@ -269,14 +270,14 @@ zonefile=dnskey-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone that is signed with an unsupported DNSKEY algorithm (3). @@ -288,14 +289,14 @@ zonefile=dnskey-unsupported.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone with a published unsupported DNSKEY algorithm (Reserved). 
@@ -308,9 +309,9 @@ zonefile=dnskey-unsupported-2.example.db ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" -"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -322,14 +323,14 @@ zonefile=dnskey-nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A multiple parameter nsec3 zone. 
@@ -340,20 +341,20 @@ zonefile=multiple.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
-"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
-"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
-awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
-"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
-cat NSEC NSEC3 >> "$zonefile".signed
+"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC
+"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3
+"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null
+awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3
+"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null
+cat NSEC NSEC3 >>"$zonefile".signed
 #
 # A RSASHA256 zone.
@@ -364,9 +365,9 @@ zonefile=rsasha256.example.db
 keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 #
 # A RSASHA512 zone.
@@ -377,9 +378,9 @@ zonefile=rsasha512.example.db
 keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 #
 # A zone with the DNSKEY set only signed by the KSK
@@ -390,8 +391,8 @@ zonefile=kskonly.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null
 #
 # A zone with the expired signatures
@@ -402,8 +403,8 @@ zonefile=expired.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null
 rm -f "$kskname.*" "$zskname.*"
 #
@@ -415,8 +416,8 @@ zonefile=update-nsec3.example.db
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
 #
 # A NSEC signed zone that will have auto-dnssec enabled and
@@ -430,8 +431,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 #
 # A NSEC3 signed zone that will have auto-dnssec enabled and
@@ -445,8 +446,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone"
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
 zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
 #
 # Secure below cname test zone.
@@ -455,8 +456,8 @@ zone=secure.below-cname.example.
 infile=secure.below-cname.example.db.in
 zonefile=secure.below-cname.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$keyname.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 #
 # Patched TTL test zone.
@@ -468,11 +469,11 @@ signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
-$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
- awk '{$2 = "3600"; print}' > $patchedfile
+"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null
+$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \
+ | awk '{$2 = "3600"; print}' >$patchedfile
 #
 # Separate DNSSEC records.
@@ -483,10 +484,10 @@ zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
-echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
-: > "$signedfile"
-"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$keyname.key" >"$zonefile"
+echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
+: >"$signedfile"
+"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
 #
 # Separate DNSSEC records smart signing.
@@ -499,9 +500,9 @@ signedfile=split-smart.example.db.signed
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cp "$infile" "$zonefile"
 # shellcheck disable=SC2016
-echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
-: > "$signedfile"
-"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
+echo "\$INCLUDE \"$signedfile\"" >>"$zonefile"
+: >"$signedfile"
+"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null
 #
 # Zone with signatures about to expire, but no private key to replace them
@@ -513,7 +514,7 @@ signedfile="expiring.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null
 mv -f "${zskname}.private" "${zskname}.private.moved"
 mv -f "${kskname}.private" "${kskname}.private.moved"
@@ -528,9 +529,9 @@ signedfile="upper.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
-$CHECKZONE -D upper.example $lower 2>/dev/null | \
- sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
+"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null
+$CHECKZONE -D upper.example $lower 2>/dev/null \
+ | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile
 #
 # Check that the signer's name is in lower case when zone name is in
@@ -543,7 +544,7 @@ signedfile="lower.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null
 #
 # Zone with signatures about to expire, and dynamic, but configured
@@ -556,11 +557,11 @@ signedfile="nosign.example.db.signed"
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null
 # preserve a normalized copy of the NS RRSIG for comparison later
-$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
- awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
- sed 's/[ ][ ]*/ /g'> ../nosign.before
+$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \
+ | awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \
+ | sed 's/[ ][ ]*/ /g' >../nosign.before
 #
 # An inline signing zone
@@ -581,7 +582,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b
 kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cp "$infile" "$zonefile"
-"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null
 #
 # A zone which will change its sig-validity-interval
@@ -603,10 +604,10 @@ zonefile=badds.example.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
-sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+sed -e 's/bogus/badds/g' dsset-badds.example.
 #
 # A zone with future signatures.
@@ -616,8 +617,8 @@ infile=future.example.db.in
 zonefile=future.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
 cp -f "$kskname.key" trusted-future.key
 #
@@ -628,8 +629,8 @@ infile=managed-future.example.db.in
 zonefile=managed-future.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
-"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null
 #
 # A zone with a revoked key
@@ -643,8 +644,8 @@ ksk1=$("$REVOKE" "$ksk1")
 ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
 zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
-cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 #
 # Check that NSEC3 are correctly signed and returned from below a DNAME
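Review bot: As rendered, the new line `sed -e 's/bogus/badds/g' dsset-badds.example.` in the badds.example. block has lost both the input file and the output redirection that the removed line carried, so it would print a rewritten dsset-badds.example. to stdout instead of deriving that file from dsset-bogus.example.; every other change in this hunk is pure reformatting, so this looks like a rendering artefact (an `<dsset-bogus.example. >` token dropped as if it were markup) rather than an intended edit. Please confirm the committed line reads `sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example.`. If it really is as shown, the DS set for badds.example. would never be produced here, and whatever later checks presumably consume that dsset file would not be exercising what they claim to.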
@@ -656,7 +657,7 @@ zonefile=dname-at-apex-nsec3.example.db
 kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
 cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
-"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null
 #
 # A NSEC zone with occuded data at the delegation
@@ -668,7 +669,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
 zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
 dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
 keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
-$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}."
+$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
 cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
- "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+ "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in
index 280217e..113e3bb 100644
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -50,7 +50,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "corp" {
diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in
index b01979b..56bdfe4 100644
--- a/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -38,5 +38,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in
index 3a64e9d..e160d37 100644
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -39,5 +39,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
index 5d3bf3f..d192ceb 100644
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -48,7 +48,7 @@ view rec {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone secure.example {
diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in
index ccb3de9..ef371e1 100644
--- a/bin/tests/system/dnssec/ns5/named1.conf.in
+++ b/bin/tests/system/dnssec/ns5/named1.conf.in
@@ -37,7 +37,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
index df0b208..65105d0 100644
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -25,15 +25,15 @@ zonefile=root.db.signed
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 # copy the KSK out first, then revoke it
-keyfile_to_initial_ds "$keyname" > revoked.conf
+keyfile_to_initial_ds "$keyname" >revoked.conf
-"$SETTIME" -R now "${keyname}.key" > /dev/null
+"$SETTIME" -R now "${keyname}.key" >/dev/null
 # create a current set of keys, and sign the root zone
-"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
-"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
-"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null
+"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
-keyfile_to_static_ds "$keyname" > trusted.conf
+keyfile_to_static_ds "$keyname" >trusted.conf
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
index 4bdc79c..2818b79 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.in
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
@@ -29,7 +29,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "optout-tld" {
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
index 6102e52..e3ff2d2 100644
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -24,6 +24,6 @@ zonefile=optout-tld.db
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$keyname.key" > "$zonefile"
+cat "$infile" "$keyname.key" >"$zonefile"
-"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
+"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in
index 55cbec9..b352846 100644
--- a/bin/tests/system/dnssec/ns7/named.conf.in
+++ b/bin/tests/system/dnssec/ns7/named.conf.in
@@ -29,7 +29,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "nsec3.example" {
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index 551b217..5e30050 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -25,7 +25,7 @@ zonefile=split-rrsig.db
 k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
+cat "$infile" "$k1.key" "$k2.key" >"$zonefile"
 # The awk script below achieves two goals:
 #
@@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
 # - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
 # zone apex; the test then checks whether such signatures are automatically
 # removed from the zone after it is loaded.
-"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
+"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1
 awk 'BEGIN { r = ""; }
 $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
 { print }
- END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
+ END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed"
diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in
index d0278ca..2590de1 100644
--- a/bin/tests/system/dnssec/ns8/named.conf.in
+++ b/bin/tests/system/dnssec/ns8/named.conf.in
@@ -39,7 +39,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 include "managed.conf";
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
new file mode 100644
index 0000000..32889aa
--- /dev/null
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PYTHON} -c 'import dns'; then
+ echo_i "python dns module is required"
+ exit 1
+fi
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 6aa0cd0..db0913d 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf
 copy_setports ns9/named.conf.in ns9/named.conf
 (
- cd ns1
- $SHELL sign.sh
- {
- echo "a.bogus.example. A 10.0.0.22"
- echo "b.bogus.example. A 10.0.0.23"
- echo "c.bogus.example. A 10.0.0.23"
- } >>../ns3/bogus.example.db.signed
+ cd ns1
+ $SHELL sign.sh
+ {
+ echo "a.bogus.example. A 10.0.0.22"
+ echo "b.bogus.example. A 10.0.0.23"
+ echo "c.bogus.example. A 10.0.0.23"
+ } >>../ns3/bogus.example.db.signed
 )
 (
- cd ns3
- cp -f siginterval1.conf siginterval.conf
+ cd ns3
+ cp -f siginterval1.conf siginterval.conf
 )
 (
- cd ns5
- $SHELL sign.sh
+ cd ns5
+ $SHELL sign.sh
 )
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 97bffb5..02040b9 100644
--- a/bin/tests/system/dnssec/tests.sh
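Review bot: In the new prereq.sh, the two module probes `${PYTHON} -c 'import dns'` and `${PERL} -MNet::DNS -e ''` let the interpreter's own failure output (a Python traceback, perl's "Can't locate" message) reach the log ahead of the `echo_i` line that is meant to be the diagnostic, and they rely on `${PYTHON}`/`${PERL}` having been set by `../conf.sh` without checking it. If either variable is empty, the test degrades into running `-c` or `-MNet::DNS` as the command and reports a missing module when the real problem is a missing interpreter. I would quote and assert the variables and silence the probe, e.g. `if ! "${PYTHON:?PYTHON is not set}" -c 'import dns' >/dev/null 2>&1; then`, with the same shape for the perl check. Whether conf.sh guarantees both variables is not visible from this diff.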
+++ b/bin/tests/system/dnssec/tests.sh
@@ -22,41 +22,41 @@ n=1
 rm -f dig.out.*
 dig_with_opts() {
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
 }
 dig_with_additionalopts() {
- "$DIG" +noall +additional +dnssec -p "$PORT" "$@"
+ "$DIG" +noall +additional +dnssec -p "$PORT" "$@"
 }
 dig_with_answeropts() {
- "$DIG" +noall +answer +dnssec -p "$PORT" "$@"
+ "$DIG" +noall +answer +dnssec -p "$PORT" "$@"
 }
 delv_with_opts() {
- "$DELV" -a ns1/trusted.conf -p "$PORT" "$@"
+ "$DELV" -a ns1/trusted.conf -p "$PORT" "$@"
 }
 rndccmd() {
- "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+ "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
 }
 # TODO: Move loadkeys_on to conf.sh.common
 dnssec_loadkeys_on() {
- nsidx=$1
- zone=$2
- nextpart ns${nsidx}/named.run > /dev/null
- rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i
- wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1
+ nsidx=$1
+ zone=$2
+ nextpart ns${nsidx}/named.run >/dev/null
+ rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i
+ wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1
 }
 # convert private-type records to readable form
-showprivate () {
- echo "-- $* --"
- dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' |
- while read -r record; do
- # shellcheck disable=SC2016
- $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
+showprivate() {
+ echo "-- $* --"
+ dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' \
+ | while read -r record; do
+ # shellcheck disable=SC2016
+ $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
 die "invalid record" unless length($rdata) == 5;
 my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
 my $action = "signing";
@@ -64,40 +64,40 @@ showprivate () {
 my $state = " (incomplete)";
 $state = " (complete)" if $complete;
 print ("$action: alg: $alg, key: $key$state\n");' "$record"
- done
+ done
 }
 # check that signing records are marked as complete
-checkprivate () {
- for i in 1 2 3 4 5 6 7 8 9 10; do
- showprivate "$@" | grep -q incomplete || return 0
- sleep 1
- done
- echo_d "$1 signing incomplete"
- return 1
+checkprivate() {
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ showprivate "$@" | grep -q incomplete || return 0
+ sleep 1
+ done
+ echo_d "$1 signing incomplete"
+ return 1
 }
 # check that a zone file is raw format, version 0
-israw0 () {
- # shellcheck disable=SC2016
- < "$1" $PERL -e 'binmode STDIN;
+israw0() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
 exit 1 if ($style != 2 || $version != 0);' || return $?
 }
 # check that a zone file is raw format, version 1
-israw1 () {
- # shellcheck disable=SC2016
- < "$1" $PERL -e 'binmode STDIN;
+israw1() {
+ # shellcheck disable=SC2016
+ $PERL <"$1" -e 'binmode STDIN;
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
 exit 1 if ($style != 2 || $version != 1);' || return $?
 }
 # strip NS and RRSIG NS from input
-stripns () {
- awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
+stripns() {
+ awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
 }
 #
@@ -106,8 +106,8 @@ stripns () {
 # "Negative trust anchors:".
 # Ensure there is not a blank line before "Secure roots:".
 #
-check_secroots_layout () {
- awk '$0 == "" { if (empty) exit(1); empty=1; next }
+check_secroots_layout() {
+ awk '$0 == "" { if (empty) exit(1); empty=1; next }
 /Start view/ { if (!empty) exit(1) }
 /Secure roots:/ { if (empty) exit(1) }
 /Negative trust anchors:/ { if (!empty) exit(1) }
@@ -119,781 +119,803 @@ check_secroots_layout () { # in the additional section echo_i "checking that additional glue is returned for unsigned delegation ($n)" ret=0 -$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check the example. domain echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +adflag asks for authentication (ad in response) echo_i "checking AD bit asking for validation ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +noadflag echo_i "checking that AD is not set without +adflag or +dnssec ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for AD in authoritative answer ($n)" ret=0 -dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 -grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1 -grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1 -grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - ret=0 - echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" - "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 +grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1 +grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" 
+status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + ret=0 + echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" + "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) SP="[[:space:]]+" -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation NSEC ($n)" ret=0 -dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
 digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1
-grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1
- grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
- grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1
+grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1
+ grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1
+ grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking positive wildcard answer NSEC3 ($n)"
 ret=0
-dig_with_opts a.wild.nsec3.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking positive wildcard answer NSEC3 ($n)"
 ret=0
-dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking positive wildcard validation NSEC3 ($n)"
 ret=0
-dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
-stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
+dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts a.wild.nsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
 digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
- grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
- grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1
+ grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1
+ grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking positive wildcard validation OPTOUT ($n)"
 ret=0
 dig_with_opts a.wild.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 dig_with_opts a.wild.optout.example. 
\
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
-stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n
 digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
- grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
- grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1
+ grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1
+ grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
-dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth q.example. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
+echo_i "checking RRSIG covered type in negative cache entry ($n)"
+ret=0
+rndc_dumpdb ns4
+grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 dig_with_opts +noauth q.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth q.nsec3.example. 
\
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 dig_with_opts +noauth q.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth q.optout.example. 
\
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative validation NODATA NSEC ($n)"
 ret=0
-dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative validation NODATA NSEC3 ($n)"
 ret=0
 dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth a.nsec3.example. 
\
- @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative validation NODATA OPTOUT ($n)"
 ret=0
 dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth a.optout.example. 
\
- @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative wildcard validation NSEC ($n)"
 ret=0
-dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+dig_with_opts b.wild.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative wildcard validation NSEC3 ($n)"
 ret=0
-dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
-dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
+dig_with_opts b.wild.nsec3.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking negative wildcard validation OPTOUT ($n)"
 ret=0
 dig_with_opts b.wild.optout.example. \
- @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 txt >dig.out.ns3.test$n || ret=1
 dig_with_opts b.wild.optout.example. 
\
- @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 txt >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 # Check the insecure.example domain
 echo_i "checking 1-server insecurity proof NSEC ($n)"
 ret=0
-dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1
- grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1
+ grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server insecurity proof NSEC3 ($n)"
 ret=0
-dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.nsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1
- grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1
+ grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server insecurity proof OPTOUT ($n)"
 ret=0
-dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.optout.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1
- grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1
+ grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 dig_with_opts q.insecure.example. a @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts q.insecure.example. 
a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server negative insecurity proof NSEC3 ($n)"
 ret=0
 dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts q.insecure.nsec3.example. 
a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server negative insecurity proof OPTOUT ($n)"
 ret=0
 dig_with_opts q.insecure.optout.example. a @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts q.insecure.optout.example. 
a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
- delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 fi
 echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
 ret=0
 dig_with_opts r.insecure.example. soa @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts r.insecure.example. 
soa @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
 ret=0
 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1
 # Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
 ret=0
 dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
+ >dig.out.ns3.test$n || ret=1
 dig_with_opts r.insecure.optout.example. 
soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the secure.example domain echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) + +echo_i "checking mixed-case positive validation ($n)" +ret=0 +for type in a txt aaaa loc; do + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1 + dig_with_opts +noauth mixedcase.secure.example. 
\ + @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1 + digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1 + grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1 + grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1 +done +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.nsec3.example. 
\ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.nsec3.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth empty.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the bogus domain echo_i "checking failed validation ($n)" ret=0 -dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.bogus.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking failed validation using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking failed validation using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Try validating with a bad trusted key. 
@@ -901,69 +923,69 @@ fi
echo_i "checking that validation fails with a misconfigured trusted key ($n)"
ret=0
-dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
-dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
-dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation fails when key record is missing ($n)"
ret=0
-dig_with_opts a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking that validation fails when key record is missing using dns_client ($n)"
- delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1
- grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking that validation fails when key record is missing using dns_client ($n)"
+ delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1
+ grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
fi
echo_i "checking that validation succeeds when a revoked key is encountered ($n)"
ret=0
-dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-if [ -x "${DELV}" ] ; then
- ret=0
- echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
- delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
- grep "fully validated" delv.out$n > /dev/null || ret=1
- n=$((n+1))
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+ delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1
+ grep "fully validated" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
fi
echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
-dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1
#check: requery with +CD. pending data should be returned even if it's bogus
expect="a.example. 10.0.0.1"
@@ -971,16 +993,16 @@ ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1
test "$ans" = "$expect" || ret=1
test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
#check: requery without +CD. bogus cached data should be rejected.
-dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)"
ret=0
#prime
-dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1
#check: requery with +CD. pending data should be returned even if it's bogus
expect="example. a.example. 
@@ -989,436 +1011,435 @@ ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret
test "$ans" = "$expect" || ret=1
test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
#check: requery without +CD. bogus cached data should be rejected.
-dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Check the insecure.secure.example domain (insecurity proof)
echo_i "checking 2-server insecurity proof ($n)"
ret=0
dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Check a negative response in insecure.secure.example
echo_i "checking 2-server insecurity proof with a negative answer ($n)"
ret=0
-dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
- || ret=1
-dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
- || ret=1
+dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \
+ || ret=1
+dig_with_opts q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \
+ || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
-dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
- || ret=1
-dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
- || ret=1
+dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \
+ || ret=1
+dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \
+ || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Check that the query for a security root is successful and has ad set
echo_i "checking security root query ($n)"
ret=0
-dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts . @10.53.0.4 key >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Check that the setting the cd bit works
echo_i "checking cd bit on a positive answer ($n)"
ret=0
dig_with_opts +noauth example. soa @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \
- > dig.out.ns5.test$n || ret=1
+ >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking cd bit on a negative answer ($n)"
ret=0
-dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking insecurity proof works using negative cache ($n)"
ret=0
rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
-do
- dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1
- if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then
- break
- fi
- sleep 1
+dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+ dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1
+ if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then
+ break
+ fi
+ sleep 1
done
grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
-dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking positive validation RSASHA512 NSEC ($n)"
ret=0
-dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
-dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking cd bit on a query that should fail ($n)"
ret=0
dig_with_opts a.bogus.example. soa @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
- > dig.out.ns5.test$n || ret=1
+ >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking cd bit on an insecurity proof ($n)"
ret=0
dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
- > dig.out.ns5.test$n || ret=1
+ >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking cd bit on a negative insecurity proof ($n)"
ret=0
dig_with_opts q.insecure.example. a @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
- > dig.out.ns5.test$n || ret=1
+ >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation of an ANY query works ($n)"
ret=0
-dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.example. any @10.53.0.4 >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# 2 records in the zone, 1 NXT, 3 SIGs
-grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation of a query returning a CNAME works ($n)"
ret=0
dig_with_opts +noauth cname1.example. txt @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth cname1.example. txt @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# the CNAME & its sig, the TXT and its SIG
-grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation of a query returning a DNAME works ($n)"
ret=0
dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
# It would be nice to test that the CNAME is being synthesized by the
# recursive server and not cached, but I don't know how.
-grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation of an ANY query returning a CNAME works ($n)"
ret=0
dig_with_opts +noauth cname2.example. any @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth cname2.example. any @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# The CNAME, NXT, and their SIGs
-grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that validation of an ANY query returning a DNAME works ($n)"
ret=0
dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
+ >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that lookups succeed after disabling an algorithm ($n)"
ret=0
dig_with_opts +noauth example. SOA @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
+ >dig.out.ns2.test$n || ret=1
dig_with_opts +noauth example. SOA @10.53.0.6 \
- > dig.out.ns6.test$n || ret=1
+ >dig.out.ns6.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking a non-cachable NODATA works ($n)"
ret=0
dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
- > dig.out.ns7.test$n || ret=1
-grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+ >dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1
dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking a non-cachable NXDOMAIN works ($n)"
ret=0
dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \
- > dig.out.ns7.test$n || ret=1
-grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+ >dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1
dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \
- > dig.out.ns4.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that we can load a rfc2535 signed zone ($n)"
ret=0
dig_with_opts rfc2535.example. SOA @10.53.0.2 \
- > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "checking that we can transfer a rfc2535 signed zone ($n)"
ret=0
dig_with_opts rfc2535.example. SOA @10.53.0.3 \
- > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "basic dnssec-signzone checks:"
echo_ic "two DNSKEYs ($n)"
ret=0
(
-cd signer/general || exit 1
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n
+ test -f signed.zone
) || ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "one non-KSK DNSKEY ($n)"
ret=0
(
-cd signer/general || exit 0
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n
+ test -f signed.zone
) && ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "one KSK DNSKEY ($n)"
ret=0
(
-cd signer/general || exit 0
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n
+ test -f signed.zone
) && ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "three DNSKEY ($n)"
ret=0
(
-cd signer/general || exit 1
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n
+ test -f signed.zone
) || ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "three DNSKEY, one private key missing ($n)"
ret=0
(
-cd signer/general || exit 1
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n
+ test -f signed.zone
) || ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "four DNSKEY ($n)"
ret=0
(
-cd signer/general || exit 1
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 1
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n
+ test -f signed.zone
) || ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "two DNSKEY, both private keys missing ($n)"
ret=0
(
-cd signer/general || exit 0
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n
+ test -f signed.zone
) && ret=1
-n=$((n+1))
+n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_ic "two DNSKEY, one private key missing ($n)"
ret=0
(
-cd signer/general || exit 0
-rm -f signed.zone
-$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n
-test -f signed.zone
+ cd signer/general || exit 0
+ rm -f signed.zone
+ $SIGNER -f signed.zone -o example.com. 
test8.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) get_default_algorithm_key_ids_from_sigs() { - zone=$1 + zone=$1 - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' NF < 8 { next } $(NF-5) != "RRSIG" { next } $(NF-3) != alg { next } 
@@ -1441,64 +1462,64 @@ zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
 zskid1=$(keyfile_to_key_id "$zsk1")
 zskid2=$(keyfile_to_key_id "$zsk2")
 (
-cd signer || exit 1
-# Set times such that the current set of keys are introduced 60 days ago and
-# start signing now. The successor key is prepublished now and will be active
-# next day.
-$SETTIME -P now-60d -A now $ksk > /dev/null
-$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null
-$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null
-$SETTIME -P now -A now+1d $zsk2.key > /dev/null
-# Sign the zone with initial keys and prepublish successor. The zone signatures
-# are valid for 30 days and the DNSKEY signature is valid for 60 days.
-cp -f $zone.db.in $zone.db
-$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
-echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db
+ cd signer || exit 1
+ # Set times such that the current set of keys are introduced 60 days ago and
+ # start signing now. The successor key is prepublished now and will be active
+ # next day.
+ $SETTIME -P now-60d -A now $ksk >/dev/null
+ $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null
+ $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null
+ $SETTIME -P now -A now+1d $zsk2.key >/dev/null
+ # Sign the zone with initial keys and prepublish successor. The zone signatures
+ # are valid for 30 days and the DNSKEY signature is valid for 60 days.
+ cp -f $zone.db.in $zone.db
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
+ echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db
 )
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
-n=$((n+1))
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
 ret=0
 zone=prepub
 (
-cd signer || exit 1
-# Roll the ZSK. The predecessor is inactive from now on and the successor is
-# activated. The zone signatures are valid for 30 days and the DNSKEY
-# signature is valid for 60 days. Because of the predecessor/successor
-# relationship, the signatures of the predecessor are retained and no new
-# signatures with the successor should be generated.
-$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null
-$SETTIME -A now $zsk2 > /dev/null
-$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
+ cd signer || exit 1
+ # Roll the ZSK. The predecessor is inactive from now on and the successor is
+ # activated. The zone signatures are valid for 30 days and the DNSKEY
+ # signature is valid for 60 days. Because of the predecessor/successor
+ # relationship, the signatures of the predecessor are retained and no new
+ # signatures with the successor should be generated.
+ $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null
+ $SETTIME -A now $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null
 )
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
-n=$((n+1))
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
 ret=0
 zone=prepub
 (
-cd signer || exit 1
-# After some time the signatures should be replaced. When signing, set the
-# interval to 30 days plus one second, meaning all predecessor signatures
-# are within the refresh interval and should be replaced with successor
-# signatures.
-$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null
-$SETTIME -A now-20d $zsk2 > /dev/null
-$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null
+ cd signer || exit 1
+ # After some time the signatures should be replaced. When signing, set the
+ # interval to 30 days plus one second, meaning all predecessor signatures
+ # are within the refresh interval and should be replaced with successor
+ # signatures.
+ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null
+ $SETTIME -A now-20d $zsk2 >/dev/null
+ $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null
 )
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1
-get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1
-n=$((n+1))
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
 ret=0
@@ -1506,40 +1527,40 @@ zone=example
 # If dnssec-keygen fails, the test script will exit immediately. Prevent that
 # from happening, and also trigger a test failure if dnssec-keygen unexpectedly
 # succeeds, by using "&& ret=1".
-$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
+$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1
 grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
 ret=0
 zone=example
 # Fake an unsupported algorithm key
 unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
 mv ${unsupportedkey}.tmp ${unsupportedkey}.key
 # If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
 # that from happening, and also trigger a test failure if dnssec-dsfromkey
 # unexpectedly succeeds, by using "&& ret=1".
-$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
 ret=0
 ret=0
-cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
+cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db
 # If dnssec-signzone fails, the test script will exit immediately. Prevent that
 # from happening, and also trigger a test failure if dnssec-signzone
 # unexpectedly succeeds, by using "&& ret=1".
-$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1
 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
@@ -1547,13 +1568,13 @@ zone=example
 key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
 key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
 (
-cd signer || exit 1
-cat example.db.in "$key1.key" "$key2.key" > example.db
-$SIGNER -o example -f example.db example.db > /dev/null
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -o example -f example.db example.db >/dev/null
 ) || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
 ret=0
@@ -1561,10 +1582,10 @@ zone=example
 key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
 key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
 (
-cd signer || exit 1
-cat example.db.in "$key1.key" "$key2.key" > example.db
-$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null
-awk '/^IQF9LQTLK/ {
+ cd signer || exit 1
+ cat example.db.in "$key1.key" "$key2.key" >example.db
+ $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null
+ awk '/^IQF9LQTLK/ {
 printf("%s", $0);
 while (!index($0, ")")) {
 if (getline <= 0)
@@ -1572,13 +1593,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 @@ -1586,11 +1607,11 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example3.db -echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) 
@@ -1598,13 +1619,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" ret=0 @@ -1612,16 +1633,16 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null -sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null ) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1 -n=$((n+1)) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 
@@ -1632,160 +1653,160 @@ keyid2=$(keyfile_to_key_id "$key2") key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid3=$(keyfile_to_key_id "$key3") ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null - -# now switch out key2 for key3 and resign the zone -cat example.db.in "$key1.key" "$key3.key" > example.db -echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) 
echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" ret=0 zone=example ( -cd signer || exit 1 -cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null -echo "\$INCLUDE \"example.db.signed\"" >> example.db -# now retire key2 and resign the zone -$SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -SDQ -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 -$SIGNER -Sxt -o 
example -f example.db.signed example.db.signed > signer.out.2 + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1+retain1)) ] || ret=1 +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 [ "$gen2" -eq 0 ] || ret=1 [ "$drop2" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" ret=0 ( -cd signer || exit 1 -# remove NSEC-only keys -rm -f Kexample.+005* -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" ret=0 ( -cd signer || exit 1 -rm -f example2.db.signed -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone output format ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null -$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null -$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null ) || ret=1 awk 'BEGIN { found = 0; } $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } 
@@ -1796,46 +1817,46 @@ awk 'BEGIN { found = 0; }
 israw1 signer/signer.out.5 || ret=1
 israw0 signer/signer.out.6 || ret=1
 israw1 signer/signer.out.7 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
 ret=0
 (
-cd signer || exit 1
-$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null
+ cd signer || exit 1
+ $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null
 ) || ret=1
 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking dnssec-signzone -N date ($n)"
 ret=0
 (
-cd signer || exit 1
-TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null
+ cd signer || exit 1
+ TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null
 ) || ret=1
 # shellcheck disable=SC2016
 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
 serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
 [ "$now" -eq "$serial" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking validated data are not cached longer than originalttl ($n)"
 ret=0
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
-grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
-grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
-grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +ttl +noauth a.ttlpatch.example.
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1 +grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test that "rndc secroots" is able to dump trusted keys echo_i "checking rndc secroots ($n)" @@ -1846,27 +1867,27 @@ cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 -linecount=$(< named.secroots.test$n wc -l) +linecount=$(wc /dev/null || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a >/dev/null || ret=1 ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1 +expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A') || ret=1 test "$ans" = "$expect" || ret=1 # also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. 
@@ -1875,70 +1896,70 @@ ret=0 ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 test -z "$ans" || ret=1 # also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT21868 regression test. # echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT22007 regression test. # echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec delegation.single-nsec3. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" ret=0 -dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" ret=0 -dig_with_opts ns algroll. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validate-except in an insecure local domain ($n)" ret=0 -dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts ns www.corp @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 
@@ -1946,16 +1967,16 @@ ret=0 # # check correct initial behavior # -dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -1965,48 +1986,48 @@ rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i # reconfig should maintain NTAs rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +lines=$(wc -l &1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i # reload should maintain NTAs rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=$(wc -l < rndc.out.ns4.test$n.2) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 +lines=$(wc -l dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 +dig_with_opts a.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 +dig_with_opts a.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 echo_i "dumping secroots" rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 +grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "waiting for NTA rechecks/expirations" 
@@ -2020,18 +2041,18 @@ echo_i "waiting for NTA rechecks/expirations" # # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 +dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 +dig_with_opts b.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -2042,22 +2063,22 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check nta table -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) [ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 +dig_with_opts c.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -2066,87 +2087,87 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 +dig_with_opts d.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 +dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 # check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) [ "$lines" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "testing NTA removals ($n)" rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 -grep "^a.badds.example." 
dig.out.ns4.test$n.1 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 +grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 +grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 +dig_with_opts a.badds.example. 
a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 +rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 +grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA with bogus lifetimes ($n)" echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 
|| true +grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check NTA persistence across restarts # -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) [ "$lines" -eq 0 ] || ret=1 rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) [ "$lines" -eq 2 ] || ret=1 # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "killing ns4 with SIGTERM" @@ -2162,12 +2183,12 @@ echo_i "waiting till 14s have passed since NTAs were added before restarting ns4 $PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" 
@@ -2179,37 +2200,37 @@ sleep 4 # startup (as it had already expired), the fact that it's ignored should # be logged. # -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=$(wc -l < rndc.out.ns4.test$n.3) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +lines=$(wc -l /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 +grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 +rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "regular" attribute in NTA file works as expected at named # startup. 
# -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" @@ -2222,18 +2243,18 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the regular attribute and some future timestamp. # -future="$(($(date +%Y)+20))0101010000" -echo "secure.example. regular $future" > ns4/_default.nta +future="$(($(date +%Y) + 20))0101010000" +echo "secure.example. regular $future" >ns4/_default.nta # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, so at t=12 the NTAs for 
@@ -2244,30 +2265,30 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=1 answer (still validates) as # the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "forced" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" 
@@ -2280,16 +2301,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the forced attribute and some future timestamp. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, but even at t=12 the NTAs for @@ -2300,21 +2321,21 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=0 answer (non-authenticated) # as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check that NTA lifetime read from file is clamped to 1 week. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" 
@@ -2328,16 +2349,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with a lifetime well into the future. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta added=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" 
@@ -2345,101 +2366,102 @@ sleep 4 # dump the NTA to a file (omit validate-except entries) echo_i "testing 'rndc nta -d' with NTA" -rndccmd 10.53.0.4 nta -d | grep -v ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep -v ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # removed by the grep -v above. only "secure.example" should appear in # the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1) +grep 'secure.example' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +ts=$(awk '{print $3" "$4}' rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 -echo "added=$added" >> rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null -then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >> rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 +echo "ts=$ts" >rndc.out.ns4.test$n.2 +echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 +echo "added=$added" >>rndc.out.ns4.test$n.2 +if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then + # ntadiff.pl computes $ts_with_zone - ($added + 1week) + d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") + echo "d=$d" >>rndc.out.ns4.test$n.2 + # diff from $added(now) + 1week to the clamped NTA lifetime should be + # less than a few seconds (handle daylight saving changes by adding 3600). 
+ [ "$d" -lt 3610 ] || ret=1 else - echo_i "skipped ntadiff test; install PERL module Time::Piece" + echo_i "skipped ntadiff test; install PERL module Time::Piece" fi echo_i "testing 'rndc nta' lifetime clamping" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # the only entry in the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l /dev/null || ret=1 +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing 'rndc nta -d' displays validate-except entries" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l /dev/null || ret=1 -n=$((n+1)) +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" ret=0 # Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1 +dig_with_opts @10.53.0.9 badds.example. 
SOA >dig.out.ns9.test$n.1 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 # Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 +grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 # Remove the NTA, expecting that to cause resolution to fail again. -rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "completed NTA tests" # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. 
-if $PERL -e 'use Net::DNS;' 2>/dev/null -then - echo_i "running DNSSEC update test" - ret=0 - { output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.); rc=$?; } || true - test "$rc" -eq 0 || ret=1 - echo "$output" | cat_i - [ $ret -eq 1 ] && status=1 +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + echo_i "running DNSSEC update test" + ret=0 + { + output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) + rc=$? + } || true + test "$rc" -eq 0 || ret=1 + echo "$output" | cat_i + [ $ret -eq 1 ] && status=1 else - echo_i "The DNSSEC update test requires the Net::DNS library." >&2 + echo_i "The DNSSEC update test requires the Net::DNS library." >&2 fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking managed key maintenance has not started yet ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. 
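Review bot: In the Net::DNS branch, `echo "$output" | cat_i` passes arbitrary program output to `echo`, which mishandles a leading `-n`/`-e` and backslash sequences in some shells; `printf '%s\n' "$output" | cat_i` is the portable form. In the same branch `[ $ret -eq 1 ] && status=1` leaves `$ret` unquoted and assigns `status` outright, while every other test block in this hunk accumulates with `status=$((status + ret))`; using the same form here keeps the script's failure accounting uniform. The surrounding `{ … } || true` block is fine as written, since the assignment's status is that of the command substitution and `rc=$?` captures it before `|| true` discards it. These are style points on the new side that the reformat itself does not change.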
@@ -2454,133 +2476,133 @@ sleep 5
 echo_i "checking managed key maintenance timer has now started ($n)"
 ret=0
 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking positive validation NSEC ($n)"
 ret=0
-dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking positive validation NSEC3 ($n)"
 ret=0
 dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth a.nsec3.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking positive validation OPTOUT ($n)"
 ret=0
 dig_with_opts +noauth a.optout.example. \
- @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth a.optout.example. \
- @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking negative validation ($n)"
 ret=0
-dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that root DS queries validate ($n)"
 ret=0
-dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
-dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1
+dig_with_opts +noauth . @10.53.0.4 ds >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
 ret=0
 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
-grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
 ret=0
-dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
-grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
+grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking expired signatures do not validate ($n)"
 ret=0
-dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
-grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
 ret=0
 (
-cd ns3 || exit 1
-kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
-(
-echo zone update-nsec3.example
-echo server 10.53.0.3 "$PORT"
-grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/'
-echo send
-) | $NSUPDATE
+ cd ns3 || exit 1
+ kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
+ (
+ echo zone update-nsec3.example
+ echo server 10.53.0.3 "$PORT"
+ grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/'
+ echo send
+ ) | $NSUPDATE
 )
-dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
 ret=0
-dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
 ret=0
-dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that signing records have been marked as complete ($n)"
 ret=0
@@ -2589,177 +2611,177 @@ checkprivate update-nsec3.example 10.53.0.3 || ret=1
 checkprivate auto-nsec3.example 10.53.0.3 || ret=1
 checkprivate expiring.example 10.53.0.3 || ret=1
 checkprivate auto-nsec.example 10.53.0.3 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing' without arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -list' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -clear all' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param none >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- if [ "$salt" = "FFFF" ]; then
- break;
- fi
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "FFFF" ]; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" = "FFFF" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- if [ "$salt" = "-" ]; then
- break;
- fi
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "-" ]; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" = "-" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- [ -n "$salt" ] && [ "$salt" != "-" ] && break
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ "$salt" != "-" ] && [ "${#salt}" -eq 16 ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" != "-" ] || ret=1
 [ "${#salt}" -eq 16 ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
 ret=0
 oldsalt=$salt
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ "$salt" != "$oldsalt" ] && [ "${#salt}" -eq 16 ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" != "$oldsalt" ] || ret=1
 [ "${#salt}" -eq 16 ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check rndc signing -list output ($n)"
 ret=0
-{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1
+{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out; } 2>&1
 grep -q "No signing records found" signing.out || {
- ret=1
- sed 's/^/ns3 /' signing.out | cat_i
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
 }
-{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+{ rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1
 grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || {
- ret=1
- sed 's/^/ns3 /' signing.out | cat_i
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
 }
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "clear signing records ($n)"
-{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1
+{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example >/dev/null; } 2>&1 || ret=1
 check_no_signing_record_found() {
- { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+ { rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1
 grep -q "No signing records found" signing.out || {
 sed 's/^/ns3 /' signing.out | cat_i
 return 1
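Review bot: `ret` is not reset before the `clear signing records ($n)` check at the end of this hunk, so the `|| ret=1` on the `signing -clear all` line (and the `retry_quiet` check that follows in the next hunk) inherits whatever the preceding `signing -list output` check left in `ret`, and one failure there is then added to `status` twice; add `ret=0` directly after `echo_i "clear signing records ($n)"`, as every other check in this hunk does. The reworked wait loops for the `auto` salt now also break only on `[ "${#salt}" -eq 16 ]`, but nothing says where 16 comes from; a comment above the first such loop, `# an "auto" salt is 8 random bytes, i.e. 16 hex characters`, would spare the next reader a trip to the rndc documentation. `check_no_signing_record_found` continues outside the hunk.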
@@ -2767,110 +2789,105 @@ check_no_signing_record_found() {
 return 0
 }
 retry_quiet 5 check_no_signing_record_found || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that a insecure zone beneath a cname resolves ($n)"
 ret=0
-dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that a secure zone beneath a cname resolves ($n)"
 ret=0
-dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 my_dig() {
- "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
+ "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
 }
 echo_i "checking DNSKEY query with no data still gets put in cache ($n)"
 ret=0
-firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
 sleep 1
-secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
-if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]
-then
- sleep 1
- thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }')
- if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]
- then
- echo_i "cannot confirm query answer still in cache"
- ret=1
- fi
+secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
+if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then
+ sleep 1
+ thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
+ if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then
+ echo_i "cannot confirm query answer still in cache"
+ ret=1
+ fi
 fi
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that a split dnssec dnssec-signzone work ($n)"
 ret=0
-dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that a smart split dnssec dnssec-signzone work ($n)"
 ret=0
-dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
 ret=0
 (
-echo zone nsec3chain-test
-echo server 10.53.0.2 "$PORT"
-echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
-echo send
+ echo zone nsec3chain-test
+ echo server 10.53.0.2 "$PORT"
+ echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
+ echo send
 ) | $NSUPDATE
-for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
-do
- dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
- if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
- then
- break;
- fi
- echo_i "sleeping ...."
- sleep 3
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+ dig_with_opts nsec3param nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1
+ if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 3
 done
-grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null || ret=1
 if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi
-dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1
 s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n)
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
- s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
- test "$s2" = "$s3" && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 >dig.out.ns3.test$n || ret=1
+ s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
+ test "$s2" = "$s3" && break
+ sleep 1
 done
 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
-dig_with_opts dnskey algroll. @10.53.0.2 | \
- $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+dig_with_opts dnskey algroll. @10.53.0.2 \
+ | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1
 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
 [ "${NF}" = 7 ] || ret=1
 # make canonical
@@ -2878,16 +2895,16 @@ awk '{
 for (i=1;i<7;i++) printf("%s ", $i);
 for (i=7;i<=NF;i++) printf("%s", $i);
 printf("\n");
-}' < dig.out.ns2.test$n > canonical1.$n || ret=1
+}' canonical1.$n || ret=1
 awk '{
 for (i=1;i<7;i++) printf("%s ", $i);
 for (i=7;i<=NF;i++) printf("%s", $i);
 printf("\n");
-}' < ns1/dsset-algroll. > canonical2.$n || ret=1
-diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
-n=$((n+1))
+}' canonical2.$n || ret=1
+diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 # Intentionally strip ".key" from keyfile name to ensure the error message
 # includes it anyway to avoid confusion (RT #21731)
@@ -2895,157 +2912,157 @@ echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
 ret=0
 key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1
 mv "$key.key" "$key"
-$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1
-grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
-n=$((n+1))
+$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1
+grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check dnssec-dsfromkey with revoked key ($n)"
 ret=0
-dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
-grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
-grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK
 test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
-$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
-test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
-n=$((n+1))
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. >dsfromkey.out.test$n || ret=1
+test $(wc -l dig.out.ns3.test$n 2>&1
+dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >dig.out.ns3.test$n 2>&1
 # there must be a signature here
 [ -s dig.out.ns3.test$n ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing new records are signed with 'no-resign' ($n)"
 ret=0
 (
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add new.nosign.example 300 in txt "hi there"
-echo send
+ echo zone nosign.example
+ echo server 10.53.0.3 "$PORT"
+ echo update add new.nosign.example 300 in txt "hi there"
+ echo send
 ) | $NSUPDATE
 sleep 1
 dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
-grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
-n=$((n+1))
+ >dig.out.ns3.test$n 2>&1
+grep RRSIG dig.out.ns3.test$n >/dev/null 2>&1 || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
 ret=0
-dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
- grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
+dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 \
+ | grep RRSIG | sed 's/[ ][ ]*/ /g' >dig.out.ns3.test$n 2>&1
 # the NS RRSIG should not be changed
-diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
-n=$((n+1))
+diff nosign.before dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing updates fail with no private key ($n)"
 ret=0
 rm -f ns3/Knosign.example.*.private
 (
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add fail.nosign.example 300 in txt "reject me"
-echo send
-) | $NSUPDATE > /dev/null 2>&1 && ret=1
+ echo zone nosign.example
+ echo server 10.53.0.3 "$PORT"
+ echo update add fail.nosign.example 300 in txt "reject me"
+ echo send
+) | $NSUPDATE >/dev/null 2>&1 && ret=1
 dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
- > dig.out.ns3.test$n 2>&1
+ >dig.out.ns3.test$n 2>&1
 [ -s dig.out.ns3.test$n ] && ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
- > dig.out.ns4.test$n 2>&1 || ret=1
-grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
-grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns4.test$n 2>&1 || ret=1
+grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing that we lower case signer name ($n)"
 ret=0
 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \
- > dig.out.ns4.test$n 2>&1 || ret=1
-grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
-grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+ >dig.out.ns4.test$n 2>&1 || ret=1
+grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing TTL is capped at RRSIG expiry time ($n)"
 ret=0
 rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i
 (
-cd ns3 || exit 1
-for file in K*.moved; do
- mv "$file" "$(basename "$file" .moved)"
-done
-$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null
+ cd ns3 || exit 1
+ for file in K*.moved; do
+ mv "$file" "$(basename "$file" .moved)"
+ done
+ $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null
 ) || ret=1
 rndc_reload ns3 10.53.0.3 expiring.example
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-0}; do
- [ "${ttl}" -eq 300 ] || ret=1
+ [ "${ttl}" -eq 300 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "${ttl}" -le 60 ] || ret=1
+ [ "${ttl}" -le 60 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
 sleep 1
-dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_additionalopts +cd expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-300}; do
- [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 60 ] || ret=1
+ [ "$ttl" -le 60 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
 sleep 1
-dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-300}; do
- [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 60 ] || ret=1
+ [ "$ttl" -le 60 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 copy_setports ns4/named3.conf.in ns4/named.conf
 rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
@@ -3054,205 +3071,202 @@ sleep 3 echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" ret=0 -dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expired.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n 
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via CNAME ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (present) ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. 
\ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (not present) ($n)" ret=0 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via DNAME ($n)" ret=0 dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts a.dnameandkey.secure.example. 
\ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup via DNAME ($n)" ret=0 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that named doesn't loop when all private keys are not available ($n)" ret=0 lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true) test "${lines:-1000}" -lt 15 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check against against missing nearest provable proof ($n)" dig_with_opts +norec b.c.d.optout-tld. 
\ - @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1 + @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true) [ "$nsec3" -eq 2 ] || ret=1 dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 A > dig.out.ns6.test$n || ret=1 + @10.53.0.6 A >dig.out.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true) [ "$nsec3" -eq 1 ] || ret=1 dig_with_opts optout-tld. \ - @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1 + @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1 dig_with_opts b.c.d.optout-tld. \ - @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that key id are logged when dumping the cache ($n)" ret=0 rndc_dumpdb ns4 -grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" # force the managed-keys zone to be written out rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - if test -f ns4/managed-keys.bind - then - grep KEYDATA ns4/managed-keys.bind > /dev/null && - grep "next refresh:" ns4/managed-keys.bind > /dev/null && - break - fi - ret=1 - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + if test -f ns4/managed-keys.bind; then + 
grep KEYDATA ns4/managed-keys.bind >/dev/null \ + && grep "next refresh:" ns4/managed-keys.bind >/dev/null \ + && break + fi + ret=1 + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dig's +nocrypto flag ($n)" ret=0 dig_with_opts +norec +nocrypto DNSKEY . \ - @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 -grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1 +grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 +grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 dig_with_opts +norec +nocrypto DS example \ - @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1 -n=$((n+1)) + @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1 +grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" ret=0 cnt=0 -while : -do -dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) -test "$keys" -gt 2 && break -cnt=$((cnt+1)) -test "$cnt" -gt 120 && break -sleep 1 +while :; do + dig_with_opts publish-inactive.example @10.53.0.3 dnskey >dig.out.ns3.test$n + keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) + test "$keys" -gt 2 && break + cnt=$((cnt + 1)) + test "$cnt" -gt 120 && break + sleep 1 done test "$keys" -gt 2 || ret=1 sigs=$(grep -c RRSIG dig.out.ns3.test$n || true) -n=$((n+1)) +n=$((n + 1)) test "$sigs" -eq 2 || ret=1 -if test 
"$ret" -ne 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test "$ret" -ne 0; then echo_i "failed"; fi +status=$((status + ret)) echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" ret=0 
@@ -3261,41 +3275,44 @@ cp ns3/siginterval2.conf ns3/siginterval.conf rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i i=10 while [ "$i" -ge 0 ]; do -after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) -test "$before" != "$after" && break -sleep 1 -i=$((i-1)) + after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) + test "$before" != "$after" && break + sleep 1 + i=$((i - 1)) done -n=$((n+1)) -if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +n=$((n + 1)) +if test "$before" = "$after"; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" - ret=0 - rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i - # convert expiry date to a comma-separated list of integers python can - # use as input to date(). strip leading 0s in months and days so - # python3 will recognize them as integers. - $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n || ret=1 - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n || ret=1 - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $PYTHON > python.out.$n <&1 | sed 's/^/ns3 /' | cat_i + # convert expiry date to a comma-separated list of integers python can + # use as input to date(). strip leading 0s in months and days so + # python3 will recognize them as integers. 
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n || ret=1 + soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n || ret=1 + dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $PYTHON >python.out.$n < dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 + @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.1.test$n >/dev/null && ret=1 dig_with_opts ns secure.example \ - @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the acceptance of seconds as inception and expiration times ($n)" ret=0 @@ -3322,14 +3339,14 @@ exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPO out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//') [ "$out" = "$exp" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 rndccmd 10.53.0.3 \ - zonestatus secure.example > rndc.out.ns3.test$n + zonestatus secure.example >rndc.out.ns3.test$n # next resign node: secure.example/DNSKEY qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') 
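Review bot: In the re-signing wait loop, `after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)` turns a failed or empty AXFR into an empty `after`, which differs from `before`, breaks the loop, and lets the final `if test "$before" = "$after"` pass without any re-signing having been observed. Guarding on a non-empty result, `test -n "$after" && test "$before" != "$after" && break`, and failing on an empty one, `if test -z "$after" || test "$before" = "$after"; then`, keeps a transient transfer failure from passing the test. `before` is assigned outside the hunk.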
@@ -3339,194 +3356,194 @@ time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') -dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n +dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that split rrsigs are handled ($n)" ret=0 -dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)" ret=0 -dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1 grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" ret=0 alg=1 -until test $alg -eq 256 -do - zone="keygen-$alg." 
- case $alg in - 2) # Diffie Helman - alg=$((alg+1)) - continue;; - 157|160|161|162|163|164|165) # private - non standard - alg=$((alg+1)) - continue;; - 1|5|7|8|10) # RSA algorithms - key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - 15|16) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - *) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - esac - if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null - then - alg=$((alg+1)) - continue - fi - if test -z "$key1" - then - echo_i "'$KEYGEN -a $alg': failed" - cat "keygen-$alg.err" - ret=1 - alg=$((alg+1)) - continue - fi - $SETTIME -I now+4d "$key1.private" > /dev/null - key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null) - test -f "$key2.key" -a -f "$key2.private" || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=$((alg+1)) +until test $alg -eq 256; do + zone="keygen-$alg." + case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + *) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" 
-status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test 
"$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a CDS deletion record is accepted ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo update add cds-update.secure 0 CDS 0 0 0 00 -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo update add cds-update.secure 0 CDS 0 0 0 00 + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure 
CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || 
echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo update add cds-kskonly.secure 0 CDS 0 0 0 00 + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) 
@@ -3535,125 +3552,125 @@ lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 
258/' | -$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ + | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are 
signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +dig_with_opts +noall 
+answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A 
>dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: test case for GL #1689. # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) 
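Review bot: The `dig_with_opts ... >dig.out.*.test$n` invocations in this hunk drop dig's exit status, unlike the `|| ret=1` form used for the CNAME/DNAME lookups earlier in the file, so a timed-out or failed query leaves an empty output file and is only reported indirectly by the count or grep that follows, with the wrong cause. Appending `|| ret=1` to each, e.g. `dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n || ret=1`, attributes the failure to the query itself.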
@@ -3665,86 +3682,86 @@ status=$((status+ret))
 echo_i "check that a CDNSKEY deletion record is accepted ($n)"
 ret=0
 (
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA==
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+ echo zone cdnskey-update.secure
+ echo server 10.53.0.2 "$PORT"
+ echo update delete cdnskey-update.secure CDNSKEY
+ echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA==
+ echo send
+) | $NSUPDATE >nsupdate.out.test$n 2>&1
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
 ret=0
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
-dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
 ret=0
 (
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
-echo send
+ echo zone cdnskey-update.secure
+ echo server 10.53.0.2 "$PORT"
+ echo update delete cdnskey-update.secure CDNSKEY
+ dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \
+ | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+ echo send
 ) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 2 || ret=1
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that CDNSKEY records are signed only using KSK when added by"
 echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
 ret=0
 keyid=$(cat ns2/cdnskey-kskonly.secure.id)
 (
-echo zone cdnskey-kskonly.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-kskonly.secure CDNSKEY
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
-echo send
+ echo zone cdnskey-kskonly.secure
+ echo server 10.53.0.2 "$PORT"
+ echo update delete cdnskey-kskonly.secure CDNSKEY
+ dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure \
+ | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+ echo send
 ) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
 echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
 ret=0
 keyid=$(cat ns2/cdnskey-kskonly.secure.id)
 (
-echo zone cdnskey-kskonly.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-kskonly.secure CDNSKEY
-echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
-echo send
+ echo zone cdnskey-kskonly.secure
+ echo server 10.53.0.2 "$PORT"
+ echo update delete cdnskey-kskonly.secure CDNSKEY
+ echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
+ echo send
 ) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
@@ -3753,184 +3770,188 @@ lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l)
 test "${lines:-10}" -eq 1 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking initialization with a revoked managed key ($n)"
 ret=0
 copy_setports ns5/named2.conf.in ns5/named.conf
 rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
 sleep 3
-dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n
-grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n
+grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
 ret=0
 (
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
-echo send
+ echo zone cdnskey-update.secure
+ echo server 10.53.0.2 "$PORT"
+ echo update delete cdnskey-update.secure CDNSKEY
+ dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \
+ | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+ dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \
+ | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
+ echo send
 ) | $NSUPDATE
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 2 || ret=1
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 2 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
 ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
-cd signer || exit 1
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null
-$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null
-echo > remove.db.signed
-$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+ cd signer || exit 1
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null
+ $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null
+ echo >remove.db.signed
+ $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
 )
-grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
- ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
 }
 # re-generate signed zone without MX and AAAA records at apex.
 (
-cd signer || exit 1
-$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+ cd signer || exit 1
+ $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
 )
-grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
- ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
 }
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
 ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
-cd signer || exit 1
-echo > remove.db.signed
-$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+ cd signer || exit 1
+ echo >remove.db.signed
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n
 )
-grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
- ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+grep "RRSIG MX" signer/remove.db.signed >/dev/null || {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.pre$n
 }
 # re-generate signed zone without MX and AAAA records at apex.
 (
-cd signer || exit 1
-$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+ cd signer || exit 1
+ $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n
 )
-grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
- ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+grep "RRSIG MX" signer/remove.db.signed >/dev/null && {
+ ret=1
+ cp signer/remove.db.signed signer/remove.db.signed.post$n
 }
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
 ret=0
-dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1
-n=$((n+1))
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1
-n=$((n+1))
+grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1
-n=$((n+1))
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
 ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
 ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
-grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1
 stop_server ns1 || ret=1
-nextpart ns1/named.run > /dev/null
+nextpart ns1/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns1 || ret=1
-n=$(($n+1))
+n=$(($n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "waiting for root server to finish reloading ($n)"
 ret=0
 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
-n=$(($n+1))
+n=$(($n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that the view is logged in messages from the validator when using views ($n)"
 ret=0
-grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
-n=$((n+1))
+grep "view rec: *validat" ns4/named.run >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
 ret=0
-dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)"
 ret=0
-dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1
-grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1
-grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1
+grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n >/dev/null || ret=1
+grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
 ret=0
-dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
-dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1
 # DNSKEY+RRSIG, NSEC+RRSIG
-grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 #
 # DNSSEC tests related to unsupported, disabled and revoked trust anchors.
@@ -3950,9 +3971,9 @@ grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.r
 grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
 grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
 grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # The next two tests are fairly normal DNSSEC queries to signed zones with a
 # default algorithm. First, a query is made against the server that is
@@ -3961,25 +3982,25 @@ status=$((status+ret))
 # return an authentic data positive response.
 echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # The next two queries ensure that a zone signed with a DNSKEY with an unsupported
 # algorithm will yield insecure positive responses. These trust anchors in ns8 are
@@ -3987,25 +4008,25 @@ status=$((status+ret))
 # in the response.
 echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # The next two queries ensure that a zone signed with a DNSKEY that the nameserver
 # has a disabled algorithm match for will yield insecure positive responses.
@@ -4013,25 +4034,25 @@ status=$((status+ret))
 # The AD bit should not be set in the response.
 echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # The next two queries ensure that a zone signed with a DNSKEY that the
 # nameserver has a disabled algorithm for, but for a different domain, will
@@ -4041,50 +4062,50 @@ status=$((status+ret))
 # bit set.
 echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # A configured revoked trust anchor is ignored and thus the two queries below
 # should result in insecure responses, since no trust points for the
 # "revoked.trusted." and "revoked.managed." zones are created.
 echo_i "checking that a trusted key that is revoked validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 echo_i "checking that a managed key that is revoked validates as insecure ($n)"
 ret=0
-dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n
-dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n
-grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
-n=$((n+1))
+dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 ###
 ### Additional checks for when the KSK is offline.
@@ -4102,59 +4123,58 @@ echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
 # Print IDs of keys used for generating RRSIG records for RRsets of type $1
 # found in dig output file $2.
 get_keys_which_signed() {
- qtype=$1
- output=$2
- # The key ID is the 11th column of the RRSIG record line.
- awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output"
+ qtype=$1
+ output=$2
+ # The key ID is the 11th column of the RRSIG record line.
+ awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output"
 }
 
 # Basic checks to make sure everything is fine before the KSK is made offline.
-for qtype in "DNSKEY" "CDNSKEY" "CDS"
-do
+for qtype in "DNSKEY" "CDNSKEY" "CDS"; do
 echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
 ret=0
- dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n
 lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
- get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
- get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
- n=$((n+1))
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1
+ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ status=$((status + ret))
 done
 
 echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
 ret=0
-dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
+dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n
 lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
-get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
-get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1
-n=$((n+1))
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # Roll the ZSK.
 zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
-keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
+keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2
 ZSK_ID2=$(cat ns2/$zone.zsk.id2)
 
 echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
 ret=0
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # Make new ZSK active.
 echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
 ret=0
-$SETTIME -I now -K ns2 $ZSK > /dev/null
-$SETTIME -A now -K ns2 $zsk2 > /dev/null
+$SETTIME -I now -K ns2 $ZSK >/dev/null
+$SETTIME -A now -K ns2 $zsk2 >/dev/null
 dnssec_loadkeys_on 2 $zone || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # Remove the KSK from disk.
 echo_i "remove the KSK $KSK_ID for zone $zone from disk"
@@ -4164,41 +4184,39 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # Redo the tests now that the zone is updated and the KSK is offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype 
dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Put back the KSK. @@ -4208,18 +4226,18 @@ mv ns2/$KSK.private.bak ns2/$KSK.private # Roll the ZSK again. zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3 +keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null -$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null -$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null +$SETTIME -D now -K ns2 $ZSK >/dev/null +$SETTIME -I +3600 -K ns2 $zsk2 >/dev/null +$SETTIME -A +3600 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" 
@@ -4229,110 +4247,106 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me again" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me again" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me again" + echo send ) | $NSUPDATE # Redo the tests now that the ZSK roll has deleted the old key. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > 
dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I +1 -K ns2 $zsk2 >/dev/null +$SETTIME -A +1 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Wait for newest ZSK to become active. 
echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me one more time" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me one more time" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me one more time" + echo send ) | $NSUPDATE -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Redo the tests one more time. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1 - n=$((n+1)) 
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking secroots output with multiple views ($n)" 
@@ -4340,89 +4354,89 @@ ret=0 rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking sig-validity-interval second field hours vs days ($n)" ret=0 # zone configured with 'sig-validity-interval 500 499;' # 499 days in the future w/ a 20 minute runtime to now allowance min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n +dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validation succeeds during transition to signed ($n)" ret=0 -dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" ret=0 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the validating resolver will fallback to insecure 
if the answer # contains NSEC3 records with high iteration count. echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" ret=0 -dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" ret=0 -dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 
-dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that a query against a validating resolver succeeds when there is # a negative cache entry with trust level "pending" for the DS. Prime 
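Review bot: In the sig-validity-interval check at the top of this hunk, `dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n` carries no `|| ret=1`, unlike every `dig_with_opts` line in the NSEC3-iterations checks below it, so a refused or failed transfer leaves an output file with no RRSIG lines, the `awk` program never reaches its `exit(1)` branch, and the check passes vacuously. Suggest `dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n || ret=1`, and make the awk require at least one RRSIG: `awk -v min=$min '$4 == "RRSIG" { seen = 1; if ($9 < min) exit(1) } END { if (!seen) exit(1) }' dig.out.ns2.test$n || ret=1` (the END rule deliberately does not call `exit` when `seen` is set, so an earlier `exit(1)` status is preserved). The `$min` expansion is only safe unquoted because the perl one-liner always prints a bare digit string; `-v min="$min"` costs nothing and survives a future change to that format.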
@@ -4430,17 +4444,17 @@ status=$((status+ret)) # query that uses that entry as part of the validation process. [GL #3279] echo_i "check that pending negative DS cache entry validates ($n)" ret=0 -dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1 grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 -dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnstap/ns2/named.conf.in b/bin/tests/system/dnstap/ns2/named.conf.in index badc225..cc05db0 100644 --- a/bin/tests/system/dnstap/ns2/named.conf.in +++ b/bin/tests/system/dnstap/ns2/named.conf.in @@ -43,7 +43,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dnstap/ns3/named.conf.in b/bin/tests/system/dnstap/ns3/named.conf.in index a5ee2ed..1626030 100644 --- a/bin/tests/system/dnstap/ns3/named.conf.in +++ b/bin/tests/system/dnstap/ns3/named.conf.in @@ -46,5 +46,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; 
diff --git a/bin/tests/system/dnstap/ns4/named.conf.in b/bin/tests/system/dnstap/ns4/named.conf.in index e2a9207..4a1debf 100644 --- a/bin/tests/system/dnstap/ns4/named.conf.in +++ b/bin/tests/system/dnstap/ns4/named.conf.in @@ -45,5 +45,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnstap/prereq.sh b/bin/tests/system/dnstap/prereq.sh index f0748f3..747f448 100644 --- a/bin/tests/system/dnstap/prereq.sh +++ b/bin/tests/system/dnstap/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --enable-dnstap || { - echo_i "This test requires dnstap support." >&2 - exit 255 + echo_i "This test requires dnstap support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh index c5d4f0a..ac40a38 100644 --- a/bin/tests/system/dnstap/tests.sh +++ b/bin/tests/system/dnstap/tests.sh 
@@ -16,44 +16,53 @@ set -e . ../conf.sh DIGOPTS="+short -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf" status=0 # dnstap_data_ready # Flushes capture_file and checks wheter its size is >= min_file_size. dnstap_data_ready() { - # Process id of running fstrm_capture. - fstrm_capture_pid=$1 - # Output file provided to fstrm_capture via -w switch. - capture_file=$2 - # Minimum expected file size. - min_size_expected=$3 - - kill -HUP $fstrm_capture_pid - file_size=$(wc -c < "$capture_file" | tr -d ' ') - if [ $file_size -lt $min_size_expected ]; then - return 1 - fi -} - - -for bad in bad-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects error in $bad" - { $CHECKCONF $bad > /dev/null 2>&1; rc=$?; } || true - if [ $rc != 1 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) + # Process id of running fstrm_capture. + fstrm_capture_pid=$1 + # Output file provided to fstrm_capture via -w switch. + capture_file=$2 + # Minimum expected file size. + min_size_expected=$3 + + kill -HUP $fstrm_capture_pid + file_size=$(wc -c <"$capture_file" | tr -d ' ') + if [ $file_size -lt $min_size_expected ]; then + return 1 + fi +} + +for bad in bad-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects error in $bad" + { + $CHECKCONF $bad >/dev/null 2>&1 + rc=$? + } || true + if [ $rc != 1 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done -for good in good-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects no error in $good" - { $CHECKCONF $good > /dev/null 2>&1; rc=$?; } || true - if [ $rc != 0 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) +for good in good-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects no error in $good" + { + $CHECKCONF $good >/dev/null 2>&1 + rc=$? 
+ } || true + if [ $rc != 0 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done echo_i "wait for servers to finish loading" @@ -71,7 +80,7 @@ status=$((status + ret)) echo_i "prime cache" ret=0 -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || true +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out || true wait_for_log 20 "(.): reset client" ns1/named.run || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -81,15 +90,15 @@ status=$((status + ret)) mv ns1/dnstap.out ns1/dnstap.out.save mv ns2/dnstap.out ns2/dnstap.out.save -if [ -n "$FSTRM_CAPTURE" ] ; then - ret=0 - echo_i "starting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.1 2>&1 & - fstrm_capture_pid=$! - wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -n "$FSTRM_CAPTURE" ]; then + ret=0 + echo_i "starting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.1 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "reopen/roll capture streams" @@ -101,10 +110,10 @@ $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i echo_i "send test traffic" ret=0 -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || ret=1 +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out || ret=1 # send an UPDATE to ns2 -$NSUPDATE <<- EOF +$NSUPDATE <<-EOF server 10.53.0.2 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 
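Review bot: In `dnstap_data_ready`, `kill -HUP $fstrm_capture_pid` discards its exit status, so when fstrm_capture has already exited, or `$1` is empty, the function goes on to measure a capture file that will never be flushed again and the `retry_quiet 5 dnstap_data_ready ...` caller visible in hunk @@ -540 keeps retrying the size check against stale data instead of failing at once; `kill -HUP "$fstrm_capture_pid" || return 1` reports that directly. The function also assigns `fstrm_capture_pid`, `capture_file`, `min_size_expected` and `file_size` without `local` (the script runs under /bin/sh), and `fstrm_capture_pid` is the very name the caller later fills from `$!` in hunk @@ -81, so each call overwrites the caller's variable with its own argument — harmless today because the same value is passed in, but worth a comment such as `# no 'local' under sh: these names are globals and shadow the caller's fstrm_capture_pid`. The header comment's "checks wheter" should read "checks whether".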
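Review bot: In the "prime cache" block, `ret` is set to 0 and never changed — both `$DIG $DIGOPTS @10.53.0.3 a.example >dig.out || true` and `wait_for_log 20 "(.): reset client" ns1/named.run || true` swallow their status — so the `if [ $ret != 0 ]` and `status=$((status + ret))` lines that follow are dead. If priming is meant to be best-effort, drop that bookkeeping or mark it with `# best effort: a failed prime is not counted`; if the reset-client log line is actually a precondition for the counts checked later, `wait_for_log 20 "(.): reset client" ns1/named.run || ret=1` makes the block report it. The rest of the script around this hunk is outside the view.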
@@ -161,16 +170,16 @@ ur3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 expected 2" + ret=1 } [ $udp3 -eq 4 ] || { - echo_i "ns3 $udp3 expected 4" - ret=1 + echo_i "ns3 $udp3 expected 4" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -178,16 +187,16 @@ status=$((status + ret)) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 6 ] || { - echo_i "ns1 $tcp1 expected 6" - ret=1 + echo_i "ns1 $tcp1 expected 6" + ret=1 } [ $tcp2 -eq 2 ] || { - echo_i "ns2 $tcp2 expected 2" - ret=1 + echo_i "ns2 $tcp2 expected 2" + ret=1 } [ $tcp3 -eq 6 ] || { - echo_i "ns3 $tcp3 expected 6" - ret=1 + echo_i "ns3 $tcp3 expected 6" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -195,16 +204,16 @@ status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 3 ] || { - echo_i "ns1 $aq1 exepcted 3" - ret=1 + echo_i "ns1 $aq1 exepcted 3" + ret=1 } [ $aq2 -eq 2 ] || { - echo_i "ns2 $aq2 expected 2" - ret=1 + echo_i "ns2 $aq2 expected 2" + ret=1 } [ $aq3 -eq 1 ] || { - echo_i "ns3 $aq3 expected 1" - ret=1 + echo_i "ns3 $aq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -212,16 +221,16 @@ status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 2 ] || { - echo_i "ns1 $ar1 expected 2" - ret=1 + echo_i "ns1 $ar1 expected 2" + ret=1 } [ $ar2 -eq 1 ] || { - echo_i "ns2 $ar2 expected 1" - ret=1 + echo_i "ns2 $ar2 expected 1" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
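Review bot: The failure message in the AUTH_QUERY count check, `echo_i "ns1 $aq1 exepcted 3"`, misspells "expected"; the same typo recurs in hunk @@ -400,16 +409,16 @@ as `"ns1 $aq1 exepcted 0"`. Since these strings are what a failing run prints, `echo_i "ns1 $aq1 expected 3"` and `echo_i "ns1 $aq1 expected 0"` keep them consistent and greppable with the other count checks in these hunks.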
@@ -229,16 +238,16 @@ status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -246,16 +255,16 @@ status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 1 ] || { - echo_i "ns1 $cr1 expected 1" - ret=1 + echo_i "ns1 $cr1 expected 1" + ret=1 } [ $cr2 -eq 1 ] || { - echo_i "ns2 $cr2 expected 1" - ret=1 + echo_i "ns2 $cr2 expected 1" + ret=1 } [ $cr3 -eq 2 ] || { - echo_i "ns3 $cr3 expected 2" - ret=1 + echo_i "ns3 $cr3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -263,16 +272,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 3 ] || { - echo_i "ns3 $rq3 expected 3" - ret=1 + echo_i "ns3 $rq3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -280,16 +289,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 3 ] || { - echo_i "ns3 $rr3 expected 3" - ret=1 + echo_i "ns3 $rr3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -297,16 +306,16 @@ status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 0 ] || { - echo_i "ns2 $uq2 expected 0" - ret=1 + echo_i "ns2 $uq2 expected 0" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -314,16 +323,16 @@ status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 0" - ret=1 + echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 0 ] || { - echo_i "ns2 $ur2 expected 0" - ret=1 + echo_i "ns2 $ur2 expected 0" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -366,16 +375,16 @@ ur3=$($DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 expected 2" + ret=1 } [ $udp3 -eq 2 ] || { - echo_i "ns3 $udp3 expected 2" - ret=1 + echo_i "ns3 $udp3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -383,16 +392,16 @@ status=$((status + ret)) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 0 ] || { - echo_i "ns1 $tcp1 expected 0" - ret=1 + echo_i "ns1 $tcp1 expected 0" + ret=1 } [ $tcp2 -eq 0 ] || { - echo_i "ns2 $tcp2 expected 0" - ret=1 + echo_i "ns2 $tcp2 expected 0" + ret=1 } [ $tcp3 -eq 0 ] || { - echo_i "ns3 $tcp3 expected 0" - ret=1 + echo_i "ns3 $tcp3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -400,16 +409,16 @@ status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 0 ] || { - echo_i "ns1 $aq1 exepcted 0" - ret=1 + echo_i "ns1 $aq1 exepcted 0" + ret=1 } [ $aq2 -eq 0 ] || { - echo_i "ns2 $aq2 expected 0" - ret=1 + echo_i "ns2 $aq2 expected 0" + ret=1 } [ $aq3 -eq 0 ] || { - echo_i "ns3 $aq3 expected 0" - ret=1 + echo_i "ns3 $aq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -417,16 +426,16 @@ status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 0 ] || { - echo_i "ns1 $ar1 expected 0" - ret=1 + echo_i "ns1 $ar1 expected 0" + ret=1 } [ $ar2 -eq 0 ] || { - echo_i "ns2 $ar2 expected 0" - ret=1 + echo_i "ns2 $ar2 expected 0" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -434,16 +443,16 @@ status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -451,16 +460,16 @@ status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 0 ] || { - echo_i "ns1 $cr1 expected 0" - ret=1 + echo_i "ns1 $cr1 expected 0" + ret=1 } [ $cr2 -eq 0 ] || { - echo_i "ns2 $cr2 expected 0" - ret=1 + echo_i "ns2 $cr2 expected 0" + ret=1 } [ $cr3 -eq 1 ] || { - echo_i "ns3 $cr3 expected 1" - ret=1 + echo_i "ns3 $cr3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -468,16 +477,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 0 ] || { - echo_i "ns3 $rq3 expected 0" - ret=1 + echo_i "ns3 $rq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -485,16 +494,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 0 ] || { - echo_i "ns3 $rr3 expected 0" - ret=1 + echo_i "ns3 $rr3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -502,16 +511,16 @@ status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 1 ] || { - echo_i "ns2 $uq2 expected 1" - ret=1 + echo_i "ns2 $uq2 expected 1" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -519,16 +528,16 @@ status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 0" - ret=1 + echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 1 ] || { - echo_i "ns2 $ur2 expected 1" - ret=1 + echo_i "ns2 $ur2 expected 1" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -540,271 +549,271 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) HAS_PYYAML=0 -if [ -x "$PYTHON" ] ; then - $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +if [ -x "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi -if [ $HAS_PYYAML -ne 0 ] ; then - echo_i "checking dnstap-read YAML output" - ret=0 - { - $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1 - } | cat_i - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ $HAS_PYYAML -ne 0 ]; then + echo_i "checking dnstap-read YAML output" + ret=0 + { + $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" >ydump.out || ret=1 + } | cat_i + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking dnstap-read hex output" ret=0 hex=$($DNSTAPREAD -x ns3/dnstap.out | tail -1) -echo $hex | $WIRETEST > dnstap.hex -grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1 +echo $hex | $WIRETEST >dnstap.hex +grep 'status: NOERROR' dnstap.hex >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -n "$FSTRM_CAPTURE" ] ; then - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out +if [ -n "$FSTRM_CAPTURE" ]; then + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out - # send an UPDATE to ns4 - $NSUPDATE <<- EOF > nsupdate.out 2>&1 && ret=1 + # send an UPDATE to ns4 + $NSUPDATE <<-EOF >nsupdate.out 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 send EOF - grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1 - - echo_i "checking unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - 
kill $fstrm_capture_pid - wait - udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) - tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) - aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) - ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) - cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) - cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) - rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) - rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) - uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) - ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 4 ] || { - echo_i "ns4 $udp4 expected 4" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] 
|| { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 1 ] || { - echo_i "ns4 $uq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 1 ] || { - echo_i "ns4 $ur4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - mv dnstap.out dnstap.out.save - - echo_i "restarting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.2 2>&1 & - fstrm_capture_pid=$! - wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { - echo_i "failed" - ret=1 - } - $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out - - echo_i "checking reopened unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - kill $fstrm_capture_pid - wait - udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) - tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) - aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) - ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) - cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) - cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) - rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) - rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) - uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) - ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 2 ] || { - echo_i "ns4 $udp4 expected 2" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - 
ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] || { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 0 ] || { - echo_i "ns4 $uq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 0 ] || { - echo_i "ns4 $ur4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + grep "update failed: NOTAUTH" nsupdate.out >/dev/null || ret=1 + + echo_i "checking unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc 
-l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 4 ] || { + echo_i "ns4 $udp4 expected 4" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY 
message counts" + ret=0 + [ $uq4 -eq 1 ] || { + echo_i "ns4 $uq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 1 ] || { + echo_i "ns4 $ur4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + mv dnstap.out dnstap.out.save + + echo_i "restarting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.2 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { + echo_i "failed" + ret=1 + } + $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out + + echo_i "checking reopened unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 2 ] || { + echo_i "ns4 $udp4 expected 2" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + 
echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 0 ] || { + echo_i "ns4 $uq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 0 ] || { + echo_i "ns4 $ur4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking large packet printing" 
@@ -817,30 +826,28 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) _test_dnstap_roll() ( - ip="$1" - ns="$2" - n="$3" + ip="$1" + ns="$2" + n="$3" - $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i && - files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) && - test "$files" -eq "${n}" && test "$files" -ge "1" || return 1 + $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i \ + && files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) \ + && test "$files" -eq "${n}" && test "$files" -ge "1" || return 1 ) - test_dnstap_roll() { - echo_i "checking 'rndc -roll $4' ($1)" - ret=0 - - try=0 - while test $try -lt 12 - do - touch "$3/dnstap.out.$try" - try=$((try + 1)) - done - - _repeat 10 _test_dnstap_roll $2 $3 $4 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + echo_i "checking 'rndc -roll $4' ($1)" + ret=0 + + try=0 + while test $try -lt 12; do + touch "$3/dnstap.out.$try" + try=$((try + 1)) + done + + _repeat 10 _test_dnstap_roll $2 $3 $4 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } start_server --noclean --restart --port "${PORT}" ns3 diff --git a/bin/tests/system/dnstap/tests_dnstap.py b/bin/tests/system/dnstap/tests_dnstap.py index ca687b0..0dbf2aa 100644 --- a/bin/tests/system/dnstap/tests_dnstap.py +++ b/bin/tests/system/dnstap/tests_dnstap.py @@ -28,7 +28,7 @@ def run_rndc(server, rndc_command): rndc = os.getenv("RNDC") port = os.getenv("CONTROLPORT") - cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server] + cmdline = [rndc, "-c", "../_common/rndc.conf", "-p", port, "-s", server] cmdline.extend(rndc_command) subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10) diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in index 500675f..6a8bcdb 100644 --- a/bin/tests/system/doth/ns1/named.conf.in +++ b/bin/tests/system/doth/ns1/named.conf.in 
@@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -89,6 +89,7 @@ options { listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH + listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; }; // DoT recursion no; notify explicit; also-notify { 10.53.0.2 port @PORT@; }; @@ -170,3 +171,27 @@ zone "example11" { file "example.db"; allow-transfer port @EXTRAPORT5@ transport tls { any; }; }; + +zone "example12" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example13" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example14" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example15" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in index 3cb2042..e533f47 100644 --- a/bin/tests/system/doth/ns2/named.conf.in +++ b/bin/tests/system/doth/ns2/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -55,7 +55,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-example-primary { diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in index 74d3957..cd1ab9c 100644 --- a/bin/tests/system/doth/ns3/named.conf.in 
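Review bot: The four new zone blocks `example12`–`example15` at the end of the ns1 hunk are byte-identical and carry no comment saying why they exist, so a reader cannot tell them apart from the `example`…`example11` series above them. Their only distinguishing feature is `allow-transfer port @EXTRAPORT7@ transport tls { any; };`, which pairs with the `listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; };` line added earlier in this file and, judging from the new ns5 config in the same patch, exists so one secondary can reuse a single `tls` entry across several transfers. I would add a one-line header before `zone "example12"`: `// example12-15: transferable only over XoT on @EXTRAPORT7@; used by ns5 to check that one tls entry can be reused for several zone transfers`. Note that `{ any; }` here restricts only transport and port, not the source address, which is fine for the test harness but should not be copied into a production config.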
+++ b/bin/tests/system/doth/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -48,7 +48,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in index 077226a..c7c6c91 100644 --- a/bin/tests/system/doth/ns4/named.conf.in +++ b/bin/tests/system/doth/ns4/named.conf.in @@ -18,7 +18,7 @@ # startup/reconfiguration was known to cause timeout issues in the CI # system, where many tests run in parallel. -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -56,7 +56,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in new file mode 100644 index 0000000..6808618 --- /dev/null +++ b/bin/tests/system/doth/ns5/named.conf.in 
@@ -0,0 +1,83 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# We need a separate instance for the "rndc reconfig" test in order to +# ensure that it does not use ephemeral keys (these are costly to +# generate) and creates a minimal amount of TLS contexts, reducing the +# time needed for startup/reconfiguration. Long +# startup/reconfiguration was known to cause timeout issues in the CI +# system, where many tests run in parallel. + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + tls-port @TLSPORT@; + https-port @HTTPSPORT@; + http-port @HTTPPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." 
{ + type hint; + file "../../_common/root.hint"; +}; + +# Let's reuse the same entry multiple times to see if transfers will succeed + +tls tls-v1.2 { + protocols { TLSv1.2; }; + prefer-server-ciphers yes; +}; + +zone "example12" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example12.db"; + allow-transfer { any; }; +}; + +zone "example13" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example13.db"; + allow-transfer { any; }; +}; + +zone "example14" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example14.db"; + allow-transfer { any; }; +}; + +zone "example15" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example15.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/doth/prereq.sh b/bin/tests/system/doth/prereq.sh index 36a8e37..c745136 100644 --- a/bin/tests/system/doth/prereq.sh +++ b/bin/tests/system/doth/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --with-libnghttp2 || { - echo_i "This test requires libnghttp2 support." >&2 - exit 255 + echo_i "This test requires libnghttp2 support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh index c50c31f..775dd33 100644 --- a/bin/tests/system/doth/setup.sh +++ b/bin/tests/system/doth/setup.sh 
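Review bot: The header comment of the new ns5/named.conf.in describes a purpose the file does not appear to serve: it says the instance exists for the `"rndc reconfig"` test, wording that matches the ns4 header visible in this same patch, while what ns5 actually configures is four secondary zones (`example12`–`example15`) that all point at `10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2`, introduced by the inline comment `# Let's reuse the same entry multiple times to see if transfers will succeed`. I would rewrite the first sentence to something like `# ns5 checks that a single tls entry (tls-v1.2) can be reused for several XoT transfers from ns1; it avoids ephemeral keys to keep startup fast in CI` and drop the `rndc reconfig` reference unless tests.sh really reconfigures ns5, which is not visible here. Separately, `tls tls-v1.2` sets no `ca-file` or `remote-hostname`, so as far as this config shows the transfers run over opportunistic TLS with ns1's certificate never verified — fine for a transfer-reuse test, but worth stating with `# no ca-file/remote-hostname: opportunistic TLS, the primary is not authenticated` so the block is not copied as a Strict-TLS example.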
@@ -15,18 +15,19 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db -echo '; huge answer' >> ns1/example.db +echo '; huge answer' >>ns1/example.db x=1 while [ $x -le 50 ]; do - y=1 - while [ $y -le 50 ]; do - printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db - y=$((y+1)) - done - x=$((x+1)) + y=1 + while [ $y -le 50 ]; do + printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db + y=$((y + 1)) + done + x=$((x + 1)) done copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf diff --git a/bin/tests/system/doth/stress_http_quota.py b/bin/tests/system/doth/stress_http_quota.py index 12e29c8..05ad043 100755 --- a/bin/tests/system/doth/stress_http_quota.py +++ b/bin/tests/system/doth/stress_http_quota.py @@ -161,12 +161,12 @@ class SubDIG: # and examining their statuses in one logical operation. class MultiDIG: def __init__(self, numdigs, http_secure=None, extra_args=None): - assert int(numdigs) > 0 + assert int(numdigs) > 0, f"numdigs={numdigs}" digs = [] for _ in range(1, int(numdigs) + 1): digs.append(SubDIG(http_secure=http_secure, extra_args=extra_args)) self.digs = digs - assert len(self.digs) == int(numdigs) + assert len(self.digs) == int(numdigs), f"len={len(self.digs)} numdigs={numdigs}" def run(self): for p in self.digs: diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index a95bd8c..aad2352 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh 
@@ -23,9 +23,9 @@ msg_peer_verification_failed=";; TLS peer certificate verification" ca_file="./CA/CA.pem" if [ -x "$PYTHON" ]; then - OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") - OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) - OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) + OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") + OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) + OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) fi # According to the RFC 8310, Section 8.1, Subject field MUST 
@@ -44,91 +44,91 @@ fi # ignore the tests checking the correct handling of absence of # SubjectAltName. if [ -n "$OPENSSL_VERSION" ]; then - if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then - run_san_tests=1 - elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then - run_san_tests=1 - fi + if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then + run_san_tests=1 + elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then + run_san_tests=1 + fi fi dig_with_tls_opts() { - # shellcheck disable=SC2086 - "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" } dig_with_https_opts() { - # shellcheck disable=SC2086 - "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" } dig_with_http_opts() { - # shellcheck disable=SC2086 - "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" } dig_with_opts() { - # shellcheck disable=SC2086 - "$DIG" $common_dig_options -p "${PORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" $common_dig_options -p "${PORT}" "$@" } wait_for_tls_xfer() ( - srv_number="$1" - shift - zone_name="$1" - shift - # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces - dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1 - grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1 - return 0 + srv_number="$1" + shift + zone_name="$1" + shift + # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces + dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." 
AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1 + grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1 + return 0 ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing XoT server functionality (using dig) ($n)" ret=0 -dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp example.axfr.good dig.out.ns1.test$n || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example; then - digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) if [ -n "$run_san_tests" ]; then - n=$((n + 1)) - echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" - ret=0 - if retry_quiet 10 wait_for_tls_xfer 2 example3; then - ret=1 - else - echo_i "timed out waiting for zone transfer" - fi - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" + ret=0 + if retry_quiet 10 wait_for_tls_xfer 2 example3; then + ret=1 + else + echo_i "timed out waiting for zone transfer" + fi + if [ $ret != 0 ]; then echo_i "failed"; fi + 
status=$((status + ret)) fi n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via implicit IP) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example4; then - retry_quiet 5 test -f "ns2/example4.db" || ret=1 + retry_quiet 5 test -f "ns2/example4.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example4.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example4.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -137,11 +137,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv4) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example5; then - retry_quiet 5 test -f "ns2/example5.db" || ret=1 + retry_quiet 5 test -f "ns2/example5.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example5.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example5.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -150,11 +150,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv6) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example6; then - retry_quiet 5 test -f "ns2/example6.db" || ret=1 + retry_quiet 5 test -f "ns2/example6.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example6.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example6.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -163,9 +163,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, wrong hostname, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example7; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -174,9 +174,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, expired certificate, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example8; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -185,11 +185,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example9; then - retry_quiet 5 test -f "ns2/example9.db" || ret=1 + retry_quiet 5 test -f "ns2/example9.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example9.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example9.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,9 +198,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, no client cert, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example10; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -209,96 +209,96 @@ n=$((n + 1))
echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, expired client cert, failure expected) ($n)"
ret=0
if retry_quiet 10 wait_for_tls_xfer 2 example11; then
- ret=1
+ ret=1
else
- echo_i "timed out waiting for zone transfer"
+ echo_i "timed out waiting for zone transfer"
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "testing incoming XoT functionality (from the second secondary) ($n)"
ret=0
if retry_quiet 10 wait_for_tls_xfer 3 example; then
- digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
+ digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1
else
- echo_i "timed out waiting for zone transfer"
- grep "^;" "dig.out.ns3.example.test$n" | cat_i
- ret=1
+ echo_i "timed out waiting for zone transfer"
+ grep "^;" "dig.out.ns3.example.test$n" | cat_i
+ ret=1
fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)"
ret=0
if retry_quiet 10 wait_for_tls_xfer 3 example2; then
- ret=1
+ ret=1
else
- echo_i "timed out waiting for zone transfer"
+ echo_i "timed out waiting for zone transfer"
fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "testing incoming XoT functionality (from the third secondary) ($n)"
ret=0
if retry_quiet 10 wait_for_tls_xfer 4 example; then
- digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1
+ digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1
else
- echo_i "timed out waiting for zone transfer"
- grep "^;" "dig.out.ns4.example.test$n" | cat_i
- ret=1
+ echo_i "timed out waiting for zone transfer"
+ grep "^;" 
"dig.out.ns4.example.test$n" | cat_i
+ ret=1
fi
-if test $ret != 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test $ret != 0; then echo_i "failed"; fi
+status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (ephemeral key) ($n)"
ret=0
-dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query via IPv6 (ephemeral key) ($n)"
ret=0
-dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (static key) ($n)"
ret=0
-dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query via IPv6 (static key) ($n)"
ret=0
-dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT XFR ($n)"
ret=0
-dig_with_tls_opts +comm @10.53.0.1 . 
AXFR > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# zone transfers are allowed only via TLS
-n=$((n+1))
+n=$((n + 1))
echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)"
ret=0
-dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
+dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -306,8 +306,8 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking Do53 query ($n)"
ret=0
-dig_with_opts @10.53.0.1 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.1 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -321,8 +321,8 @@ n=$((n + 1))
echo_i "checking DoT XFR with wrong ALPN token (h2, failure expected) ($n)"
ret=0
# shellcheck disable=SC2086
-"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR > dig.out.test$n
-grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1
+"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR >dig.out.test$n
+grep "$msg_xfrs_not_allowed" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -332,279 +332,279 @@ n=$((n + 1))
echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)"
ret=0
# shellcheck disable=SC2086
-"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1
+"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "ALPN for HTTP/2 failed." dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST) ($n)"
ret=0
-dig_with_https_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (POST) ($n)"
ret=0
-dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . 
SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST, static key) ($n)"
ret=0
-dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (POST, static key) ($n)"
ret=0
-dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST, nonstandard endpoint) ($n)"
ret=0
-dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)"
ret=0
-dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . 
SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)"
ret=0
-dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)"
ret=0
-dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH XFR (POST) (failure expected) ($n)"
ret=0
-dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (GET) ($n)"
ret=0
-dig_with_https_opts +stat +https-get @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +stat +https-get @10.53.0.1 . 
SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (GET) ($n)"
ret=0
-dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (GET, static key) ($n)"
ret=0
-dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get @10.53.0.2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (GET, static key) ($n)"
ret=0
-dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (GET, nonstandard endpoint) ($n)"
ret=0
-dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get=/alter @10.53.0.1 . 
SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)"
ret=0
-dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)"
ret=0
-dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)"
ret=0
-dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1
-grep "communications error" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1
+grep "communications error" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH XFR (GET) (failure expected) ($n)"
ret=0
-dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." 
dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query (POST) ($n)"
ret=0
-dig_with_http_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)"
ret=0
-dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query (GET) ($n)"
ret=0
-dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)"
ret=0
-dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . 
SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH XFR (failure expected) ($n)"
ret=0
-dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
-grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query for a large answer (POST) ($n)"
ret=0
-dig_with_https_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)"
ret=0
-dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query for a 
large answer (GET) ($n)"
ret=0
-dig_with_https_opts +https-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)"
ret=0
-dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query for a large answer (POST) ($n)"
ret=0
-dig_with_http_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)"
ret=0
-dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 
biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query for a large answer (GET) ($n)"
ret=0
-dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)"
ret=0
-dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
+dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-wait_for_tlsctx_update_ns4 () {
- grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run > /dev/null || return 1
- grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run > /dev/null || return 1
- return 0
+wait_for_tlsctx_update_ns4() {
+ grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run >/dev/null || return 1
+ grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run >/dev/null || return 1
+ return 0
}
n=$((n + 1))
@@ -618,16 +618,16 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query after a reconfiguration ($n)"
ret=0
-dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST) after a reconfiguration ($n)"
ret=0
-dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -635,7 +635,7 @@ n=$((n + 1))
echo_i "doing rndc reconfig to see if HTTP endpoints have gotten reconfigured ($n)"
ret=0
# 'sed -i ...' is not portable. Sigh...
-sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" > "ns4/named.conf.sed"
+sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" >"ns4/named.conf.sed"
mv -f "ns4/named.conf.sed" "ns4/named.conf"
rndc_reconfig ns4 10.53.0.4 60
retry_quiet 15 wait_for_tlsctx_update_ns4 || ret=1
@@ -645,40 +645,40 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (POST) to verify HTTP endpoint reconfiguration ($n)"
ret=0
-dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (with TLS verification enabled) ($n)"
ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (with TLS verification enabled, self-signed cert, failure expected) ($n)"
ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (with TLS verification using the system's CA store, failure expected) ($n)"
ret=0
-dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . 
SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (with TLS verification using the system's CA store, failure expected) ($n)"
ret=0
-dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -687,30 +687,30 @@ status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (with TLS verification, hostname is not specified, IP address is used instead) ($n)"
ret=0
-dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null && ret=1
+dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
if [ -n "$run_san_tests" ]; then
- # SubjectAltName is required for DoT as according to RFC 8310, Subject
- # field MUST NOT be inspected when verifying hostname for DoT.
- n=$((n + 1))
- echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)"
- ret=0
- dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
- grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-
- n=$((n + 1))
- echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)"
- ret=0
- # shellcheck disable=SC2086
- dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1
- grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ # SubjectAltName is required for DoT as according to RFC 8310, Subject
+ # field MUST NOT be inspected when verifying hostname for DoT.
+ n=$((n + 1))
+ echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)"
+ ret=0
+ dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . 
SOA >dig.out.test$n || ret=1
+ grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ n=$((n + 1))
+ echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)"
+ ret=0
+ # shellcheck disable=SC2086
+ dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1
+ grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
fi
# SubjectAltName is not required for HTTPS. Having a properly set
@@ -718,48 +718,48 @@ fi
n=$((n + 1))
echo_i "checking DoH query (when SubjectAltName is not set) ($n)"
ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (expired certificate, Opportunistic TLS) ($n)"
ret=0
-dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoT query (expired certificate, Strict TLS, failure expected) ($n)"
ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "testing XoT server functionality (using dig, client certificate required, failure expected) ($n)"
ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "; Transfer failed." 
dig.out.ns1.test$n > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "testing XoT server functionality (using dig, client certificate used) ($n)"
ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-digcomp dig.out.ns1.test$n example8.axfr.good > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+digcomp dig.out.ns1.test$n example8.axfr.good >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking DoH query (client certificate required, failure expected) ($n)"
ret=0
-dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -767,8 +767,8 @@ n=$((n + 1)) echo_i "checking DoH query (client certificate used) ($n)" ret=0 # shellcheck disable=SC2086 -dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -777,64 +777,63 @@ n=$((n + 1)) echo_i "checking DoH query (client certificate used - session resumption when using Mutual TLS) ($n)" ret=0 # shellcheck disable=SC2086 -dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA > dig.out.test$n || ret=1 -grep "TLS error" dig.out.test$n > /dev/null && ret=1 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA >dig.out.test$n || ret=1 +grep "TLS error" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) test_opcodes() { - EXPECT_STATUS="$1" - shift - for op in "$@"; - do - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" - ret=0 - dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" - ret=0 - dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" - ret=0 - dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op 
($n)" - ret=0 - dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" - ret=0 - dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" - ret=0 - dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - done + EXPECT_STATUS="$1" + shift + for op in "$@"; do + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" + ret=0 + dig_with_https_opts +https @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" + ret=0 + dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking 
unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" + ret=0 + dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" + ret=0 + dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done } test_opcodes NOERROR 0 
@@ -845,45 +844,77 @@ n=$((n + 1)) echo_i "checking server quotas for both encrypted and unencrypted HTTP ($n)" ret=0 if [ -x "$PYTHON" ]; then - BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? + BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? else - echo_i "Python is not available. Skipping the test..." + echo_i "Python is not available. Skipping the test..." fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # check whether we can use curl for sending test queries. -if [ -x "${CURL}" ] ; then - CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" - - if [ -n "$CURL_HTTP2" ]; then - testcurl=1 - else - echo_i "The available version of CURL does not have HTTP/2 support" - fi +if [ -x "${CURL}" ]; then + CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" + + if [ -n "$CURL_HTTP2" ]; then + testcurl=1 + else + echo_i "The available version of CURL does not have HTTP/2 support" + fi fi # Note: see README.curl for information on how to generate curl # queries. 
if [ -n "$testcurl" ]; then - n=$((n + 1)) - echo_i "checking max-age for positive answer ($n)" - ret=0 - # use curl to query for 'example/SOA' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=86400" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking max-age for negative answer ($n)" - ret=0 - # use curl to query for 'fake.example/TXT' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=3600" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "checking max-age for positive answer ($n)" + ret=0 + # use curl to query for 'example/SOA' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=86400" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking max-age for negative answer ($n)" + ret=0 + # use curl to query for 'fake.example/TXT' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=3600" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example12\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example12 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) 
+echo_i "checking Do53 query to NS5 for zone \"example13\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example13 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example14\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example14 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking Do53 query to NS5 for zone \"example15\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
+ret=0
+dig_with_opts +comm @10.53.0.5 example15 SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh
index d7efd9a..a4abccc 100644
--- a/bin/tests/system/dsdigest/ns1/sign.sh
+++ b/bin/tests/system/dsdigest/ns1/sign.sh
@@ -25,12 +25,12 @@ cp ../ns2/dsset-bad. .
 key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-cat $infile $key1.key $key2.key > $zonefile
+cat $infile $key1.key $key2.key >$zonefile
-$SIGNER -P -g -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile >/dev/null
 # Configure the resolving server with a static key.
-keyfile_to_static_ds $key2 > trusted.conf
+keyfile_to_static_ds $key2 >trusted.conf
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
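Review bot: The four new example12–example15 checks assert only `status: NOERROR`, which does not by itself show that NS5 answered authoritatively from a zone it obtained over XoT; a second line `grep "flags:[^;]* aa[ ;]" dig.out.test$n >/dev/null || ret=1` (the same flag-grep idiom used elsewhere in this test suite) would pin the assertion to a completed transfer rather than to any non-error response. As far as the visible lines show, NS5's role as an XoT secondary is stated only in the echo text, so a short comment explaining why a plain Do53 query is the chosen proxy for "TLS context reuse" would help the next reader. The four blocks are otherwise identical copies and would be clearer as a loop over the zone names, which also keeps the numbering and output file naming in one place.

```shell
for zone in example12 example13 example14 example15; do
  n=$((n + 1))
  echo_i "checking Do53 query to NS5 for zone \"$zone\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
  ret=0
  dig_with_opts +comm @10.53.0.5 "$zone" SOA >dig.out.test$n || ret=1
  grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
  # an authoritative answer shows the zone was actually transferred, not just that NS5 responded
  grep "flags:[^;]* aa[ ;]" dig.out.test$n >/dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done
```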
diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in index d3fd750..b20a027 100644 --- a/bin/tests/system/dsdigest/ns2/named.conf.in +++ b/bin/tests/system/dsdigest/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "good" { diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh index 5bb4fce..37456fe 100644 --- a/bin/tests/system/dsdigest/ns2/sign.sh +++ b/bin/tests/system/dsdigest/ns2/sign.sh @@ -28,16 +28,15 @@ keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2) cat $infile1 $keyname11.key $keyname12.key >$zonefile1 cat $infile2 $keyname21.key $keyname22.key >$zonefile2 -$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null -$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null +$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null +$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null DSFILENAME1=dsset-${zone1}. DSFILENAME2=dsset-${zone2}. -$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1 -$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 +$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1 +$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2 algo=SHA-384 -$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1 -$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2 - +$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1 +$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2 diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in index a2b105c..bd4eb83 100644 --- a/bin/tests/system/dsdigest/ns3/named.conf.in +++ b/bin/tests/system/dsdigest/ns3/named.conf.in @@ -33,7 +33,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in index e43763b..74e8960 100644 --- a/bin/tests/system/dsdigest/ns4/named.conf.in 
+++ b/bin/tests/system/dsdigest/ns4/named.conf.in @@ -31,7 +31,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh index 3650f4a..9d9b966 100644 --- a/bin/tests/system/dsdigest/tests.sh +++ b/bin/tests/system/dsdigest/tests.sh @@ -25,9 +25,9 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" echo_i "checking that validation with enabled digest types works" ret=0 -$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1 -grep "status: NOERROR" dig.out.good > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1 +$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1 +grep "status: NOERROR" dig.out.good >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -35,19 +35,19 @@ status=$((status + ret))
 echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
 ret=0
-$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
-grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
+$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1
+grep "SERVFAIL" dig.out.bad >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "checking that validation with no supported digest algorithms results in insecure"
 ret=0
-$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1
-grep "NOERROR" dig.out.ds > /dev/null || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1
-$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
-grep "NOERROR" dig.out.insecure > /dev/null || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
+$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1
+grep "NOERROR" dig.out.ds >/dev/null || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1
+$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1
+grep "NOERROR" dig.out.insecure >/dev/null || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "exit status: $status"
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
index 6f96c6a..b6aa8da 100644
--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -18,7 +18,7 @@ rm -rf keys/signing.test
 mkdir -p keys/signing.test
 timetodnssec() {
- $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
+ $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
 printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
 }
@@ -37,9 +37,8 @@ ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) # clear all times on all keys -for FILEN in keys/signing.test/*.key -do - $SETTIME -P none -A none -R none -I none -D none $FILEN +for FILEN in keys/signing.test/*.key; do + $SETTIME -P none -A none -R none -I none -D none $FILEN done BASE=$(date +%s) diff --git a/bin/tests/system/dupsigs/setup.sh b/bin/tests/system/dupsigs/setup.sh index 4ac8a8d..563de43 100644 --- a/bin/tests/system/dupsigs/setup.sh +++ b/bin/tests/system/dupsigs/setup.sh @@ -20,4 +20,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE copy_setports ns1/named.conf.in ns1/named.conf cp -f ns1/signing.test.db.in ns1/signing.test.db -(cd ns1; $SHELL ./reset_keys.sh) +( + cd ns1 + $SHELL ./reset_keys.sh +) diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh index 4ab3a73..939ff2d 100644 --- a/bin/tests/system/dupsigs/tests.sh +++ b/bin/tests/system/dupsigs/tests.sh 
@@ -26,20 +26,20 @@ status=0 # - 2 x 500 signatures for a{0000-0499}.signing.test. # # for a total of 1008. -fully_signed () { - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" - awk 'BEGIN { lines = 0 } +fully_signed() { + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >"dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } $4 == "RRSIG" {lines++} - END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr" + END { if (lines != 1008) exit(1) }' <"dig.out.ns1.axfr" } # Wait for the last NSEC record in the zone to be signed. This is a lightweight # alternative to avoid many AXFR requests while waiting for the zone to be # fully signed. _wait_for_last_nsec_signed() { - $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 - grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 - return 0 + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec >"dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" >/dev/null || return 1 + return 0 } echo_i "wait for the zone to be fully signed" 
@@ -52,19 +52,18 @@ now=$start end=$((start + 140)) while [ $now -lt $end ] && [ $status -eq 0 ]; do - et=$((now - start)) - echo_i "............... $et ............" - $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et - awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i - lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l) - if [ ${et} -ne 0 -a ${lines} -ne 1008 ] - then - echo_i "failed" - status=$((status + 1)) - fi - sleep 5 - now=$(date +%s) + et=$((now - start)) + echo_i "............... $et ............" + $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >dig.out.at$et + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i + lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l) + if [ ${et} -ne 0 -a ${lines} -ne 1008 ]; then + echo_i "failed" + status=$((status + 1)) + fi + sleep 5 + now=$(date +%s) done echo_i "exit status: $status" diff --git a/bin/tests/system/dyndb/driver/Makefile.in b/bin/tests/system/dyndb/driver/Makefile.in index ccfad1d..d760fb2 100644 --- a/bin/tests/system/dyndb/driver/Makefile.in +++ b/bin/tests/system/dyndb/driver/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/dyndb/prereq.sh b/bin/tests/system/dyndb/prereq.sh index 19e0467..3bab2a6 100644 
--- a/bin/tests/system/dyndb/prereq.sh +++ b/bin/tests/system/dyndb/prereq.sh @@ -13,9 +13,9 @@ . ../conf.sh -$FEATURETEST --tsan && { - echo_i "TSAN - skipping dyndb test" - exit 255 +$FEATURETEST --tsan && { + echo_i "TSAN - skipping dyndb test" + exit 255 } exit 0 diff --git a/bin/tests/system/dyndb/tests.sh b/bin/tests/system/dyndb/tests.sh index ef02dea..dc6c3d0 100644 --- a/bin/tests/system/dyndb/tests.sh +++ b/bin/tests/system/dyndb/tests.sh 
@@ -19,102 +19,100 @@ status=0 n=0 DIGOPTS="@10.53.0.1 -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=$((n + 1)) - echo_i "${1} (${n})" - ret=0 + n=$((n + 1)) + echo_i "${1} (${n})" + ret=0 } test_add() { - host="$1" - type="$2" - ip="$3" + host="$1" + type="$2" + ip="$3" - cat < ns1/update.txt + cat <ns1/update.txt server 10.53.0.1 ${PORT} ttl 86400 update add $host $type $ip send EOF - newtest "adding $host $type $ip" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed for $host $type $ip" - return 1 - } - - out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) - echo $out > added.a.out.$n - lines=$(echo "$out" | grep "$ip" | wc -l) - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=$($DIG $DIGOPTS +noall +answer -x $ip) - echo $out > added.ptr.out.$n - lines=$(echo "$out" | grep "$host" | wc -l) - [ $lines -eq 1 ] && break; - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } - - return 0 + newtest "adding $host $type $ip" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed for $host $type $ip" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >added.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >added.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 1 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 1 ] || { + [ 
"$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } + + return 0 } test_del() { - host="$1" - type="$2" + host="$1" + type="$2" - ip=$($DIG $DIGOPTS +short $host $type) + ip=$($DIG $DIGOPTS +short $host $type) - cat < ns1/update.txt + cat <ns1/update.txt server 10.53.0.1 ${PORT} update del $host $type send EOF - newtest "deleting $host $type (was $ip)" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed deleting $host $type" - return 1 - } - - out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) - echo $out > deleted.a.out.$n - lines=$(echo "$out" | grep "$ip" | wc -l) - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=$($DIG $DIGOPTS +noall +answer -x $ip) - echo $out > deleted.ptr.out.$n - lines=$(echo "$out" | grep "$host" | wc -l) - [ $lines -eq 0 ] && break - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } - - return 0 + newtest "deleting $host $type (was $ip)" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed deleting $host $type" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >deleted.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >deleted.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 0 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } 
+ + return 0 } test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1 @@ -142,8 +140,8 @@ test_del test4.ipv6.example.nil. AAAA || ret=1 status=$((status + ret)) newtest "checking parameter logging" -grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1 -grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1 +grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1 +grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1 [ $ret -eq 1 ] && echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh index f922225..b773344 100644 --- a/bin/tests/system/ecdsa/ns1/sign.sh +++ b/bin/tests/system/ecdsa/ns1/sign.sh 
@@ -24,34 +24,34 @@ echo_i "ns1/sign.sh" cp $infile $zonefile if [ -f ../ecdsa256-supported.file ]; then - zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") - ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") - cat "$ksk256.key" "$zsk256.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256 + zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") + ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") + cat "$ksk256.key" "$zsk256.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256 fi if [ -f ../ecdsa384-supported.file ]; then - zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") - ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") - cat "$ksk384.key" "$zsk384.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256 + zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") + ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") + cat "$ksk384.key" "$zsk384.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256 fi # Configure the resolving server with a static key. if [ -f ../ecdsa256-supported.file ]; then - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ecdsa384-supported.file ]; then - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err 
diff --git a/bin/tests/system/ecdsa/ns2/named.conf.in b/bin/tests/system/ecdsa/ns2/named.conf.in index fd125d3..bb8a89c 100644 --- a/bin/tests/system/ecdsa/ns2/named.conf.in +++ b/bin/tests/system/ecdsa/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in index f1a80b6..0053898 100644 --- a/bin/tests/system/ecdsa/ns3/named.conf.in +++ b/bin/tests/system/ecdsa/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh index 86cd1cf..466d015 100644 --- a/bin/tests/system/ecdsa/setup.sh +++ b/bin/tests/system/ecdsa/setup.sh @@ -16,17 +16,17 @@ set -e . ../conf.sh if $SHELL ../testcrypto.sh ecdsap256sha256; then - echo "yes" > ecdsa256-supported.file + echo "yes" >ecdsa256-supported.file fi if $SHELL ../testcrypto.sh ecdsap384sha384; then - echo "yes" > ecdsa384-supported.file + echo "yes" >ecdsa384-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh index f1210ec..f596fbf 100644 --- a/bin/tests/system/ecdsa/tests.sh +++ b/bin/tests/system/ecdsa/tests.sh 
@@ -19,35 +19,35 @@ status=0 n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ecdsa256-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA256 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA256 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA256 not supported, skipping test" + echo_i "algorithm ECDSA256 not supported, skipping test" fi if [ -f ecdsa384-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA384 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA384 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA384 not supported, skipping test" + echo_i "algorithm ECDSA384 not supported, skipping test" fi echo_i "exit status: $status" diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh index 9bf07f0..f2df328 100644 --- a/bin/tests/system/eddsa/ns1/sign.sh +++ b/bin/tests/system/eddsa/ns1/sign.sh 
@@ -24,34 +24,34 @@ echo_i "ns1/sign.sh" cp $infile $zonefile if [ -f ../ed25519-supported.file ]; then - zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") - ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") - cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256 fi if [ -f ../ed448-supported.file ]; then - zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") - ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") - cat "$ksk448.key" "$zsk448.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256 fi # Configure the resolving server with a static key. if [ -f ../ed25519-supported.file ]; then - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ed448-supported.file ]; then - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err 
diff --git a/bin/tests/system/eddsa/ns2/named.conf.in b/bin/tests/system/eddsa/ns2/named.conf.in index fd125d3..bb8a89c 100644 --- a/bin/tests/system/eddsa/ns2/named.conf.in +++ b/bin/tests/system/eddsa/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh index 6c1c479..04322fd 100644 --- a/bin/tests/system/eddsa/ns2/sign.sh +++ b/bin/tests/system/eddsa/ns2/sign.sh @@ -27,12 +27,11 @@ cp $infile $zonefile if [ -f ../ed25519-supported.file ]; then - for i in Xexample.com.+015+03613 Xexample.com.+015+35217 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in index f1a80b6..0053898 100644 --- a/bin/tests/system/eddsa/ns3/named.conf.in +++ b/bin/tests/system/eddsa/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh index e501923..7c625bc 100644 --- a/bin/tests/system/eddsa/ns3/sign.sh +++ b/bin/tests/system/eddsa/ns3/sign.sh 
@@ -26,12 +26,11 @@ echo_i "ns3/sign.sh" cp $infile $zonefile if [ -f ../ed448-supported.file ]; then - for i in Xexample.com.+016+09713 Xexample.com.+016+38353 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh index 5b1385b..98ed032 100644 --- a/bin/tests/system/eddsa/prereq.sh +++ b/bin/tests/system/eddsa/prereq.sh @@ -17,10 +17,10 @@ set -e supported=0 if $SHELL ../testcrypto.sh ed25519; then - supported=1 + supported=1 fi if $SHELL ../testcrypto.sh ed448; then - supported=1 + supported=1 fi [ "$supported" -eq 1 ] || exit 1 diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh index a0d95a9..cad2756 100644 --- a/bin/tests/system/eddsa/setup.sh +++ b/bin/tests/system/eddsa/setup.sh @@ -16,11 +16,11 @@ set -e . ../conf.sh if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf @@ -28,14 +28,14 @@ copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) ( - cd ns2 - $SHELL sign.sh + cd ns2 + $SHELL sign.sh ) ( - cd ns3 - $SHELL sign.sh + cd ns3 + $SHELL sign.sh ) 
diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh index 4fe0a0c..93cf5cb 100644 --- a/bin/tests/system/eddsa/tests.sh +++ b/bin/tests/system/eddsa/tests.sh 
@@ -19,68 +19,68 @@ status=0 n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ed25519-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed25519 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed25519 test vectors match ($n)" - ret=0 - grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' 
ns2/example.com.db.signed >/dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed25519 not supported, skipping vectors match test" + echo_i "algorithm Ed25519 not supported, skipping vectors match test" fi -n=$((n+1)) +n=$((n + 1)) ret=0 if [ -f ed448-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed448 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed448 test vectors match ($n)" - ret=0 - grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1 - grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 - grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1 + grep 
'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed448 not supported, skipping vectors match test" + echo_i "algorithm Ed448 not supported, skipping vectors match test" fi echo_i "exit status: $status" diff --git a/bin/tests/system/ednscompliance/tests.sh b/bin/tests/system/ednscompliance/tests.sh index 0c630f4..515951a 100644 --- a/bin/tests/system/ednscompliance/tests.sh +++ b/bin/tests/system/ednscompliance/tests.sh 
@@ -24,88 +24,163 @@ zone=. n=$((n + 1)) echo_i "check +edns=100 sets version 100 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n || ret=1 -grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; } +$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n || ret=1 +grep "EDNS: version: 100," dig.out$n >/dev/null || { + ret=1 + reason="version" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) ret=0 reason= echo_i "check +ednsopt=100 adds option 100 ($n)" -$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "; OPT=100" dig.out$n >/dev/null || { + ret=1 + reason="option" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "MBZ: 0x0080," dig.out$n >/dev/null || { + ret=1 + reason="flags" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version + option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed: $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep ".IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version + flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "DiG's EDNS negotiation ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh index c968d51..af9c88e 100644 --- a/bin/tests/system/emptyzones/tests.sh +++ b/bin/tests/system/emptyzones/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 
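Review bot: The reformatted `grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {` lines in the "Unknown EDNS flag" and "Unknown EDNS version + flag" checks still carry a doubled stdout redirect that the shfmt pass preserved; it is harmless at runtime but reads as a typo. A single `>/dev/null`, or `grep -q "EDNS:.*MBZ" dig.out$n && {`, expresses the intent and would match the other greps if they were converted the same way. Separately, within each check every later failing grep overwrites `reason`, so the `failed $reason` line reports only the last mismatch and an earlier cause is lost; appending (e.g. `reason="$reason status"`) would keep all of them. The last test case the hunk opens, after the final `n=$((n + 1))`, continues past the hunk.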
@@ -27,18 +27,18 @@ ret=0 rndc_reload ns1 10.53.0.1 copy_setports ns1/named2.conf.in ns1/named.conf -$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1 sleep 5 -$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1 +$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that allow-transfer { none; } works ($n)" ret=0 -$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1 -grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1 +grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/enginepkcs11/prereq.sh b/bin/tests/system/enginepkcs11/prereq.sh index 296452b..5372924 100644 --- a/bin/tests/system/enginepkcs11/prereq.sh +++ b/bin/tests/system/enginepkcs11/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then - exit 0 + exit 0 fi echo_i "skip: softhsm2-util not available" diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index 49988ad..7cae90d 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh 
@@ -18,102 +18,99 @@ set -e softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -printf '%s' "${HSMPIN:-1234}" > pin +printf '%s' "${HSMPIN:-1234}" >pin PWD=$(pwd) copy_setports ns1/named.conf.in ns1/named.conf keygen() { - type="$1" - bits="$2" - zone="$3" - id="$4" - - label="${id}-${zone}" - p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1 + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1 } keyfromlabel() { - alg="$1" - zone="$2" - id="$3" - dir="$4" - shift 4 - - $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1 - cat keyfromlabel.out.$zone.$id + alg="$1" + zone="$2" + id="$3" + dir="$4" + shift 4 + + $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 + cat keyfromlabel.out.$zone.$id } - # Setup ns1. 
dir="ns1" infile="${dir}/template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - - if $SHELL ../testcrypto.sh $alg; then - zone="$alg.example" - zonefile="zone.$alg.example.db" - ret=0 - - echo_i "Generate keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk || ret=1 - keygen $type $bits $zone enginepkcs11-ksk || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $zone $type:$bits" - zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) - test -z "$zsk1" && exit 1 - - echo_i "Get KSK $alg $zone $type:$bits" - ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) - test -z "$ksk1" && exit 1 - - ( - cd $dir - zskid1=$(keyfile_to_key_id $zsk1) - kskid1=$(keyfile_to_key_id $ksk1) - echo "$zskid1" > $zone.zskid1 - echo "$kskid1" > $zone.kskid1 - ) - - echo_i "Sign zone with $ksk1 $zsk1" - cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" - $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Generate successor keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 - keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $id-$zone $type:$bits" - zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) - test -z "$zsk2" && exit 1 - - echo_i "Get KSK $alg $id-$zone $type:$bits" - ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) - test -z "$ksk2" && exit 1 - - ( - cd $dir - zskid2=$(keyfile_to_key_id $zsk2) - kskid2=$(keyfile_to_key_id $ksk2) - echo "$zskid2" > $zone.zskid2 - echo "$kskid2" > 
$zone.kskid2 - cp "${zsk2}.key" "${zsk2}.zsk2" - cp "${ksk2}.key" "${ksk2}.ksk2" - ) - - echo_i "Add zone $zone to named.conf" - cat >> "${dir}/named.conf" <$zone.zskid1 + echo "$kskid1" >$zone.kskid1 + ) + + echo_i "Sign zone with $ksk1 $zsk1" + cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" + $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Generate successor keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 + keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $id-$zone $type:$bits" + zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) + test -z "$zsk2" && exit 1 + + echo_i "Get KSK $alg $id-$zone $type:$bits" + ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) + test -z "$ksk2" && exit 1 + + ( + cd $dir + zskid2=$(keyfile_to_key_id $zsk2) + kskid2=$(keyfile_to_key_id $ksk2) + echo "$zskid2" >$zone.zskid2 + echo "$kskid2" >$zone.kskid2 + cp "${zsk2}.key" "${zsk2}.zsk2" + cp "${ksk2}.key" "${ksk2}.ksk2" + ) + + echo_i "Add zone $zone to named.conf" + cat >>"${dir}/named.conf" < verify.out.$zone.$n 2>&1 || ret=1 - test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine. 
- zskid1=$(cat "${zone}.zskid1") - zskid2=$(cat "${zone}.zskid2") - - n=$((n+1)) - ret=0 - echo_i "Test inline signing for $zone ($n)" - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 1 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" - status=$((status+ret)) - - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new zsk ($n)" - zsk2=$(grep -v ';' K${zone}.*.zsk2) - cat > "update.cmd.zsk.$zone.$n" <verify.out.$zone.$n 2>&1 || ret=1 + test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine. + zskid1=$(cat "${zone}.zskid1") + zskid2=$(cat "${zone}.zskid2") + + n=$((n + 1)) + ret=0 + echo_i "Test inline signing for $zone ($n)" + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 1 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new zsk ($n)" + zsk2=$(grep -v ';' K${zone}.*.zsk2) + cat >"update.cmd.zsk.$zone.$n" < "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing ($n)" - _dig_dnskey() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print 
count}' dig.out.dnskey.$zone.$n) - test $count -eq 3 - ) - retry_quiet 10 _dig_dnskey || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test SOA response for $zone after inline signing ($n)" - _dig_soa() ( - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_soa || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine (key signing). - kskid1=$(cat "${zone}.kskid1") - kskid2=$(cat "${zone}.kskid2") - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new ksk ($n)" - ksk2=$(grep -v ';' K${zone}.*.ksk2) - cat > "update.cmd.ksk.$zone.$n" <"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing ($n)" + _dig_dnskey() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 3 + ) + retry_quiet 10 _dig_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test SOA response for $zone after inline signing ($n)" + _dig_soa() ( + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat 
dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_soa || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine (key signing). + kskid1=$(cat "${zone}.kskid1") + kskid2=$(cat "${zone}.kskid2") + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new ksk ($n)" + ksk2=$(grep -v ';' K${zone}.*.ksk2) + cat >"update.cmd.ksk.$zone.$n" < "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" - _dig_dnskey_ksk() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) - test $count -eq 4 || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_dnskey_ksk || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" - status=$((status+ret)) + $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" + _dig_dnskey_ksk() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { 
count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 4 || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_dnskey_ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" + status=$((status + ret)) done # Go back to main test dir. cd .. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "Checking for assertion failure in pk11_numbits()" $PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt -dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 +dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/fetchlimit/prereq.sh b/bin/tests/system/fetchlimit/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/fetchlimit/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh index a16659d..6e3f749 100644 
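Review bot: In the new fetchlimit/prereq.sh the probe `if ! ${PERL} -MNet::DNS -e ''; then` lets perl's own "Can't locate Net/DNS.pm in @INC" diagnostic reach stderr before echo_i prints the skip reason, so a host without the module gets two messages for one condition. Redirecting the probe's stderr keeps the skip message as the single output, and quoting the interpreter path avoids word-splitting if PERL ever contains spaces: `if ! "${PERL}" -MNet::DNS -e '' 2>/dev/null; then`. If the harness deliberately relies on perl's diagnostic for debugging module problems, the redirect should be left out and that intent noted in a comment.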
--- a/bin/tests/system/fetchlimit/tests.sh +++ b/bin/tests/system/fetchlimit/tests.sh @@ -18,44 +18,44 @@ set -e DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1" rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) burst() { - server=${1} - num=${4:-20} - rm -f burst.input.$$ - while [ $num -gt 0 ]; do - num=$((num-1)) - if [ "${5}" = "dup" ]; then - # burst with duplicate queries - echo "${2}${3}.lamesub.example A" >> burst.input.$$ - else - # burst with unique queries - echo "${num}${2}${3}.lamesub.example A" >> burst.input.$$ - fi - done - $PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$ - rm -f burst.input.$$ + server=${1} + num=${4:-20} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=$((num - 1)) + if [ "${5}" = "dup" ]; then + # burst with duplicate queries + echo "${2}${3}.lamesub.example A" >>burst.input.$$ + else + # burst with unique queries + echo "${num}${2}${3}.lamesub.example A" >>burst.input.$$ + fi + done + $PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$ + rm -f burst.input.$$ } stat() { - clients=$(rndccmd ${1} status | grep "recursive clients" | - sed 's;.*: \([^/][^/]*\)/.*;\1;') - echo_i "clients: $clients" - [ "$clients" = "" ] && return 1 - [ "$clients" -ge $2 ] || return 1 - [ "$clients" -le $3 ] || return 1 - return 0 + clients=$(rndccmd ${1} status | grep "recursive clients" \ + | sed 's;.*: \([^/][^/]*\)/.*;\1;') + echo_i "clients: $clients" + [ "$clients" = "" ] && return 1 + [ "$clients" -ge $2 ] || return 1 + [ "$clients" -le $3 ] || return 1 + return 0 } _wait_for_message() ( - nextpartpeek "$1" > wait_for_message.$n - grep -F "$2" wait_for_message.$n >/dev/null + nextpartpeek "$1" >wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null ) wait_for_message() ( - retry_quiet 20 _wait_for_message "$@" + retry_quiet 20 _wait_for_message "$@" ) n=0 
@@ -68,17 +68,17 @@ ret=0 rndccmd 10.53.0.3 flush touch ans4/norespond for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - burst 10.53.0.3 a $try - # fetches-per-server is at 400, but at 20qps against a lame server, - # we'll reach 200 at the tenth second, and the quota should have been - # tuned to less than that by then. - [ $try -le 5 ] && low=$((try*10)) - stat 10.53.0.3 20 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 a $try + # fetches-per-server is at 400, but at 20qps against a lame server, + # we'll reach 200 at the tenth second, and the quota should have been + # tuned to less than that by then. + [ $try -le 5 ] && low=$((try * 10)) + stat 10.53.0.3 20 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -90,7 +90,7 @@ set -- $info quota=$4 [ ${4:-200} -lt 200 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking servfail statistics ($n)" @@ -98,8 +98,8 @@ ret=0 rm -f ns3/named.stats rndccmd 10.53.0.3 stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$sspill" ] && sspill=0 
@@ -107,20 +107,20 @@ fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9 [ -z "$fails" ] && fails=0 [ "$fails" -ge "$sspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking lame server recovery ($n)" ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try - stat 10.53.0.3 0 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 b $try + stat 10.53.0.3 0 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -132,19 +132,19 @@ set -- $info [ ${4:-${quota}} -lt $quota ] || ret=1 quota=$4 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking lame server recovery (continued) ($n)" ret=0 for try in 1 2 3 4 5 6 7 8 9 10; do - burst 10.53.0.3 c $try - stat 10.53.0.3 0 20 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 c $try + stat 10.53.0.3 0 20 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -156,7 +156,7 @@ set -- $info [ ${4:-${quota}} -gt $quota ] || ret=1 quota=$4 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 
@@ -168,20 +168,20 @@ fail=0 success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try 300 - $DIGCMD a ${try}.example > dig.out.ns3.$n.$try - grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - stat 10.53.0.3 30 50 || ret=1 - [ $ret -eq 1 ] && break - rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i - sleep 1 + burst 10.53.0.3 b $try 300 + $DIGCMD a ${try}.example >dig.out.ns3.$n.$try + grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + stat 10.53.0.3 30 50 || ret=1 + [ $ret -eq 1 ] && break + rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i + sleep 1 done echo_i "$success successful valid queries, $fail SERVFAIL" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -189,8 +189,8 @@ ret=0 rm -f ns3/named.stats rndccmd 10.53.0.3 stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 @@ -198,7 +198,7 @@ drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries. [ -z "$drops" ] && drops=0 [ "$drops" -ge "$zspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 
@@ -211,23 +211,32 @@ exceeded=0 success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try 400 - $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$n.$try - stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1)) - grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - sleep 1 + burst 10.53.0.3 b $try 400 + $DIGCMD +time=2 a ${try}.example >dig.out.ns3.$n.$try + stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1)) + grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + sleep 1 done echo_i "$success successful valid queries (expected 5)" -[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; } +[ "$success" -eq 5 ] || { + echo_i "failed" + ret=1 +} echo_i "$fail SERVFAIL responses (expected 0)" -[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$fail" -eq 0 ] || { + echo_i "failed" + ret=1 +} echo_i "clients count exceeded 400 on $exceeded trials (expected 0)" -[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$exceeded" -eq 0 ] || { + echo_i "failed" + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -239,7 +248,7 @@ wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats | drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/') [ "${drops:-0}" -ne 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns5/named.run >/dev/null 
@@ -248,12 +257,12 @@ echo_i "checking clients are dropped at the clients-per-query limit ($n)" ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.5 latency $try 20 "dup" - sleep 1 + burst 10.53.0.5 latency $try 20 "dup" + sleep 1 done wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -261,8 +270,8 @@ ret=0 rm -f ns5/named.stats rndccmd 10.53.0.5 stats for try in 1 2 3 4 5; do - [ -f ns5/named.stats ] && break - sleep 1 + [ -f ns5/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 @@ -276,7 +285,7 @@ expected=55 [ "$zspill" -eq "$expected" ] || ret=1 echo_i "$zspill clients spilled (expected $expected)" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stop ns5" stop_server --use-rndc --port ${CONTROLPORT} ns5 @@ -291,12 +300,12 @@ echo_i "checking clients are dropped at the clients-per-query limit with stale-a ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.5 latency $try 20 "dup" - sleep 1 + burst 10.53.0.5 latency $try 20 "dup" + sleep 1 done wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -304,8 +313,8 @@ ret=0 rm -f ns5/named.stats rndccmd 10.53.0.5 stats for try in 1 2 3 4 5; do - [ -f ns5/named.stats ] && break - sleep 1 + [ -f ns5/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 
@@ -319,7 +328,7 @@ expected=55 [ "$zspill" -eq "$expected" ] || ret=1 echo_i "$zspill clients spilled (expected $expected)" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh index bf6f458..c29dcfa 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -20,15 +20,15 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i keyname=$(cat keygen.out) rm -f keygen.out -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns5/trusted.conf -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh index b9ce09f..2a819b3 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh 
@@ -20,8 +20,8 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh index 5ed97eb..e6cca52 100644 --- a/bin/tests/system/filter-aaaa/tests.sh +++ b/bin/tests/system/filter-aaaa/tests.sh @@ -21,26 +21,24 @@ n=0 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done # 
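Review bot: The `for conf in conf/bad*.conf; do` loop treats any non-zero exit of `$CHECKCONF "$conf"` as a correct rejection, so if the glob matches nothing the loop runs once on the literal pattern, the check command fails on a missing file and the test passes vacuously; a misconfigured `$CHECKCONF` would pass the same way. A `[ -f "$conf" ] || { echo_i "missing $conf"; ret=1; }` before the check in both loops makes an absent fixture a failure instead of a pass. As a point of style, `RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"` builds a command as a word-split string, whereas the fetchlimit test in this same commit uses an `rndccmd()` function that quotes its arguments; the function form is the safer one to standardise on.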
@@ -51,175 +49,173 @@ done n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, 
unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA 
is returned when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep 
"::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n 
> /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep 2001:db8::6 dig.out.ns1.test$n >/dev/null || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." 
fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS 
+add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi # 
@@ -230,169 +226,166 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that 
NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with 
break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not 
AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: 
NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" 
dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi - # # Recursive tests against: # filter-aaaa-on-v4 yes; 
@@ -401,146 +394,145 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 
10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking 
that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i 
"failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep 
1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)" -if testsock6 fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." 
fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -550,25 +542,24 @@ ret=0 # we need to prime the cache with addresses for the MX, since additional # section data won't be included unless it's validated, and that doesn't # necessarily happen otherwise. -$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null -$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 >/dev/null +$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 >/dev/null +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi # 
@@ -579,175 +570,172 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive 
with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" 
dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" 
dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." 
fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG 
$DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi -if ! testsock6 fd92:7065:b8e:ffff::1 -then - echo_i "IPv6 address not configured; skipping IPv6 query tests" - echo_i "exit status: $status" - exit $status +if ! testsock6 fd92:7065:b8e:ffff::1; then + echo_i "IPv6 address not configured; skipping IPv6 query tests" + echo_i "exit status: $status" + exit $status fi # Reconfiguring for IPv6 tests 
@@ -771,155 +759,154 @@ rndc_reconfig ns4 10.53.0.4 n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep 
"status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 
>dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep 
"status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n 
>/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 2001:db8::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep 
"^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - # # Authoritative tests against: # filter-aaaa-on-v6 break-dnssec; 
@@ -928,156 +915,155 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep ::2 dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep ::5 dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
-grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1
+grep "::3" dig.out.ns4.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns4.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
-grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1
+grep ::3 dig.out.ns4.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns4.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
-grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
-grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-
 #
 # Recursive tests against:
 # filter-aaaa-on-v6 yes;
@@ -1086,162 +1072,161 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep ::2 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep ::3 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
-grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1
+grep "::3" dig.out.ns2.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns2.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep ::3 dig.out.ns2.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns2.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
-grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
-grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
-grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-
 #
 # Recursive tests against:
 # filter-aaaa-on-v6 yes;
@@ -1250,157 +1235,157 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
-grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
+grep ::2 dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
-grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1
+grep "::3" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
-grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1
+grep ::3 dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
-grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1
+grep "::6" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
-grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1
+grep ::6 dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
-grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep AAAA dig.out.ns3.test$n >/dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
-grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)"
 ret=0
-$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -1411,8 +1396,8 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking filter-aaaa with dns64 ($n)"
 ret=0
-$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 >dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/bin/tests/system/formerr/tests.sh b/bin/tests/system/formerr/tests.sh
index 75f4cc0..1d1aeaf 100644
--- a/bin/tests/system/formerr/tests.sh
+++ b/bin/tests/system/formerr/tests.sh
@@ -18,29 +18,29 @@ set -e status=0 echo_i "test name too long" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out ans=$(grep got: nametoolong.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "two questions" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out ans=$(grep got: twoquestions.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi # this would be NOERROR if it included a COOKIE option, # but is a FORMERR without one. echo_i "empty question section (and no COOKIE option)" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out ans=$(grep got: noquestions.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "exit status: $status" diff --git a/bin/tests/system/forward/ns1/sign.sh b/bin/tests/system/forward/ns1/sign.sh index 0888c5f..5e85fd5 100644 --- a/bin/tests/system/forward/ns1/sign.sh +++ b/bin/tests/system/forward/ns1/sign.sh 
@@ -25,10 +25,10 @@ echo_i "ns1/sign.sh" ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a static key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns3/trusted.conf diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh new file mode 100644 index 0000000..32889aa --- /dev/null +++ b/bin/tests/system/forward/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index 09624ca..33d33cc 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -25,6 +25,6 @@ copy_setports ns9/named1.conf.in ns9/named.conf copy_setports ns10/named.conf.in ns10/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 4037f22..b942699 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh 
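Review bot: The two probes in the new forward/prereq.sh leave the interpreters' own stderr unredirected, so a missing module prints a Python traceback or Perl's "Can't locate Net/DNS.pm" diagnostic on top of the `echo_i` line; `if ! ${PYTHON} -c 'import dns' >/dev/null 2>&1; then` (and the same redirection on the Perl probe) keeps the prerequisite report to the one intended line. The script exits 1 on a missing prerequisite, whereas geoip2/prereq.sh in this same change exits 255 for its missing-support case; if the harness treats the two codes differently (skip versus hard failure), it is worth confirming that 1 is the intended code here. If `PYTHON` or `PERL` is empty, the bare `-c` / `-MNet::DNS` word is executed as the command and the same "module is required" message is printed, which is misleading rather than wrong; a `: "${PYTHON:?}" "${PERL:?}"` guard after sourcing conf.sh would make that case explicit, assuming conf.sh does not already guarantee both are set.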
@@ -17,15 +17,15 @@ set -e . ../conf.sh dig_with_opts() ( - "$DIG" -p "$PORT" "$@" + "$DIG" -p "$PORT" "$@" ) sendcmd() ( - send "$1" "$EXTRAPORT1" + send "$1" "$EXTRAPORT1" ) rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } root=10.53.0.1 
@@ -36,156 +36,156 @@ f2=10.53.0.4 status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone overrides global forwarders ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward first zone no forwarders recurses ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only zone no forwarders fails ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that global forwarders work ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example4. 
txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forwarding doesn't spontaneously happen ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone with no specified policy works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example3. 
txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only doesn't recurse ($n)" ret=0 -dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1 -grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1 +grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking for negative caching of forwarder response ($n)" # prime the cache, shutdown the forwarder then check that we can # get the answer from the cache. restart forwarder. ret=0 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 stop_server ns4 || ret=1 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. 
txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 start_server --restart --noclean --port "${PORT}" ns4 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) check_override() ( - dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NOERROR" dig.out.$n.f2 > /dev/null && - dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null + dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NOERROR" dig.out.$n.f2 >/dev/null \ + && dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forward only zone overrides empty zone ($n)" ret=0 # retry loop in case the server restart above causes transient failure retry_quiet 10 check_override || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" ret=0 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1 -dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1 -dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1 -grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1 +dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1 +dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1 +grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1 +grep "status: NXDOMAIN" 
dig.out.$n.q2 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) count_sent() ( - logfile="$1" - start_pattern="$2" - pattern="$3" - nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" + logfile="$1" + start_pattern="$2" + pattern="$3" + nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" ) check_sent() ( - expected="$1" - shift - count=$(count_sent "$@") - [ "$expected" = "$count" ] + expected="$1" + shift + count=$(count_sent "$@") + [ "$expected" = "$count" ] ) wait_for_log() ( - nextpartpeek "$1" | grep "$2" >/dev/null + nextpartpeek "$1" | grep "$2" >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" ret=0 # Make ans6 receive queries without responding to them. 
@@ -195,19 +195,19 @@ echo "//" | sendcmd 10.53.0.6 # when a delegation is encountered after falling back to full recursive # resolution. nextpart ns3/named.run >/dev/null -dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1 # The forwarder for the "example7" zone should only be queried once. start_pattern="sending packet to 10\.53\.0\.6" retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that priming queries are not forwarded ($n)" ret=0 nextpart ns7/named.run >/dev/null -dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1 received_pattern="received packet from 10\.53\.0\.1" start_pattern="sending packet to 10\.53\.0\.1" retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 
@@ -217,30 +217,30 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run || tr sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run || true) [ "$sent" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking recovery from forwarding to a non-recursive server ($n)" ret=0 -dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1 -grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 +dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1 +grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rebinding protection works in forward only mode ($n)" ret=0 # 10.53.0.5 will forward target.malicious. query to 10.53.0.4 # which in turn will return a CNAME for subdomain.rebind. # to honor the option deny-answer-aliases { "rebind"; }; # ns5 should return a SERVFAIL to avoid potential rebinding attacks -dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 -grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1 +grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Prepare ans6 for the chasing DS tests. -sendcmd 10.53.0.6 << EOF +sendcmd 10.53.0.6 <&1 | sed 's/^/ns3 /' | cat_i sleep 1 nextpart ns3/named.run >/dev/null -dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 -grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # See [GL #3129]. 
# Enable silent mode for ans11. echo "1" | sendcmd 10.53.0.11 -n=$((n+1)) +n=$((n + 1)) echo_i "checking the handling of hung DS fetch while chasing DS ($n)" ret=0 copy_setports ns3/named2.conf.in ns3/tmp -sed 's/root.db/root2.db/' ns3/tmp > ns3/named.conf +sed 's/root.db/root2.db/' ns3/tmp >ns3/named.conf rm -f ns3/tmp rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.3 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 nextpart ns3/named.run >/dev/null -dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 -grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 # Disable silent mode for ans11. echo "0" | sendcmd 10.53.0.11 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Check various spoofed response scenarios. The same tests will be # run twice, with "forward first" and "forward only" configurations. # -run_spooftests () { - n=$((n+1)) - echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 - # check 'net' is not poisoned. - dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 - grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 - # check 'sub.local.net' is not poisoned. - dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 - grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 - # check that net2/DNAME is not cached - dig_with_opts @10.53.0.9 net2. 
DNAME > dig.out.$n.net2 || ret=1 - grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 - grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 3 - extra answer ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 - # check extra net3 records are not cached - rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i - for try in 1 2 3 4 5; do - lines=$(grep "net3" ns9/named_dump.db | wc -l) - if [ ${lines} -eq 0 ]; then - sleep 1 - continue - fi - [ ${lines} -eq 1 ] || ret=1 - grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 - grep -q '^local.net3' ns9/named_dump.db && ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +run_spooftests() { + n=$((n + 1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. 
DNAME >dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } echo_i "checking spoofed response scenarios with forward first zones" 
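Review bot: The scenario-3 check in the new `run_spooftests` passes vacuously when the cache dump never shows a net3 entry: every iteration that finds zero lines does `sleep 1; continue`, and after five such iterations `ret` is still 0, so a `dumpdb` that failed or a cache with nothing for net3 reports success for a cache-poisoning regression test instead of failing it. The loop also has no `break`, so once a line is found the three greps repeat on every remaining iteration, `grep "net3" … | wc -l` is the long form of `grep -c`, and the `.` in `'^local.net3'` is unescaped. Because `run_spooftests` is invoked more than once (the caller at the end of the hunk is the "forward first" pass), a stale `ns9/named_dump.db` from the previous invocation is presumably still present when the loop first reads it and can satisfy the check before the new dump lands — removing the file ahead of `dumpdb` closes that window, though it does not address the dump being written asynchronously and read while partial. The function is entirely within the hunk; the hunk's own first line is garbled in this extraction.
```shell
  # check extra net3 records are not cached
  rm -f ns9/named_dump.db
  rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
  lines=0
  for try in 1 2 3 4 5; do
    lines=$(grep "net3" ns9/named_dump.db 2>/dev/null | wc -l)
    [ "${lines}" -eq 0 ] || break
    sleep 1
  done
  # fail, rather than pass vacuously, if no net3 entry ever appeared in the dump
  [ "${lines}" -eq 1 ] || ret=1
  grep -q '^attackSecureDomain\.net3' ns9/named_dump.db || ret=1
  grep -q '^local\.net3' ns9/named_dump.db && ret=1
  # … unchanged: failure report and status accumulation …
```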
@@ -353,31 +353,31 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 # check 'net' is poisoned. -dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1 # check 'sub.local.net' is poisoned. -dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 # check that net2/DNAME is cached -dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." 
dig.out.$n.net2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # This test doesn't use any forwarder clauses but is here because it @@ -390,17 +390,17 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking sibling glue below zone ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1 # check for glue A record for sub.local.tld is not used -dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index f436559..f6b40c2 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh @@ -33,9 +33,8 @@ cat <&2 - exit 255 + echo_i "This test requires GeoIP support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/geoip2/setup.sh b/bin/tests/system/geoip2/setup.sh index 646388f..a0eaaf7 100644 --- a/bin/tests/system/geoip2/setup.sh +++ b/bin/tests/system/geoip2/setup.sh @@ -18,6 +18,6 @@ $SHELL clean.sh copy_setports ns2/named1.conf.in ns2/named.conf for i in 1 2 3 4 5 6 7 other bogus; do - cp ns2/example.db.in ns2/example${i}.db - echo "@ IN TXT \"$i\"" >> ns2/example$i.db + cp ns2/example.db.in ns2/example${i}.db + echo "@ IN TXT \"$i\"" >>ns2/example$i.db done 
diff --git a/bin/tests/system/geoip2/tests.sh b/bin/tests/system/geoip2/tests.sh index b72a870..ac1df74 100644 --- a/bin/tests/system/geoip2/tests.sh +++ b/bin/tests/system/geoip2/tests.sh @@ -22,26 +22,24 @@ rm -f dig.out.* DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2" DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) 
@@ -49,23 +47,22 @@ echo_i "checking Country database by code using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by code using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break 
@@ -88,26 +85,25 @@ echo_i "checking Country database with nested ACLs using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database with nested ACLs using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" 
@@ -127,23 +123,22 @@ echo_i "checking Country database by name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break 
@@ -167,24 +162,23 @@ ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by continent code using IPv6 ($n)" ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break 
@@ -208,24 +202,23 @@ ret=0 lret=0 # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking City database by region code using IPv6 ($n)" ret=0 lret=0 -# skipping 2 on purpose here; it has the same region code as 1 + # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break 
@@ -249,23 +242,22 @@ echo_i "checking City database by city name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking City database by city name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break 
@@ -288,26 +280,25 @@
 echo_i "checking ISP database using IPv4 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
-if testsock6 fd92:7065:b8e:ffff::3
-then
+if testsock6 fd92:7065:b8e:ffff::3; then
 n=$((n + 1))
 echo_i "checking ISP database using IPv6 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
@@ -327,26 +318,25 @@
 echo_i "checking ASN database by org name using IPv4 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
-if testsock6 fd92:7065:b8e:ffff::3
-then
+if testsock6 fd92:7065:b8e:ffff::3; then
 n=$((n + 1))
 echo_i "checking ASN database by org name using IPv6 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
@@ -366,26 +356,25 @@
 echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
-if testsock6 fd92:7065:b8e:ffff::3
-then
+if testsock6 fd92:7065:b8e:ffff::3; then
 n=$((n + 1))
 echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
@@ -405,26 +394,25 @@
 echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
-if testsock6 fd92:7065:b8e:ffff::3
-then
+if testsock6 fd92:7065:b8e:ffff::3; then
 n=$((n + 1))
 echo_i "checking ASN database, NNNN only, using IPv6 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
@@ -444,26 +432,25 @@
 echo_i "checking Domain database using IPv4 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
-if testsock6 fd92:7065:b8e:ffff::3
-then
+if testsock6 fd92:7065:b8e:ffff::3; then
 n=$((n + 1))
 echo_i "checking Domain database using IPv6 ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
- j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
+ $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1
+ j=$(cat dig.out.ns2.test$n.$i | tr -d '"')
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
 done
 [ $lret -eq 1 ] && ret=1
 [ $ret -eq 0 ] || echo_i "failed"
@@ -481,8 +468,8 @@
 sleep 3
 n=$((n + 1))
 echo_i "checking geoip blackhole ACL ($n)"
 ret=0
-$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1
-$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1
+$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1
+$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
diff --git a/bin/tests/system/get_core_dumps.sh b/bin/tests/system/get_core_dumps.sh
index d4f6ec7..1469c3c 100755
--- a/bin/tests/system/get_core_dumps.sh
+++ b/bin/tests/system/get_core_dumps.sh
@@ -20,51 +20,51 @@ status=0 export SYSTESTDIR="${TOP_BUILDDIR}/bin/tests/system/${systest}" get_core_dumps() { - find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort + find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort } core_dumps=$(get_core_dumps | tr '\n' ' ') if [ -n "$core_dumps" ]; then - status=1 - echoinfo "I:$systest:Core dump(s) found: $core_dumps" - get_core_dumps | while read -r coredump; do - echoinfo "D:$systest:backtrace from $coredump:" - echoinfo "D:$systest:--------------------------------------------------------------------------------" - binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p") - if [ ! -f "${binary}" ]; then - binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f) - fi - "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ - -batch \ - -ex bt \ - -core="$coredump" \ - -- \ - "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d - echoinfo "D:$systest:--------------------------------------------------------------------------------" - coredump_backtrace="${coredump}-backtrace.txt" - echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace" - "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ - -batch \ - -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ - -core="$coredump" \ - -- \ - "$binary" > "$coredump_backtrace" 2>&1 - echoinfo "D:$systest:core dump $coredump archived as $coredump.gz" - gzip -1 "${coredump}" - done + status=1 + echoinfo "I:$systest:Core dump(s) found: $core_dumps" + get_core_dumps | while read -r coredump; do + echoinfo "D:$systest:backtrace from $coredump:" + echoinfo "D:$systest:--------------------------------------------------------------------------------" + binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p") + if [ ! 
-f "${binary}" ]; then + binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f) + fi + "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ + -batch \ + -ex bt \ + -core="$coredump" \ + -- \ + "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d + echoinfo "D:$systest:--------------------------------------------------------------------------------" + coredump_backtrace="${coredump}-backtrace.txt" + echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace" + "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ + -batch \ + -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ + -core="$coredump" \ + -- \ + "$binary" >"$coredump_backtrace" 2>&1 + echoinfo "D:$systest:core dump $coredump archived as $coredump.gz" + gzip -1 "${coredump}" + done fi assertion_failures=$(find "$SYSTESTDIR/" -name named.run -exec grep "assertion failure" {} + | wc -l) if [ "$assertion_failures" -ne 0 ]; then - status=1 - echoinfo "I:$systest:$assertion_failures assertion failure(s) found" + status=1 + echoinfo "I:$systest:$assertion_failures assertion failure(s) found" fi tsan_failures=$(find "$SYSTESTDIR/" -name 'tsan.*' | wc -l) if [ "$tsan_failures" -ne 0 ]; then - status=1 - echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found" - find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d + status=1 + echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found" + find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d fi exit $status diff --git a/bin/tests/system/get_ports.sh b/bin/tests/system/get_ports.sh index b44e3ef..96201f1 100755 --- a/bin/tests/system/get_ports.sh +++ b/bin/tests/system/get_ports.sh 
@@ -15,7 +15,7 @@ # individual system subtests, so every test is given a unique port range. get_sorted_test_names() { - find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u + find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u } total_tests=$(get_sorted_test_names | wc -l) @@ -27,30 +27,33 @@ port_max=$((32767 - (total_tests * ports_per_test))) baseport=0 test_index=0 while getopts "p:t:-:" OPT; do - if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then - OPT="${OPTARG%%=*}" - OPTARG="${OPTARG#$OPT}" - OPTARG="${OPTARG#=}" - fi + if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then + OPT="${OPTARG%%=*}" + OPTARG="${OPTARG#$OPT}" + OPTARG="${OPTARG#=}" + fi - # shellcheck disable=SC2214 - case "$OPT" in - p | port) baseport=$OPTARG ;; - t | test) - test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }") - if [ -z "${test_index}" ]; then - echo "Test '${OPTARG}' not found" >&2 - exit 1 - fi - ;; - -) break ;; - *) echo "invalid option" >&2; exit 1 ;; - esac + # shellcheck disable=SC2214 + case "$OPT" in + p | port) baseport=$OPTARG ;; + t | test) + test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }") + if [ -z "${test_index}" ]; then + echo "Test '${OPTARG}' not found" >&2 + exit 1 + fi + ;; + -) break ;; + *) + echo "invalid option" >&2 + exit 1 + ;; + esac done port_pool_size=$((port_max - port_min)) if [ "${baseport}" -eq 0 ]; then - baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))" + baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))" fi echo "export PORT=$((baseport))" diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh index 2dcacbf..0bfae45 100644 --- a/bin/tests/system/glue/tests.sh +++ b/bin/tests/system/glue/tests.sh 
@@ -28,7 +28,7 @@ $DIG $DIGOPTS @10.53.0.1 foo.bar.fi. A >dig.out || status=1 digcomp --lc fi.good dig.out || status=1 echo_i "testing that we don't find out-of-zone glue" -$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1 +$DIG $DIGOPTS @10.53.0.1 example.net. a >dig.out || status=1 digcomp noglue.good dig.out || status=1 echo_i "exit status: $status" diff --git a/bin/tests/system/hooks/driver/Makefile.in b/bin/tests/system/hooks/driver/Makefile.in index f97a712..30c40be 100644 --- a/bin/tests/system/hooks/driver/Makefile.in +++ b/bin/tests/system/hooks/driver/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/host/tests.sh b/bin/tests/system/host/tests.sh index c640a40..4bc3bf9 100644 --- a/bin/tests/system/host/tests.sh +++ b/bin/tests/system/host/tests.sh 
@@ -19,54 +19,54 @@ set -e status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup ($n)" ret=0 -$HOST -p ${PORT} a-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} a-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check AAAA only lookup ($n)" ret=0 -$HOST -p ${PORT} aaaa-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} aaaa-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check dual A + AAAA lookup ($n)" ret=0 -$HOST -p ${PORT} dual.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} dual.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 -grep "2001::ffff" host.out${n} > /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to A only lookup ($n)" ret=0 -$HOST -p ${PORT} cname-a-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-a-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i 
"Check CNAME to AAAA only lookup ($n)" ret=0 -$HOST -p ${PORT} cname-aaaa-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-aaaa-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to dual A + AAAA lookup ($n)" ret=0 -$HOST -p ${PORT} cname-dual.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-dual.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l host.err${n} > host.out${n} || ret=1 +$HOST -p ${PORT} -t ANY example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 lines=$(grep -c 'Address:.10\.53\.0\.1#'"${PORT}" host.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c 'example.net has SOA record ns1.example.net. hostmaster.example.net. 1397051952 5 5 1814400 3600' host.out${n}) @@ -122,7 +122,7 @@ test $lines -eq 1 || ret=1 lines=$(grep -c 'example.net name server ns1.example.net.' host.out${n}) test $lines -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh index 5f525d6..398b7e1 100644 --- a/bin/tests/system/idna/tests.sh +++ b/bin/tests/system/idna/tests.sh @@ -18,9 +18,9 @@ set -e # Set known locale for the tests if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then - LC_ALL="C.UTF-8" + LC_ALL="C.UTF-8" elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then - LC_ALL="en_US.UTF-8" + LC_ALL="en_US.UTF-8" fi export LC_ALL 
@@ -71,7 +71,6 @@ DIGCMD="$DIG -i -p ${PORT} @10.53.0.1" n=0 status=0 - # Function for extracting the qname from the response # # This is the first field in the line after the line starting @@ -80,10 +79,10 @@ status=0 # The string returned includes the trailing period. qname() { - awk 'BEGIN { qs = 0; } \ + awk 'BEGIN { qs = 0; } \ /;; QUESTION SECTION:/ { qs = 1; next; } \ qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \ - $1 + $1 } # Function for performing a test where "dig" is expected to succeed. @@ -96,26 +95,29 @@ qname() { # parameter should have that period as well. idna_test() { - n=$((n+1)) - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - { $DIGCMD $2 $3 > dig.out.$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - echo_i "failed: dig command returned non-zero status" - ret=1 - else - actual=$(qname dig.out.$n) - if [ "$4" != "$actual" ]; then - echo_i "failed: expected answer $4, actual result $actual" - ret=1 - fi + n=$((n + 1)) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + { + $DIGCMD $2 $3 >dig.out.$n 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + echo_i "failed: dig command returned non-zero status" + ret=1 + else + actual=$(qname dig.out.$n) + if [ "$4" != "$actual" ]; then + echo_i "failed: expected answer $4, actual result $actual" + ret=1 fi - status=$((status+ret)) + fi + status=$((status + ret)) } # Function for performing a test where "dig" is expected to fail 
@@ -125,20 +127,23 @@ idna_test() { # $3 - Name being queried idna_fail() { - n=$((n+1)) - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - { $DIGCMD $2 $3 > dig.out.$n 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then - echo_i "failed: dig command unexpectedly succeeded" - ret=1 - fi - status=$((status+ret)) + n=$((n + 1)) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + { + $DIGCMD $2 $3 >dig.out.$n 2>&1 + rc=$? + } || true + if [ $rc -eq 0 ]; then + echo_i "failed: dig command unexpectedly succeeded" + ret=1 + fi + status=$((status + ret)) } # Function to check that case is preserved for an all-ASCII label. 
@@ -159,235 +164,226 @@ idna_fail() { # as the qname. ascii_case_preservation_test() { - text="Checking valid ASCII label" - idna_test "$text" "" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. + text="Checking valid ASCII label" + idna_test "$text" "" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. } # Function to perform the tests if IDNA is enabled. idna_enabled_test() { - echo_i "IDNA is enabled, all IDNA tests will be performed" - # Check that case is preserved on an ASCII label. - - ascii_case_preservation_test - - - # Test of a valid U-label - # - # +noidnin +noidnout: The label is sent as a unicode octet stream and dig - # will display the string in the \nnn format. - # +noidnin +idnout: As for the previous case. - # +idnin +noidnout: The label is converted to the xn-- format. "dig" - # displays the returned xn-- text. - # +idnin +idnout: The label is converted to the xn-- format. "dig" - # converts the returned xn-- string back to the original - # unicode text. - # - # Note that ASCII characters are converted to lower-case. - - text="Checking valid non-ASCII label" - idna_test "$text" "" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." - idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." - idna_test "$text" "+idnin +idnout" "München" "münchen." 
- - - # Tests of transitional processing of a valid U-label - # - # IDNA2003 introduced national character sets but, unfortunately, didn't - # support several characters properly. One of those was the German - # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". - # So the domain “faß.de” domain (for example) was processed as “fass.de”. - # - # This was corrected in IDNA2008, although some vendors that adopted this - # standard chose to keep the existing IDNA2003 translation for this - # character to prevent problems (e.g. people visiting www.faß.example would, - # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at - # www.fa\195\159.example - a different web site). - # - # BIND has adopted a hard transition, so this test checks that these - # transitional mapping is not used. The tests are essentially the same as - # for the valid U-label. - - text="Checking that non-transitional IDNA processing is used" - idna_test "$text" "" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." - idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." - - # Another problem character. The final character in the first label mapped - # onto the Greek sigma character ("σ") in IDNA2003. - - text="Second check that non-transitional IDNA processing is used" - idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." - idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." - - - - # Tests of a valid A-label (i.e. 
starting xn--) - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding U-label. - # - # The "+[no]idnin" flag has no effect in these cases. - - text="Checking valid A-label" - idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - - # Test of valid A-label in locale that cannot display it - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding A-label. - # - # The "+[no]idnout" flag has no effect in these cases. - saved_LC_ALL="${LC_ALL}" - LC_ALL="C" - text="Checking valid A-label in C locale" - label="xn--nxasmq6b.com" - if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then - idna_test "$text" "" "$label" "$label." - idna_test "$text" "+noidnin +noidnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - idna_test "$text" "+idnin +noidnout" "$label" "$label." - idna_test "$text" "+idnin +idnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - fi - LC_ALL="${saved_LC_ALL}" - - - - # Tests of invalid A-labels - # - # +noidnin: The label is sent as-is to the server and dig will display the - # returned fake A-label in the same form. - # +idnin: "dig" should report that the label is not correct. - # - # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" - # should report an error if +idnout is specified. 
- - # The minimum length of a punycode A-label is 7 characters. Check that - # a shorter label is detected and rejected. - - text="Checking punycode label shorter than minimum valid length" - idna_test "$text" "" "xn--xx" "xn--xx." - idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." - idna_fail "$text" "+noidnin +idnout" "xn--xx" - idna_fail "$text" "+idnin +noidnout" "xn--xx" - idna_fail "$text" "+idnin +idnout" "xn--xx" - - # Fake A-label - the string does not translate to anything. - - text="Checking fake A-label" - idna_test "$text" "" "xn--ahahah" "xn--ahahah." - idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." - idna_fail "$text" "+noidnin +idnout" "xn--ahahah" - idna_fail "$text" "+idnin +noidnout" "xn--ahahah" - idna_fail "$text" "+idnin +idnout" "xn--ahahah" - - # Too long a label. The punycode string is too long (at 64 characters). - # BIND rejects such labels: with +idnin - - label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" - text="Checking punycode label longer than maximum valid length" - idna_fail "$text" "" "$label" - idna_fail "$text" "+noidnin +noidnout" "$label" - idna_fail "$text" "+noidnin +idnout" "$label" - idna_fail "$text" "+idnin +noidnout" "$label" - idna_fail "$text" "+idnin +idnout" "$label" - - # Tests of a valid unicode string but an invalid U-label (input) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are supplied on the command line to ensure no IDNA2003 - # fallbacks are in place. - # - # +noidnin: "dig" should send unicode octets to the server and display the - # returned qname in the same form. - # +idnin: "dig" should generate an error. - # - # The +[no]idnout options should not have any effect on the test. - - text="Checking invalid input U-label" - idna_test "$text" "" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." 
- idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." - idna_test "$text" "+idnin +idnout" "√.com" "√.com." - - # Tests of a valid unicode string but an invalid U-label (output) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are received in DNS responses to ensure no IDNA2003 fallbacks - # are in place. - # - # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses - # Punycode more strictly than older versions and thus dig fails with that - # combination of options with libidn2 2.2.0+ but succeeds with older - # versions. - # - # +noidnout: "dig" should send the ACE string to the server and display the - # returned qname. - # +idnout: "dig" should generate an error. - # - # The +[no]idnin options should not have any effect on the test. - - text="Checking invalid output U-label" - idna_test "$text" "" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +idnout" "xn--19g" "√." - idna_test "$text" "+idnin +idnout" "xn--19g" "√." - - - # Test that non-letter characters are preserved in the output. When - # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like - # `_` (underscore) and `*` (wildcard. - - text="Checking valid non-letter characters" - idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." - - idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." 
- idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." + echo_i "IDNA is enabled, all IDNA tests will be performed" + # Check that case is preserved on an ASCII label. + + ascii_case_preservation_test + + # Test of a valid U-label + # + # +noidnin +noidnout: The label is sent as a unicode octet stream and dig + # will display the string in the \nnn format. + # +noidnin +idnout: As for the previous case. + # +idnin +noidnout: The label is converted to the xn-- format. "dig" + # displays the returned xn-- text. + # +idnin +idnout: The label is converted to the xn-- format. "dig" + # converts the returned xn-- string back to the original + # unicode text. + # + # Note that ASCII characters are converted to lower-case. + + text="Checking valid non-ASCII label" + idna_test "$text" "" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." + idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." + idna_test "$text" "+idnin +idnout" "München" "münchen." + + # Tests of transitional processing of a valid U-label + # + # IDNA2003 introduced national character sets but, unfortunately, didn't + # support several characters properly. One of those was the German + # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". + # So the domain “faß.de” domain (for example) was processed as “fass.de”. + # + # This was corrected in IDNA2008, although some vendors that adopted this + # standard chose to keep the existing IDNA2003 translation for this + # character to prevent problems (e.g. people visiting www.faß.example would, + # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at + # www.fa\195\159.example - a different web site). 
+ # + # BIND has adopted a hard transition, so this test checks that these + # transitional mapping is not used. The tests are essentially the same as + # for the valid U-label. + + text="Checking that non-transitional IDNA processing is used" + idna_test "$text" "" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." + idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." + + # Another problem character. The final character in the first label mapped + # onto the Greek sigma character ("σ") in IDNA2003. + + text="Second check that non-transitional IDNA processing is used" + idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." + idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." + + # Tests of a valid A-label (i.e. starting xn--) + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding U-label. + # + # The "+[no]idnin" flag has no effect in these cases. + + text="Checking valid A-label" + idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." 
+ + # Test of valid A-label in locale that cannot display it + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding A-label. + # + # The "+[no]idnout" flag has no effect in these cases. + saved_LC_ALL="${LC_ALL}" + LC_ALL="C" + text="Checking valid A-label in C locale" + label="xn--nxasmq6b.com" + if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then + idna_test "$text" "" "$label" "$label." + idna_test "$text" "+noidnin +noidnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + idna_test "$text" "+idnin +noidnout" "$label" "$label." + idna_test "$text" "+idnin +idnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + fi + LC_ALL="${saved_LC_ALL}" + + # Tests of invalid A-labels + # + # +noidnin: The label is sent as-is to the server and dig will display the + # returned fake A-label in the same form. + # +idnin: "dig" should report that the label is not correct. + # + # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" + # should report an error if +idnout is specified. + + # The minimum length of a punycode A-label is 7 characters. Check that + # a shorter label is detected and rejected. + + text="Checking punycode label shorter than minimum valid length" + idna_test "$text" "" "xn--xx" "xn--xx." + idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." + idna_fail "$text" "+noidnin +idnout" "xn--xx" + idna_fail "$text" "+idnin +noidnout" "xn--xx" + idna_fail "$text" "+idnin +idnout" "xn--xx" + + # Fake A-label - the string does not translate to anything. + + text="Checking fake A-label" + idna_test "$text" "" "xn--ahahah" "xn--ahahah." + idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." 
+ idna_fail "$text" "+noidnin +idnout" "xn--ahahah" + idna_fail "$text" "+idnin +noidnout" "xn--ahahah" + idna_fail "$text" "+idnin +idnout" "xn--ahahah" + + # Too long a label. The punycode string is too long (at 64 characters). + # BIND rejects such labels: with +idnin + + label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" + text="Checking punycode label longer than maximum valid length" + idna_fail "$text" "" "$label" + idna_fail "$text" "+noidnin +noidnout" "$label" + idna_fail "$text" "+noidnin +idnout" "$label" + idna_fail "$text" "+idnin +noidnout" "$label" + idna_fail "$text" "+idnin +idnout" "$label" + + # Tests of a valid unicode string but an invalid U-label (input) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are supplied on the command line to ensure no IDNA2003 + # fallbacks are in place. + # + # +noidnin: "dig" should send unicode octets to the server and display the + # returned qname in the same form. + # +idnin: "dig" should generate an error. + # + # The +[no]idnout options should not have any effect on the test. + + text="Checking invalid input U-label" + idna_test "$text" "" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." + idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." + idna_test "$text" "+idnin +idnout" "√.com" "√.com." + + # Tests of a valid unicode string but an invalid U-label (output) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are received in DNS responses to ensure no IDNA2003 fallbacks + # are in place. + # + # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses + # Punycode more strictly than older versions and thus dig fails with that + # combination of options with libidn2 2.2.0+ but succeeds with older + # versions. 
+ # + # +noidnout: "dig" should send the ACE string to the server and display the + # returned qname. + # +idnout: "dig" should generate an error. + # + # The +[no]idnin options should not have any effect on the test. + + text="Checking invalid output U-label" + idna_test "$text" "" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +idnout" "xn--19g" "√." + idna_test "$text" "+idnin +idnout" "xn--19g" "√." + + # Test that non-letter characters are preserved in the output. When + # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like + # `_` (underscore) and `*` (wildcard. + + text="Checking valid non-letter characters" + idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." + + idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." } - # Function to perform tests if IDNA is not enabled. idna_disabled_test() { - echo_i "IDNA is disabled, only case mapping tests will be performed" - ascii_case_preservation_test + echo_i "IDNA is disabled, only case mapping tests will be performed" + ascii_case_preservation_test } - # Main test begins here if $FEATURETEST --with-libidn2; then - idna_enabled_test + idna_enabled_test else - idna_disabled_test + idna_disabled_test fi exit $status 
diff --git a/bin/tests/system/ifconfig.sh.in b/bin/tests/system/ifconfig.sh.in
index ed84fd1..9b9acd5 100755
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@@ -35,187 +35,187 @@ sys=$(@SHELL@ "$top_srcdir/config.guess") use_ip= case "$sys" in - *-*-linux*) - if type ip > /dev/null; then - use_ip=yes - elif type ifconfig > /dev/null; then - : - else - echo "$0: can't find ip or ifconfig" >&2 - exit 1 - fi - ;; + *-*-linux*) + if type ip >/dev/null; then + use_ip=yes + elif type ifconfig >/dev/null; then + : + else + echo "$0: can't find ip or ifconfig" >&2 + exit 1 + fi + ;; esac up() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - /sbin/ifconfig lo0:$int plumb - /sbin/ifconfig lo0:$int $a up - /sbin/ifconfig lo0:$int mtu 1500 - } - [ "$aaaa" ] && { - /sbin/ifconfig lo0:$int inet6 plumb - /sbin/ifconfig lo0:$int inet6 $aaaa up - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $a lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $aaaa lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; - *-*-linux*) - if [ "$use_ip" ]; then - ip address add $a/24 dev lo:$int - ip link set dev lo:$int mtu 1500 - [ "$aaaa" ] && ip address add $aaaa/64 dev lo - else - ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-*-bsdi[3-5].*) - [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - 
*-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up - [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-darwin*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *) - echo "Don't know how to set up interface. Giving up." - exit 1 - ;; - esac + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int $a up + /sbin/ifconfig lo0:$int mtu 1500 + } + [ "$aaaa" ] && { + /sbin/ifconfig lo0:$int inet6 plumb + /sbin/ifconfig lo0:$int inet6 $aaaa up + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $a lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $aaaa lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; + *-*-linux*) + if [ "$use_ip" ]; then + ip address add $a/24 dev lo:$int + ip link set dev lo:$int mtu 1500 + [ "$aaaa" ] && ip address add $aaaa/64 dev lo + else + ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-unknown-dragonfly* | *-unknown-netbsd* | *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 add $a netmask 
255.255.255.0 + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up + [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-darwin*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *) + echo "Don't know how to set up interface. Giving up." + exit 1 + ;; + esac } down() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a down - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - ifconfig lo0:$int $a down - ifconfig lo0:$int $a unplumb - } - [ "$aaaa" ] && { - ifconfig lo0:$int inet6 down - ifconfig lo0:$int inet6 unplumb - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - ipadm delete-addr lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - ipadm delete-addr lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a down + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + ifconfig lo0:$int $a down + ifconfig lo0:$int $a unplumb + } + [ "$aaaa" ] && { + ifconfig lo0:$int inet6 down + ifconfig lo0:$int inet6 unplumb + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + ipadm delete-addr lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + ipadm delete-addr lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; - *-*-linux*) - if [ "$use_ip" ]; then - [ "$a" ] && ip address del $a/24 dev 
lo:$int - [ "$aaaa" ] && ip address del $aaaa/64 dev lo - else - [ "$a" ] && ifconfig lo:$int $a down - [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-netbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-*-bsdi[3-5].*) - [ "$a" ] && ifconfig lo0 remove $a - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 delete $a - [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 - [ "$aaaa" ] && ifconfig lo0:$int inet6 :: - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *darwin*) - [ "$a" ] && ifconfig lo0 -alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *) - echo "Don't know how to destroy interface. Giving up." 
- exit 1 - ;; - esac + *-*-linux*) + if [ "$use_ip" ]; then + [ "$a" ] && ip address del $a/24 dev lo:$int + [ "$aaaa" ] && ip address del $aaaa/64 dev lo + else + [ "$a" ] && ifconfig lo:$int $a down + [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-netbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 remove $a + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 delete $a + [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 + [ "$aaaa" ] && ifconfig lo0:$int inet6 :: + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *darwin*) + [ "$a" ] && ifconfig lo0 -alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *) + echo "Don't know how to destroy interface. Giving up." + exit 1 + ;; + esac } sequence() ( - awk -v s=$1 -v e=$2 ' + awk -v s=$1 -v e=$2 ' BEGIN { for (i = s ; i <= e; i++) { print i; } exit; 
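Review bot: The fallback `*)` arms of `up()` and `down()` send "Don't know how to set up interface. Giving up." (and the destroy variant) to stdout before `exit 1`, while the probe at the top of the hunk reports `$0: can't find ip or ifconfig` with `>&2`; a diagnostic that precedes a failing exit belongs on stderr, `echo "Don't know how to set up interface. Giving up." >&2`. The Linux arm of `up()` is also the only arm that runs `ip address add $a/24 dev lo:$int` without the `[ "$a" ] &&` guard that the other arms and the Linux arm of `down()` use, so an empty `$a` would surface as an `ip` usage error rather than a silent skip; the driver at the bottom of the file always sets `a`, so this is a consistency point rather than a live bug. `type ip >/dev/null` still lets `type`'s not-found message reach stderr; `command -v ip >/dev/null 2>&1` is the quiet, portable form. `up()` and `down()` start and end inside the hunk; the file continues past it with `sequence()`.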
@@ -239,30 +239,28 @@ sequence() (
 # max=11
 case $1 in
- start|up|stop|down)
- for i in $(sequence 0 2)
- do
- case $i in
- 0) ipv6="ff" ;;
- 1) ipv6="99" ;;
- 2) ipv6="00" ;;
- *) ipv6="" ;;
- esac
- for ns in $(sequence 1 $max)
- do
- [ $i -gt 0 -a $ns -gt 2 ] && break
- int=$((i * max + ns))
- a=10.53.$i.$ns
- aaaa=fd92:7065:b8e:${ipv6}ff::$ns
- case "$1" in
- start|up) up;;
- stop|down) down;;
- esac
- done
- done
- ;;
- *)
- echo "Usage: $0 { up | down }"
- exit 1
- ;;
+ start | up | stop | down)
+ for i in $(sequence 0 2); do
+ case $i in
+ 0) ipv6="ff" ;;
+ 1) ipv6="99" ;;
+ 2) ipv6="00" ;;
+ *) ipv6="" ;;
+ esac
+ for ns in $(sequence 1 $max); do
+ [ $i -gt 0 -a $ns -gt 2 ] && break
+ int=$((i * max + ns))
+ a=10.53.$i.$ns
+ aaaa=fd92:7065:b8e:${ipv6}ff::$ns
+ case "$1" in
+ start | up) up ;;
+ stop | down) down ;;
+ esac
+ done
+ done
+ ;;
+ *)
+ echo "Usage: $0 { up | down }"
+ exit 1
+ ;;
 esac
diff --git a/bin/tests/system/include-multiplecfg/setup.sh b/bin/tests/system/include-multiplecfg/setup.sh
index 064fb01..643e872 100644
--- a/bin/tests/system/include-multiplecfg/setup.sh
+++ b/bin/tests/system/include-multiplecfg/setup.sh
@@ -15,4 +15,4 @@ $SHELL clean.sh
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/include-multiplecfg/tests.sh b/bin/tests/system/include-multiplecfg/tests.sh
index 65b4001..8422417 100644
--- a/bin/tests/system/include-multiplecfg/tests.sh
+++ b/bin/tests/system/include-multiplecfg/tests.sh
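Review bot: `[ $i -gt 0 -a $ns -gt 2 ] && break` keeps the `-a` binary operator inside `[`, which POSIX marks obsolescent and ShellCheck flags (SC2166); since this block is being reformatted anyway, `[ "$i" -gt 0 ] && [ "$ns" -gt 2 ] && break` is the portable spelling with identical meaning. The usage message in the `*)` arm, `echo "Usage: $0 { up | down }"`, goes to stdout before `exit 1` and omits the `start`/`stop` spellings the pattern above it accepts; `echo "Usage: $0 { start | up | stop | down }" >&2` fixes both.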
@@ -26,9 +26,9 @@ n=0
 n=$((n + 1))
 echo_i "checking glob include of zone1 config ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone1.com. a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^zone1.com.' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone1.com. a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^zone1.com.' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -36,9 +36,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking glob include of zone2 config ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone2.com. a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^zone2.com.' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone2.com. a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^zone2.com.' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -46,9 +46,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking include of standard file path config ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 mars.com. a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^mars.com.' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 mars.com. a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^mars.com.' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -56,7 +56,10 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking named-checkconf with glob include ($n)"
 ret=0
-(cd ns2; $CHECKCONF named.conf) || ret=1
+(
+ cd ns2
+ $CHECKCONF named.conf
+) || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
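Review bot: In the expanded subshell of the last hunk, a failing `cd ns2` does not stop the next line — the subshell carries on and `$CHECKCONF named.conf` is run against whatever `named.conf` sits in the current directory, so the check can pass or fail for the wrong reason; `cd ns2 || exit 1` inside the subshell makes the failure reach `|| ret=1` (under `set -e`, which the visible hunks do not show for this file, the subshell would already exit). The one-liner `(cd ns2; $CHECKCONF named.conf)` it replaces had the same gap, so this is not a regression, but the multi-line form is where it is cheapest to close. The four `( cd nsN; $SHELL -e sign.sh )` subshells in the inline/setup.sh hunk further down have the same shape and would take the same `|| exit 1`.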
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index 79f3774..aa0e3fa 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -12,16 +12,16 @@
 # information regarding copyright ownership.
 rm -rf ./*/*.jbk \
- ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \
- ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \
- ./*/trusted.conf \
- ./K* ./*/K* \
- ./checkecdsa \
- ./freeze.test* thaw.test* \
- ./import.key \
- ././ns*/managed-keys.bind* ./ns*/*.mkeys* \
- ./*/dsset-* ./*/nzf-* \
- ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
- ./*.out ./*.out* ./*/*.out ./*/*.out* \
- ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
- ns3/a-file ns3/removedkeys
+ ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \
+ ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \
+ ./*/trusted.conf \
+ ./K* ./*/K* \
+ ./checkecdsa \
+ ./freeze.test* thaw.test* \
+ ./import.key \
+ ././ns*/managed-keys.bind* ./ns*/*.mkeys* \
+ ./*/dsset-* ./*/nzf-* \
+ ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
+ ./*.out ./*.out* ./*/*.out ./*/*.out* \
+ ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
+ ns3/a-file ns3/removedkeys
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
index c231713..e55f5e7 100644
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -18,8 +18,8 @@ rm -f K.+*+*.key
 rm -f K.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
+$SIGNER -S -x -T 1200 -o ${zone} root.db >signer.out
 [ $? = 0 ] || cat signer.out
-keyfile_to_static_ds $keyname > trusted.conf
+keyfile_to_static_ds $keyname >trusted.conf
 cp trusted.conf ../ns6/trusted.conf
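Review bot: In the ns1/sign.sh hunk, `[ $? = 0 ] || cat signer.out` never runs when the script is started as `$SHELL -e sign.sh`, which is how the inline/setup.sh hunk further down invokes it: under `-e` a failing `$SIGNER` terminates the script before the status test, so the captured output is discarded exactly when it is wanted. `$SIGNER -S -x -T 1200 -o ${zone} root.db >signer.out || { cat signer.out; exit 1; }` prints the diagnostics and still fails the step. Without `-e` the current form only prints and then proceeds to `keyfile_to_static_ds $keyname >trusted.conf` with a zone that may not have been signed.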
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
index 38e6e90..44b7127 100644
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -13,7 +13,7 @@
 // NS2
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
index 6b3b3cd..a74a9be 100644
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -13,7 +13,7 @@
 // NS3
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index f17a8ad..0962193 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -15,7 +15,7 @@
 # Fake an unsupported key
 unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)
-awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp
 mv ${unsupportedkey}.tmp ${unsupportedkey}.key
 zone=bits
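Review bot: In the ns3/sign.sh hunk the quoting is inconsistent between adjacent lines: `unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)` quotes every expansion, while the `awk` and `mv` lines use `${unsupportedkey}.key` and `${unsupportedkey}.tmp` bare; `"${unsupportedkey}.key" >"${unsupportedkey}.tmp"` and `mv "${unsupportedkey}.tmp" "${unsupportedkey}.key"` would match the line above. The `awk` line would also read better with a comment on the magic number, e.g. `# Overwrite the DNSKEY algorithm field (column 6) with 255 to fake an unsupported algorithm.` The two named.conf.in hunks above are path renames only.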
@@ -23,36 +23,36 @@ rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
+$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null
 cp primary2.db.in updated.db
 # signatures are expired and should be regenerated on startup
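Review bot: In every zone block of this hunk the first `keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)` is immediately overwritten by the KSK line, so the ZSK name is captured for nothing and the reader has to infer that only the KSK is meant to reach `$DSFROMKEY`; `$KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone >/dev/null` says that directly (the key files are still written). The same rm/rm/keygen/keygen/dsfromkey block is repeated for bits, noixfr, primary, dynamic and updated here and again in the `@@ -61`, `@@ -91` and `@@ -100` hunks below, as well as in the ns1/sign.sh and ns8/sign.sh hunks; a small helper taking the zone name would remove the duplication and make the deliberate exceptions (the KSK-only `nsec3` block, the dated `-s`/`-e` signing of the expired zone) stand out.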
@@ -61,28 +61,28 @@ rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
+$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null
 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=nsec3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=retransfer3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=inactiveksk
 rm -f K${zone}.+*+*.key
@@ -91,7 +91,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
 keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=inactivezsk
 rm -f K${zone}.+*+*.key
@@ -100,7 +100,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$DSFROMKEY -T 1200 $keyname >>../ns1/root.db
 zone=delayedkeys
 rm -f K${zone}.+*+*.key
@@ -122,38 +122,35 @@ rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-for s in a c d h k l m q z
-do
- zone=test-$s
- keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+for s in a c d h k l m q z; do
+ zone=test-$s
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
 done
-for s in b f i o p t v
-do
- zone=test-$s
- keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
- keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+for s in b f i o p t v; do
+ zone=test-$s
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 done
 zone=externalkey
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}
-do
- k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
- k2=$($KEYGEN -q -a $alg -n zone $zone)
- k3=$($KEYGEN -q -a $alg -n zone $zone)
- k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
- $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
-
- # Convert k1 and k2 in to External Keys.
- rm -f $k1.private
- mv $k1.key a-file
- $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
- ( echo_i "importkey failed: $alg" )
- rm -f $k2.private
- mv $k2.key a-file
- $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
- ( echo_i "importkey failed: $alg" )
+for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}; do
+ k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+ k2=$($KEYGEN -q -a $alg -n zone $zone)
+ k3=$($KEYGEN -q -a $alg -n zone $zone)
+ k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+ $DSFROMKEY -T 1200 $k4 >>../ns1/root.db
+
+ # Convert k1 and k2 in to External Keys.
+ rm -f $k1.private
+ mv $k1.key a-file
+ $IMPORTKEY -P now -D now+3600 -f a-file $zone >/dev/null 2>&1 \
+ || (echo_i "importkey failed: $alg")
+ rm -f $k2.private
+ mv $k2.key a-file
+ $IMPORTKEY -f a-file $zone >/dev/null 2>&1 \
+ || (echo_i "importkey failed: $alg")
 done
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
index f454b35..169c2bb 100644
--- a/bin/tests/system/inline/ns5/named.conf.post
+++ b/bin/tests/system/inline/ns5/named.conf.post
@@ -13,7 +13,7 @@
 // NS5
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre
index 91844ac..2018289 100644
--- a/bin/tests/system/inline/ns5/named.conf.pre
+++ b/bin/tests/system/inline/ns5/named.conf.pre
@@ -13,7 +13,7 @@
 // NS5
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in
index 8237f31..05de001 100644
--- a/bin/tests/system/inline/ns6/named.conf.in
+++ b/bin/tests/system/inline/ns6/named.conf.in
@@ -13,7 +13,7 @@
 // NS6
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
@@ -35,7 +35,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 include "trusted.conf";
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
index 3a0cf86..4e99dab 100644
--- a/bin/tests/system/inline/ns7/named.conf.in
+++ b/bin/tests/system/inline/ns7/named.conf.in
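Review bot: In the externalkey loop, `|| (echo_i "importkey failed: $alg")` runs `echo_i` in a subshell for no reason and converts an `$IMPORTKEY` failure into a zero exit status, so the `-e` that setup.sh passes to this script (`$SHELL -e sign.sh` in the inline/setup.sh hunk below) never sees it and the zone is set up without its external keys while the run reports success. If the failure should be fatal, `|| { echo_i "importkey failed: $alg"; exit 1; }` on both `$IMPORTKEY` lines; if it is deliberately best-effort, drop the parentheses and say so in the comment. `k3` is assigned but never read; if the third key is wanted only as a file on disk, `$KEYGEN -q -a $alg -n zone $zone >/dev/null` makes that explicit. The named.conf hunks that follow are path renames only.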
@@ -27,7 +27,7 @@
 * one it was meant for.
 */
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
index 47bb991..a16bcad 100644
--- a/bin/tests/system/inline/ns8/named.conf.in
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -13,7 +13,7 @@
 // NS8
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
index d9b95e4..56d097d 100755
--- a/bin/tests/system/inline/ns8/sign.sh
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -14,16 +14,15 @@
 . ../../conf.sh
 for zone in example01.com example02.com example03.com example04.com \
- example05.com example06.com example07.com example08.com \
- example09.com example10.com example11.com example12.com \
- example13.com example14.com example15.com example16.com
-do
+ example05.com example06.com example07.com example08.com \
+ example09.com example10.com example11.com example12.com \
+ example13.com example14.com example15.com example16.com; do
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
 keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
 cp example.com.db.in ${zone}.db
- $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
+ $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null 2>&1
 done
 for zone in example unsigned-serial-test; do
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 84233c8..7956a84 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
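Review bot: In the ns8/sign.sh hunk, `$SIGNER ... >/dev/null 2>&1` discards both output streams, so when signing one of the sixteen zones fails the `-e` that setup.sh applies to this script (`cd ns8; $SHELL -e sign.sh` in the hunk below) aborts it without saying which zone or why. Capturing per zone, `>signer.out.${zone} 2>&1 || { cat signer.out.${zone}; exit 1; }`, keeps success quiet and prints the diagnostics on failure; the `./*/*.out*` pattern already in inline/clean.sh would remove the files. The first `keyname=$(...)` in the loop body is overwritten by the second, as noted for ns3/sign.sh. The named.conf.in hunks above are path renames only.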
@@ -50,7 +50,19 @@ copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
-(cd ns3; $SHELL -e sign.sh)
-(cd ns1; $SHELL -e sign.sh)
-(cd ns7; $SHELL -e sign.sh)
-(cd ns8; $SHELL -e sign.sh)
+(
+ cd ns3
+ $SHELL -e sign.sh
+)
+(
+ cd ns1
+ $SHELL -e sign.sh
+)
+(
+ cd ns7
+ $SHELL -e sign.sh
+)
+(
+ cd ns8
+ $SHELL -e sign.sh
+)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index e9c4554..91d0f43 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -16,36 +16,38 @@ set -e
 . ../conf.sh
 DIGOPTS="+tcp +dnssec -p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 dig_with_opts() {
- $DIG $DIGOPTS "$@"
+ $DIG $DIGOPTS "$@"
 }
 rndccmd() {
- $RNDCCMD "$@"
+ $RNDCCMD "$@"
 }
 wait_for_serial() (
- $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
- serial=$(awk '$4 == "SOA" { print $7 }' "$4")
- [ "$3" -eq "${serial:--1}" ]
+ $DIG $DIGOPTS "@$1" "$2" SOA >"$4"
+ serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+ [ "$3" -eq "${serial:--1}" ]
 )
 status=0
 n=0
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 >/dev/null 2>&1 || ret=1
-for i in 1 2 3 4 5 6 7 8 9 0
-do
- nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1
- test "$nsec3param" = "1 0 0 -" && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+ nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1
+ test "$nsec3param" = "1 0 0 -" && break
+ sleep 1
 done
-if [ $ret != 0 ]; then echo_i "pre-condition failed, test aborted"; exit 1; fi
+if [ $ret != 0 ]; then
+ echo_i "pre-condition failed, test aborted"
+ exit 1
+fi
 n=$((n + 1))
 echo_i "checking that an unsupported algorithm is not used for signing ($n)"
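Review bot: The inline/tests.sh hunk introduces the `dig_with_opts()` and `rndccmd()` wrappers, but the code right below them — `$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 ...` and `nsec3param=$($DIG $DIGOPTS ...)` — and every later hunk in this file keep calling `$RNDCCMD` and `$DIG $DIGOPTS` directly, so within the visible changes the wrappers are a second spelling that is never used; either switch these call sites to `rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 >/dev/null 2>&1 || ret=1` and `dig_with_opts +nodnssec +short @10.53.0.3 nsec3param nsec3.`, or drop the definitions if nothing outside the hunks uses them. In `for i in 1 2 3 4 5 6 7 8 9 0; do` the trailing `0` reads like a typo for `10`; it still gives ten iterations, but `for i in 1 2 3 4 5 6 7 8 9 10; do`, the form used later in the file, says what is meant. The inline/setup.sh hunk above shares the unchecked-`cd` shape already noted on include-multiplecfg/tests.sh.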
@@ -57,22 +59,21 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that rrsigs are replaced with ksk only ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
- awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr nsec3. \
+ | awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
- keys=$(grep '^Done signing' signing.out.test$n | wc -l)
- [ $keys = 2 ] || ret=1
- if [ $ret = 0 ]; then break; fi
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -80,7 +81,7 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking expired signatures are updated on load ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA >dig.out.ns3.test$n || ret=1
 expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
 [ "$expiry" = "20110101000000" ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -89,20 +90,19 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
- $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
- break; # We only want to remove 1 record for now.
-done 2>&1 |sed 's/^/ns3 /' | cat_i
-
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ans=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
- num=$(grep "Done signing with" signing.out.test$n | wc -l)
- [ $num = 1 ] && break
- sleep 1
+ $RNDCCMD 10.53.0.3 signing -clear ${key} bits >/dev/null || ret=1
+ break # We only want to remove 1 record for now.
+done 2>&1 | sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num = 1 ] && break
+ sleep 1
 done
 [ $ans = 0 ] || ret=1
@@ -112,9 +112,9 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking private type was properly signed ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1
-grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
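Review bot: In the `for i in 1 2 3 4 5 6 7 8 9 10` wait loop, `ans` is reset to 0 on every pass but never set to 1, so the `[ $ans = 0 ] || ret=1` after `done` can never fail and a timeout — the cleared key still listed after ten tries — is reported as success. Change the reset to `ans=1` and the exit test to `[ $num = 1 ] && ans=0 && break`. Separately, `for key in $keys; do ... done 2>&1 | sed 's/^/ns3 /' | cat_i` runs the loop as a pipeline stage, so the `ret=1` recorded when `rndc signing -clear` fails is lost with the subshell; write the rndc output to a file (e.g. `>rndc.out.test$n 2>&1`, a name following the `signing.out.test$n` convention) and pipe that file through `sed 's/^/ns3 /' | cat_i` afterwards. The same two issues appear in the `primary` variant at `@@ -312,20 +305,19 @@`, and the pipeline-subshell issue again in `{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1; } | sed 's/^/ns3 /' | cat_i` at `@@ -726,8 +727,8 @@`.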
@@ -122,15 +122,14 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 signing -clear all bits >/dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ans=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
- grep "No signing records found" signing.out.test$n > /dev/null || ans=1
- [ $ans = 1 ] || break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1
+ grep "No signing records found" signing.out.test$n >/dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
 done
 [ $ans = 0 ] || ret=1
@@ -141,10 +140,10 @@ n=$((n + 1))
 echo_i "checking negative private type response was properly signed ($n)"
 ret=0
 sleep 1
-$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1
-grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n || ret=1
+grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -153,30 +152,29 @@ n=$((n + 1)) echo_i "checking that the record is added on the hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 added.bits A >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that update has been transferred and has been signed ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.bits A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -185,31 +183,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072400" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -217,14 +214,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer, noixfr ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list noixfr >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -233,30 +229,29 @@ n=$((n + 1)) echo_i "checking that the record is added on the hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 added.noixfr A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that update has been transferred and has been signed, noixfr ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.noixfr A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -265,31 +260,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072400" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -297,14 +291,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the primary zone signed on initial load ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1
- keys=$(grep '^Done signing' signing.out.test$n | wc -l)
- [ $keys = 2 ] || ret=1
- if [ $ret = 0 ]; then break; fi
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -312,20 +305,19 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
- $RNDCCMD 10.53.0.3 signing -clear ${key} primary > /dev/null || ret=1
- break; # We only want to remove 1 record for now.
-done 2>&1 |sed 's/^/ns3 /' | cat_i
-
-for i in 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1
- num=$(grep "Done signing with" signing.out.test$n | wc -l)
- [ $num = 1 ] && break
- sleep 1
+ $RNDCCMD 10.53.0.3 signing -clear ${key} primary >/dev/null || ret=1
+ break # We only want to remove 1 record for now.
+done 2>&1 | sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9; do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num = 1 ] && break
+ sleep 1
 done
 [ $ans = 0 ] || ret=1
@@ -335,9 +327,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking private type was properly signed (primary) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 primary TYPE65534 > dig.out.ns6.test$n || ret=1 -grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 primary TYPE65534 >dig.out.ns6.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -345,14 +337,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all primary > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +$RNDCCMD 10.53.0.3 signing -clear all primary >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1 + grep "No signing records found" signing.out.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 
@@ -364,14 +355,13 @@ echo_i "check adding of record to unsigned primary ($n)" ret=0 cp ns3/primary2.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 primary -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns3.test$n || ret=1 - grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.primary A >dig.out.ns3.test$n || ret=1 + grep "10.0.0.5" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -380,11 +370,11 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check adding record fails when SOA serial not changed ($n)" ret=0 -echo "c A 10.0.0.3" >> ns3/primary.db +echo "c A 10.0.0.3" >>ns3/primary.db rndc_reload ns3 10.53.0.3 sleep 1 -$DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 c.primary A >dig.out.ns3.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -393,14 +383,13 @@ echo_i "check adding record works after updating SOA serial ($n)" ret=0 cp ns3/primary3.db.in ns3/primary.db $RNDCCMD 10.53.0.3 reload primary 2>&1 | sed 's/^/ns3 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 - grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 c.primary A >dig.out.ns3.test$n || ret=1 + grep "10.0.0.3" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -409,24 +398,23 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check the added record was properly signed ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns6.test$n || ret=1
-grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
-grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
-grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+$DIG $DIGOPTS @10.53.0.3 e.primary A >dig.out.ns6.test$n || ret=1
+grep "10.0.0.5" dig.out.ns6.test$n >/dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ans=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the dynamic primary zone signed on initial load ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 || ret=1
- keys=$(grep '^Done signing' signing.out.test$n | wc -l)
- [ $keys = 2 ] || ret=1
- if [ $ret = 0 ]; then break; fi
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list dynamic >signing.out.test$n 2>&1 || ret=1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
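Review bot: In "check the added record was properly signed", the three `grep` lines record failures in `ans` while the verdict two lines later reads `ret`, so a missing `10.0.0.5`, a wrong answer count or a missing `ad` flag cannot fail the check — only a `$DIG` error does — and `ans` still carries whatever the preceding loop left in it. Change the three to `|| ret=1`. The output file is named `dig.out.ns6.test$n` although the query goes to `@10.53.0.3`; `dig.out.ns3.test$n` would follow the naming used for the other 10.53.0.3 queries in this file.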
@@ -439,9 +427,9 @@ serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) # serial should have changed [ "$serial" = "2000042407" ] && ret=1 # e.updated should exist and should be signed -$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 e.updated A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 # updated.db.signed.jnl should exist, should have the source serial # of primary2.db, and should show a minimal diff: no more than 8 added # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records @@ -449,7 +437,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 $JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) [ "$serial" = "2000042408" ] || ret=1 -diffsize=$(wc -l < journalprint.out.test$n) +diffsize=$(wc -l dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +[ -f ns3/dynamic.db.jnl ] || { + ret=1 + echo_i "journal does not exist (posttest)" +} + +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.dynamic >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + grep "1.2.3.4" dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done -[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; } +[ $ans = 0 ] || { + ret=1 + echo_i "signed record not found" + cat dig.out.ns3.test$n +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -502,31 +499,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072450" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -535,31 +531,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072450" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -568,31 +563,30 @@ n=$((n + 1)) echo_i "checking forwarded update on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072460" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking forwarded update on signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -601,31 +595,30 @@ n=$((n + 1)) echo_i "checking forwarded update on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072460" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking forwarded update on signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -633,23 +626,28 @@ status=$((status + ret))
 ret=0
 n=$((n + 1))
 echo_i "checking turning on of inline signing in a secondary zone via reload ($n)"
-$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA >dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "setup broken"; fi
 status=$((status + ret))
 copy_setports ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1
+(
+ cd ns5
+ $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits
+) >/dev/null 2>&1
+(
+ cd ns5
+ $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits
+) >/dev/null 2>&1
 rndc_reload ns5 10.53.0.5
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n || ret=1
- grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
- if [ $ret = 0 ]; then break; fi
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.5 bits SOA >dig.out.ns5.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns5.test$n >/dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
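Review bot: The two `$KEYGEN` subshells discard stdout, stderr and their exit status, and the wait loop that follows resets `ret=0` on each pass, so a failed key generation (or a failed `cd ns5`) shows up only as a ten-second timeout with no diagnostic. Keep the output and report the status on each closing line, e.g. `) >keygen.out.test$n 2>&1 || echo_i "dnssec-keygen failed"` (file name constructed after the `signing.out.test$n` convention), so the cause can be read from the file rather than guessed. The same unchecked `cd` inside a reformatted subshell appears in setup.sh at `@@ -50,7 +50,19 @@`.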
@@ -657,38 +655,42 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; } +$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || { + echo_i "/' < freeze.test$n" + ret=1 +} sleep 1 -$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; } +$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || { + echo_i "rndc thaw dynamic failed" + ret=1 +} sleep 1 -grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1 +grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || ret=1 sleep 1 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } { print; } - END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new + END { print "freeze1.dynamic. 
0 TXT freeze1"; } ' ns3/dynamic.db >ns3/dynamic.db.new mv ns3/dynamic.db.new ns3/dynamic.db -$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check added record freeze1.dynamic ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
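Review bot: The failure branch of `$RNDCCMD 10.53.0.3 freeze dynamic` prints the literal text `/' < freeze.test$n` — it reads like the tail of a truncated `sed 's/^/ns3 /' <freeze.test$n | cat_i` — and the reformat carries it over unchanged, so a freeze failure produces a meaningless log line. Mirror the thaw branch a few lines below: `echo_i "rndc freeze dynamic failed"`, optionally followed by `sed 's/^/ns3 /' freeze.test$n | cat_i` so the rndc output reaches the log. This hunk starts on the previous line of the page.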
@@ -699,26 +701,25 @@ sleep 1 n=$((n + 1)) echo_i "checking rndc freeze/thaw of server ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 freeze >freeze.test$n 2>&1 || ret=1 sleep 1 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } { print; } - END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new + END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db >ns3/dynamic.db.new mv ns3/dynamic.db.new ns3/dynamic.db -$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw >thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check added record freeze2.dynamic ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -726,8 +727,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check rndc reload allows reuse of inline-signing zones ($n)" ret=0 -{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i -grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1 +{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1; } | sed 's/^/ns3 /' | cat_i +grep "not reusable" ns3/named.run >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -746,7 +747,7 @@ n=$((n + 1)) echo_i "checking that the retransfer record is added on the hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 added.retransfer A >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that the change has not been transferred due to notify ($n)" ret=0 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done -if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi +if [ $ans != 1 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check rndc retransfer of a inline secondary zone works ($n)" ret=0 $RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done [ $ans = 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; 
fi 
@@ -796,29 +798,28 @@ echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are
 ret=0
 # The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
 # which means it should not yet be available on ns3.
-$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA >dig.out.ns3.pre.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns3.pre.test$n >/dev/null || ret=1
 # Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
 # to test that multiple queued "rndc signing -nsec3param" requests are handled
 # properly.
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 >/dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
 # Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
-sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
+sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf >ns2/named.conf.new
 mv ns2/named.conf.new ns2/named.conf
 $RNDCCMD 10.53.0.2 reconfig || ret=1
 # Request ns3 to retransfer the "retransfer3" zone.
 $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
 # Check whether "retransfer3" uses NSEC3 as requested.
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ret=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
- grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
- test $ret -eq 0 && break
- sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n.$i || ret=1
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i >/dev/null || ret=1
+ grep "NSEC3" dig.out.ns3.post.test$n.$i >/dev/null || ret=1
+ test $ret -eq 0 && break
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -826,25 +827,23 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
- [ $ans = 0 ] && break
- sleep 1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.pre.test$n || ret=1
+ grep "status: NXDOMAIN" dig.out.ns3.pre.test$n >/dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.pre.test$n >/dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
 done
 $RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1
- grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
- [ $ans = 0 ] && break
- sleep 1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n || ret=1
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n >/dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.post.test$n >/dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
 done
 [ $ans = 1 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -858,25 +857,23 @@ ret=0
 zone=nsec3-loop
 # Add secondary zone using rndc
 $RNDCCMD 10.53.0.7 addzone $zone \
- '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1
+ '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1
 # Wait until secondary zone is fully signed using NSEC
-for i in 1 2 3 4 5 6 7 8 9 0
-do
- ret=1
- $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1 || ret=1
- keys=$(grep '^Done signing' signing.out.test$n | wc -l)
- [ $keys -eq 3 ] && ret=0 && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+ ret=1
+ $RNDCCMD 10.53.0.7 signing -list $zone >signing.out.test$n 2>&1 || ret=1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys -eq 3 ] && ret=0 && break
+ sleep 1
 done
 # Switch secondary zone to NSEC3
-$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone >/dev/null 2>&1 || ret=1
 # Wait until secondary zone is fully signed using NSEC3
-for i in 1 2 3 4 5 6 7 8 9 0
-do
- ret=1
- nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1
- test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+ ret=1
+ nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1
+ test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+ sleep 1
 done
 # Attempt to retransfer the secondary zone from primary
 $RNDCCMD 10.53.0.7 retransfer $zone || ret=1
@@ -887,12 +884,14 @@ $RNDCCMD 10.53.0.7 retransfer $zone || ret=1
 # instead of sending SOA queries to the signer as these may influence its
 # behavior in a way which may prevent the desired scenario from being
 # reproduced (see comment in ns7/named.conf)
-for i in 1 2 3 4 5 6 7 8 9 0
-do
- ret=1
- { grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1; rc=$?; } || true
- [ $rc -eq 0 ] && ret=0 && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 0; do
+ ret=1
+ {
+ grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run >/dev/null 2>&1
+ rc=$?
+ } || true
+ [ $rc -eq 0 ] && ret=0 && break
+ sleep 1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -918,14 +917,13 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9
-do
- ans=0
- $DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1
- grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
- [ $ans = 1 ] || break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 primary SOA >dig.out.ns3.test$n || ret=1
+ grep "hostmaster" dig.out.ns3.test$n >/dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
 done
 [ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -938,83 +936,82 @@ ret=1 # that the file modification time has no possibility of being equal to # the one stored during server startup. sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary5.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 -for i in 1 2 3 4 5 6 7 8 9 10 -do - if nextpart ns3/named.run | grep "zone primary.*sending notifies" > /dev/null; then - ret=0 - break - fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep "zone primary.*sending notifies" >/dev/null; then + ret=0 + break + fi + sleep 1 done # Sanity check: file updates should be reflected in the signed zone, # i.e. SOA RNAME should no longer be set to "hostmaster". -$DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 -grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 primary SOA >dig.out.ns3.test$n || ret=1 +grep "hostmaster" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that reloading errors prevent synchronization ($n)" ret=1 -$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA >dig.out.ns3.test$n.1 || ret=1 sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary6.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 -for i in 1 2 3 4 5 6 7 8 9 10 -do - if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null - then - ret=0 - break - fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep "not loaded due to errors" >/dev/null; then + ret=0 + break + fi + sleep 1 done # Sanity check: the SOA record should be unchanged -$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 -diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' >dig.out.ns3.test$n.2 
+diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check inline-signing with an include file ($n)" ret=0 -$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA >dig.out.ns3.test$n.1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary7.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 _includefile_loaded() { - $DIG $DIGOPTS @10.53.0.3 f.primary A > dig.out.ns3.test$n || return 1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1 - grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1 - return 0 + $DIG $DIGOPTS @10.53.0.3 f.primary A >dig.out.ns3.test$n || return 1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || return 1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || return 1 + grep "10\.0\.0\.7" dig.out.ns3.test$n >/dev/null || return 1 + return 0 } retry_quiet 10 _includefile_loaded # Sanity check: the SOA record should be changed -$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 -diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' >dig.out.ns3.test$n.2 +diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test add/del zone combinations ($n)" ret=0 -for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z -do -$RNDCCMD 10.53.0.2 addzone test-$zone \ - '{ type primary; file "bits.db.in"; allow-transfer { any; }; };' || ret=1 -$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1 -grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { 
ret=1; cat dig.out.ns2.$zone.test$n; } -$RNDCCMD 10.53.0.3 addzone test-$zone \ - '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 -$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1 +for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z; do + $RNDCCMD 10.53.0.2 addzone test-$zone \ + '{ type primary; file "bits.db.in"; allow-transfer { any; }; };' || ret=1 + $DIG $DIGOPTS @10.53.0.2 test-$zone SOA >dig.out.ns2.$zone.test$n || ret=1 + grep "status: NOERROR," dig.out.ns2.$zone.test$n >/dev/null || { + ret=1 + cat dig.out.ns2.$zone.test$n + } + $RNDCCMD 10.53.0.3 addzone test-$zone \ + '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 + $RNDCCMD 10.53.0.3 delzone test-$zone >/dev/null 2>&1 || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1022,22 +1019,27 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "testing adding external keys to a inline zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n || ret=1
-for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
-do
- [ $alg = 13 -a ! -f checkecdsa ] && continue;
-
- case $alg in
- 7) echo_i "checking NSEC3RSASHA1";;
- 8) echo_i "checking RSASHA256";;
- 13) echo_i "checking ECDSAP256SHA256";;
- *) echo_i "checking $alg";;
- esac
-
- dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
- rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
- test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
- test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+$DIG $DIGOPTS @10.53.0.3 dnskey externalkey >dig.out.ns3.test$n || ret=1
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}; do
+ [ $alg = 13 -a ! -f checkecdsa ] && continue
+
+ case $alg in
+ 7) echo_i "checking NSEC3RSASHA1" ;;
+ 8) echo_i "checking RSASHA256" ;;
+ 13) echo_i "checking ECDSAP256SHA256" ;;
+ *) echo_i "checking $alg" ;;
+ esac
+
+ dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+ rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
+ test ${dnskeys:-0} -eq 3 || {
+ echo_i "failed $alg (dnskeys ${dnskeys:-0})"
+ ret=1
+ }
+ test ${rrsigs:-0} -eq 2 || {
+ echo_i "failed $alg (rrsigs ${rrsigs:-0})"
+ ret=1
+ }
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
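Review bot: The reformatted guard `[ $alg = 13 -a ! -f checkecdsa ] && continue` keeps the `-a` conjunction and an unquoted `$alg`; POSIX leaves `test` with more than four arguments unspecified and ShellCheck flags this form (SC2166), so since the commit is already restyling this line it would be worth writing it as `[ "$alg" = 13 ] && [ ! -f checkecdsa ] && continue`. The `dnskeys=`/`rrsigs=` lines in the same loop pipe `grep` into `wc -l`, which `grep -c` does in one process with the same result for the `-eq` comparisons that follow. Both points are style only; the test logic on the new side is unchanged from the old.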
@@ -1048,21 +1050,21 @@ ret=0 key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example) cp ${key}.key import.key # import should fail -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 && ret=1 rm -f ${key}.private # private key removed; import should now succeed -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1 # now that it's an external key, re-import should succeed -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1070,12 +1072,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 sleep 1 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.ns3.post.test$n || ret=1 serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) [ ${oldserial:-0} -eq ${serial:-1} ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1087,12 +1089,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw nsec3 >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1100,9 +1102,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1110,10 +1112,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1122,12 +1124,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.2 thaw bits >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1137,29 +1139,28 @@ n=$((n + 1)) echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.pre.test$n || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n) -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.post.test$n || ret=1 - soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) - test ${soa1:-0} -ne ${soa2:-0} && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + $DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.post.test$n || ret=1 + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) + test ${soa1:-0} -ne ${soa2:-0} && break + sleep 1 done test ${soa1:-0} -ne ${soa2:-0} || ret=1 -$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 3," dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 +grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 +grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1168,31 +1169,31 @@ n=$((n + 1)) echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk >dig.out.ns3.test$n || ret=1 # # check that DNSKEY is signed with ZSK for default algorithm # awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 +zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null || ret=1 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1 # # check that DNSKEY is signed with KSK for alternative algorithm # awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 +zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY 
${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null && ret=1 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1205,14 +1206,13 @@ status=$((status + ret)) # is logged (which means the zone was not modified and will not be modified any # further in response to the relevant raw zone update). wait_until_raw_zone_update_is_processed() { - zone="$1" - for i in 1 2 3 4 5 6 7 8 9 10 - do - if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then - return - fi - sleep 1 - done + zone="$1" + for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" >/dev/null; then + return + fi + sleep 1 + done } n=$((n + 1)) 
@@ -1220,14 +1220,14 @@ echo_i "checking that changes to raw zone are applied to a previously unsigned s ret=0 # Query for bar.nokeys/A and ensure the response is negative. As this zone # does not have any signing keys set up, the response must be unsigned. -$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1247,16 +1247,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed ret=0 # Query for bar.removedkeys-primary/A and ensure the response is negative. As # this zone has signing keys set up, the response must be signed. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 # Remove the signing keys for this zone. mv -f ns3/Kremovedkeys-primary* ns3/removedkeys # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1276,14 +1276,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-primary* ns3 -$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary >/dev/null 2>&1 || ret=1 # Determine what a SOA record with a bumped serial number should look like. BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Bump the SOA serial number of the raw zone. -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1304,16 +1304,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed ret=0 # Query for bar.removedkeys-secondary/A and ensure the response is negative. As this # zone does have signing keys set up, the response must be signed. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 # Remove the signing keys for this zone. mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1333,14 +1333,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-secondary* ns3 -$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary >/dev/null 2>&1 || ret=1 # Determine what a SOA record with a bumped serial number should look like. BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Bump the SOA serial number of the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE < dig.out.ns3.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # Check that the file $2 for zone $1 does not contain RRSIG records # while the journal file for that zone does contain them. ensure_sigs_only_in_journal() { - origin="$1" - masterfile="$2" - $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1 - $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1 + origin="$1" + masterfile="$2" + $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null && ret=1 + $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null || ret=1 } n=$((n + 1)) 
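Review bot: `ensure_sigs_only_in_journal` signals failure only by assigning the global `ret`, and its header comment does not say so; the function's own exit status is just that of its last pipeline, so a caller writing `ensure_sigs_only_in_journal … || ret=1` would not catch a failure. I would extend the header with `# Reports failure by setting the global ret=1; the function's exit status is not meaningful.`. Separately, `2>&1` feeds named-checkzone's stderr into the same `grep -w RRSIG`, so an error message mentioning RRSIG would count as a match in the first check; sending stderr elsewhere than the grep input would make the check precise.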
@@ -1373,12 +1373,12 @@ ret=0 # Move keys into place now and load them, which will cause DNSSEC records to # only be present in the journal for the signed version of the zone. mv Kdelayedkeys* ns3/ -$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys delayedkeys >rndc.out.ns3.pre.test$n 2>&1 || ret=1 # Wait until the zone is signed. -check_done_signing () ( - $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true - num=$(grep "Done signing with" signing.out.test$n | wc -l) - [ $num -eq 2 ] +check_done_signing() ( + $RNDCCMD 10.53.0.3 signing -list delayedkeys >signing.out.test$n 2>&1 || true + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num -eq 2 ] ) retry_quiet 10 check_done_signing || ret=1 # Halt rather than stopping the server to prevent the file from being 
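Review bot: In `check_done_signing`, `num=$(grep "Done signing with" signing.out.test$n | wc -l)` followed by `[ $num -eq 2 ]` spawns an extra process and leaves `$num` unquoted; `grep -c` returns the count directly: `num=$(grep -c "Done signing with" signing.out.test$n)` and `[ "$num" -eq 2 ]`. The subshell body `( … )` keeps `num` out of the caller's scope, which is appropriate for a predicate passed to `retry_quiet`. The test this function belongs to continues in the next hunk.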
@@ -1394,31 +1394,31 @@ start_server --noclean --restart --port ${PORT} ns3 || ret=1 # receive_secure_serial() should refrain from introducing any zone changes. stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 || ret=1 ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 || ret=1 # We can now test whether the secure zone journal was correctly processed: # unless the records contained in it were scheduled for resigning, no resigning # event will be scheduled at all since the secure zone file contains no # DNSSEC records. wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 -$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1 -grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus delayedkeys >rndc.out.ns3.post.test$n 2>&1 || ret=1 +grep "next resign node:" rndc.out.ns3.post.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus primary > rndc.out.ns3.test$n || ret=1 -grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus primary >rndc.out.ns3.test$n || ret=1 +grep "type: primary" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n || ret=1 -grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus bits >rndc.out.ns3.test$n || ret=1 +grep "type: secondary" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1426,7 +1426,7 @@ n=$((n + 1))
 echo_i "checking reload of touched inline zones ($n)"
 ret=0
 echo_ic "pre-reload 'next key event'"
-nextpart ns8/named.run > nextpart.pre$n.out
+nextpart ns8/named.run >nextpart.pre$n.out
 count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
@@ -1435,7 +1435,7 @@ touch ns8/example??.com.db
 $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
 sleep 5
 echo_ic "post-reload 'next key event'"
-nextpart ns8/named.run > nextpart.post$n.out
+nextpart ns8/named.run >nextpart.post$n.out
 count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
 echo_ic "found: $count/16"
 [ $count -eq 16 ] || ret=1
@@ -1445,24 +1445,24 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking second reload of touched inline zones ($n)" ret=0 -nextpart ns8/named.run > nextpart.pre$n.out +nextpart ns8/named.run >nextpart.pre$n.out $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i sleep 5 -nextpart ns8/named.run > nextpart.post$n.out +nextpart ns8/named.run >nextpart.post$n.out grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" ret=0 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1 cp ns8/example2.db.in ns8/example.db || ret=1 -nextpart ns8/named.run > /dev/null +nextpart ns8/named.run >/dev/null rndccmd 10.53.0.8 reload || ret=1 wait_for_log 3 "all zones loaded" ns8/named.run sleep 1 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) 
@@ -1471,22 +1471,22 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1 test ${ttl1:-0} -eq 300 || ret=1 test ${ttl2:-0} -eq 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1 stop_server --use-rndc --port ${CONTROLPORT} ns8 || ret=1 # TTL of all records change from 300 to 400 cp ns8/example3.db.in ns8/example.db || ret=1 rm -f ns8/example.db.jnl -nextpart ns8/named.run > /dev/null +nextpart ns8/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns8 || ret=1 wait_for_log 3 "all zones loaded" ns8/named.run sleep 1 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) @@ -1495,7 +1495,7 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1 test ${ttl1:-0} -eq 300 || ret=1 test ${ttl2:-0} -eq 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/integrity/ns1/named.conf.in b/bin/tests/system/integrity/ns1/named.conf.in index 00d9dba..c1c092f 100644 --- a/bin/tests/system/integrity/ns1/named.conf.in +++ b/bin/tests/system/integrity/ns1/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "mx-cname-fail" { diff --git a/bin/tests/system/integrity/tests.sh b/bin/tests/system/integrity/tests.sh index 65648b4..6c87273 100644 --- a/bin/tests/system/integrity/tests.sh 
+++ b/bin/tests/system/integrity/tests.sh 
@@ -22,108 +22,108 @@ n=1 echo_i "check that 'check-integrity yes; check-mx-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail > dig.out.test$n || ret=1 -grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail >dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-mx-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-mx-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ 
$ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 
'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail > dig.out.test$n || ret=1 -grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail >dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n >/dev/null || ret=1 +grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n 
>/dev/null || ret=1 +grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > 
/dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/isctest/__init__.py b/bin/tests/system/isctest/__init__.py new file mode 100644 index 0000000..0f2eae1 --- /dev/null +++ b/bin/tests/system/isctest/__init__.py @@ -0,0 +1,13 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from . import check +from . import query diff --git a/bin/tests/system/isctest/check.py b/bin/tests/system/isctest/check.py new file mode 100644 index 0000000..1fabad7 --- /dev/null +++ b/bin/tests/system/isctest/check.py 
@@ -0,0 +1,34 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from typing import Any + +import dns.rcode +import dns.message + + +# compatiblity with dnspython<2.0.0 +try: + # In dnspython>=2.0.0, dns.rcode.Rcode class is available + # pylint: disable=invalid-name + dns_rcode = dns.rcode.Rcode # type: Any +except AttributeError: + # In dnspython<2.0.0, selected rcodes are available as integers directly + # from dns.rcode + dns_rcode = dns.rcode + + +def rcode(message: dns.message.Message, expected_rcode) -> None: + assert message.rcode() == expected_rcode, str(message) + + +def noerror(message: dns.message.Message) -> None: + rcode(message, dns_rcode.NOERROR) diff --git a/bin/tests/system/isctest/query.py b/bin/tests/system/isctest/query.py new file mode 100644 index 0000000..5da1ef8 --- /dev/null +++ b/bin/tests/system/isctest/query.py 
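Review bot: `rcode` and `noerror` are added without docstrings, and `expected_rcode` is the only parameter in the module left unannotated. I would add `"""Assert that message's RCODE equals expected_rcode; on failure the assertion text is the full DNS message."""` to `rcode` and `"""Assert that message carries RCODE NOERROR."""` to `noerror`, plus a module docstring saying that these helpers report failure by raising AssertionError, so callers must treat that as a test failure. A short comment on `expected_rcode` explaining that it stays untyped because the dnspython<2 fallback makes `dns_rcode` an `Any` would save the next reader from "fixing" it.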
@@ -0,0 +1,35 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +from typing import Optional + +import dns.query +import dns.message + + +QUERY_TIMEOUT = 10 + + +def udp( + message: dns.message.Message, ip: str, port: Optional[int] = None +) -> dns.message.Message: + if port is None: + port = int(os.environ["PORT"]) + return dns.query.udp(message, ip, QUERY_TIMEOUT, port=port) + + +def tcp( + message: dns.message.Message, ip: str, port: Optional[int] = None +) -> dns.message.Message: + if port is None: + port = int(os.environ["PORT"]) + return dns.query.tcp(message, ip, QUERY_TIMEOUT, port=port) diff --git a/bin/tests/system/ixfr/prereq.sh b/bin/tests/system/ixfr/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/ixfr/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh index 65aedf6..0c5a282 100644 --- a/bin/tests/system/ixfr/setup.sh +++ b/bin/tests/system/ixfr/setup.sh 
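Review bot: `udp` and `tcp` depend on the `PORT` environment variable through `os.environ["PORT"]`, which raises a bare KeyError when it is unset and a ValueError when it is not numeric, and neither the functions nor the module document that contract. I would give each a docstring such as `"""Send message to ip and return the response; port defaults to int($PORT) from the environment and the timeout is QUERY_TIMEOUT seconds."""` and mark `QUERY_TIMEOUT` as seconds. The duplicated port resolution could become a single `_default_port()` helper, which would also be the place to raise a clearer error when `PORT` is missing.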
@@ -24,8 +24,8 @@ copy_setports ns5/named.conf.in ns5/named.conf # versions of the zone, the second and third having small changes # and the fourth having a large one. -testdb () { - cat << EOF +testdb() { + cat < ns3/mytest.db -testdb test. 2 61 > ns3/mytest1.db -testdb test. 3 62 > ns3/mytest2.db -testdb test. 4 0 > ns3/mytest3.db +testdb test. 1 60 >ns3/mytest.db +testdb test. 2 61 >ns3/mytest1.db +testdb test. 3 62 >ns3/mytest2.db +testdb test. 4 0 >ns3/mytest3.db # Set up similar db files for sub.test, which will have IXFR disabled -testdb sub.test. 1 60 > ns3/subtest.db -testdb sub.test. 3 61 > ns3/subtest1.db +testdb sub.test. 1 60 >ns3/subtest.db +testdb sub.test. 3 61 >ns3/subtest1.db # Set up a large zone i=0 -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 3 > ns3/large.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 3 >ns3/large.db while [ $i -lt 10000 ]; do - echo "record$i 10 IN TXT this is record %i" >> ns3/large.db - i=$((i+1)) + echo "record$i 10 IN TXT this is record %i" >>ns3/large.db + i=$((i + 1)) done diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh index f1e3b62..ca13639 100644 --- a/bin/tests/system/ixfr/tests.sh +++ b/bin/tests/system/ixfr/tests.sh @@ -21,23 +21,22 @@ set -e . ../conf.sh wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 n=0 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf -s" sendcmd() { - send 10.53.0.2 "${EXTRAPORT1}" + send 10.53.0.2 "${EXTRAPORT1}" } - -n=$((n+1)) +n=$((n + 1)) echo_i "testing initial AXFR ($n)" ret=0 
@@ -75,9 +74,9 @@ retry_quiet 10 wait_for_serial 10.53.0.1 nil. 1 dig.out.test$n || ret=1 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'initial AXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing successful IXFR ($n)" ret=0 @@ -108,9 +107,9 @@ sleep 2 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'successful IXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing AXFR fallback after IXFR failure (not exact error) ($n)" ret=0 @@ -143,9 +142,9 @@ sleep 2 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'fallback AXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing AXFR fallback after IXFR failure (bad SOA owner) ($n)" ret=0 @@ -180,12 +179,12 @@ $RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i # malformed IXFR. Instead, check transfer progress by querying for a TXT record # at test.nil. which is present in both IXFR and AXFR (with different contents). _wait_until_transfer_is_finished() { - $DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT > dig.out.test$n.1 && - grep -q -F "serial 4" dig.out.test$n.1 + $DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT >dig.out.test$n.1 \ + && grep -q -F "serial 4" dig.out.test$n.1 } if ! retry_quiet 10 _wait_until_transfer_is_finished; then - echo_i "timed out waiting for version 4 of zone nil. to be transferred" - ret=1 + echo_i "timed out waiting for version 4 of zone nil. to be transferred" + ret=1 fi # At this point a broken server would be serving a zone with no SOA records. 
@@ -196,27 +195,29 @@ $RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i # happened by now, a broken server would never serve the record which is only # present in the fallback AXFR, so checking for that is enough to verify if a # server is broken or not; if it is, it is bound to crash shortly anyway. -$DIG $DIGOPTS test.nil. TXT @10.53.0.1 > dig.out.test$n.2 || ret=1 +$DIG $DIGOPTS test.nil. TXT @10.53.0.1 >dig.out.test$n.2 || ret=1 grep -q -F "serial 4, fallback AXFR" dig.out.test$n.2 || ret=1 # Ensure the expected error is logged. nextpart ns1/named.run | grep -q -F "SOA name mismatch" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences option ($n)" # ns3 is primary; ns4 is secondary -{ $CHECKZONE test. ns3/mytest.db > /dev/null 2>&1; rc=$?; } || true -if [ $rc -ne 0 ] -then - echo_i "named-checkzone returned failure on ns3/mytest.db" +{ + $CHECKZONE test. ns3/mytest.db >/dev/null 2>&1 + rc=$? +} || true +if [ $rc -ne 0 ]; then + echo_i "named-checkzone returned failure on ns3/mytest.db" fi retry_quiet 10 wait_for_serial 10.53.0.4 test. 1 dig.out.test$n || ret=1 -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null # modify the primary sleep 1 
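Review bot: When `$CHECKZONE` fails inside the rewritten brace group, the test only logs `named-checkzone returned failure on ns3/mytest.db` and leaves `ret` untouched, so the ixfr-from-differences test cannot fail on a bad zone file; add `ret=1` after that `echo_i`. Unlike the other tests in this file, there is also no `ret=0` after `echo_i "testing ixfr-from-differences option ($n)"`, so a failure from the previous test is carried into this one's `status` accumulation; insert `ret=0` there. `wait_for_serial`, called at the end of the hunk, is defined at the top of the file outside this hunk.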
@@ -230,16 +231,16 @@ retry_quiet 10 wait_for_serial 10.53.0.3 test. 2 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1 fi wait_for_log 10 'got incremental' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing 'request-ixfr no' option inheritance from view ($n)" ret=0 # There's a view with 2 zones. In the view, "request-ixfr yes" @@ -249,7 +250,7 @@ ret=0 sleep 1 cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i # wait for primary to reload 
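Review bot: The re-indented re-notify branch pipes `$RNDCCMD 10.53.0.3 notify test` into `set 's/^/ns3 /'`, which appears to be a typo for `sed`; the `set` builtin only assigns a positional parameter in the pipeline subshell and prints nothing, so rndc's output never reaches `cat_i`, and because the pipeline still succeeds the loss is invisible. The line should read `$RNDCCMD 10.53.0.3 notify test | sed 's/^/ns3 /' | cat_i`, and the comment above it `# re-notify after 5 seconds, then wait another 10`. The same three lines recur in the hunks at -259 (for `sub.test`) and -283 (including the ns5 block), and should be fixed together.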
@@ -259,21 +260,21 @@ retry_quiet 10 wait_for_serial 10.53.0.3 sub.test. 3 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1 fi wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing 'request-ixfr yes' option inheritance from view ($n)" ret=0 sleep 1 cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i # wait for primary to reload 
@@ -283,144 +284,144 @@ retry_quiet 10 wait_for_serial 10.53.0.3 test. 3 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1 fi wait_for_log 10 'got incremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing DiG's handling of a multi message AXFR style IXFR response ($n)" ( -(sleep 10 && kill $$) 2>/dev/null & -sub=$! -$DIG -p ${PORT} ixfr=0 large @10.53.0.3 > dig.out.test$n -kill $sub + (sleep 10 && kill $$) 2>/dev/null & + sub=$! 
+ $DIG -p ${PORT} ixfr=0 large @10.53.0.3 >dig.out.test$n + kill $sub ) lines=$(grep hostmaster.large dig.out.test$n | wc -l) test ${lines:-0} -eq 2 || ret=1 messages=$(sed -n 's/^;;.*messages \([0-9]*\),.*/\1/p' dig.out.test$n) test ${messages:-0} -gt 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'dig +notcp ixfr=' vs 'dig ixfr= +notcp' vs 'dig ixfr=' ($n)" ret=0 # Should be "switch to TCP" response -$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 > dig.out1.test$n || ret=1 -$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 >dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 >dig.out2.test$n || ret=1 digcomp dig.out1.test$n dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { if ($7 == 3) exit(0); else exit(1);}' dig.out1.test$n || ret=1 # -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null # Should be incremental transfer. -$DIG $DIGOPTS ixfr=1 test @10.53.0.4 > dig.out3.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 test @10.53.0.4 >dig.out3.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END { if (soacnt == 6) exit(0); else exit(1);}' dig.out3.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check estimated IXFR size ($n)" ret=0 # note IXFR delta size will be slightly bigger with version 1 transaction # headers as there is no correction for the overall record length storage. 
# Ver1 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) + (6 * 4) = 330 # Ver2 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) = 306 -nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" > /dev/null || ret=1 +nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # make sure ns5 has transfered the zone # wait for secondary to reload tret=0 retry_quiet 5 wait_for_serial 10.53.0.5 test. 4 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1 fi -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' (serial < current) ($n)" ret=0 -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 msg="IXFR delta response disabled due to 'provide-ixfr no;' being set" -nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1 +nextpart ns5/named.run | grep "$msg" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' 
(serial = current) ($n)" ret=0 # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=3 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=3 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' (serial > current) ($n)" ret=0 # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=4 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=4 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether dig calculates IXFR statistics correctly ($n)" ret=0 -$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. ixfr=2 > dig.out1.test$n -get_dig_xfer_stats dig.out1.test$n > stats.dig -diff ixfr-stats.good stats.dig > /dev/null || ret=1 +$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. 
ixfr=2 >dig.out1.test$n +get_dig_xfer_stats dig.out1.test$n >stats.dig +diff ixfr-stats.good stats.dig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Note: in the next two tests, we use ns4 logs for checking both incoming and # outgoing transfer statistics as ns4 is both a secondary server (for ns3) and a # primary server (for dig queries from the previous test) for "test". -_wait_for_stats () { - get_named_xfer_stats ns4/named.run "$1" test "$2" > "$3" - diff ixfr-stats.good "$3" > /dev/null || return 1 - return 0 +_wait_for_stats() { + get_named_xfer_stats ns4/named.run "$1" test "$2" >"$3" + diff ixfr-stats.good "$3" >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates incoming IXFR statistics correctly ($n)" ret=0 retry_quiet 10 _wait_for_stats 10.53.0.3 "Transfer completed" stats.incoming || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates outgoing IXFR statistics correctly ($n)" retry_quiet 10 _wait_for_stats 10.53.0.4 "IXFR ended" stats.outgoing || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing fallback to AXFR when max-ixfr-ratio is exceeded ($n)" -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null sleep 1 cp ns3/mytest3.db ns3/mytest.db # change to test zone, too big for IXFR 
@@ -430,14 +431,14 @@ $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1 fi wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/journal/setup.sh b/bin/tests/system/journal/setup.sh index e9b0072..6017f1c 100644 --- a/bin/tests/system/journal/setup.sh +++ b/bin/tests/system/journal/setup.sh @@ -44,7 +44,7 @@ cp ns1/generic.db.in ns1/maxjournal2.db cp ns1/maxjournal2.jnl.saved ns1/maxjournal2.db.jnl cp ns1/managed-keys.bind.in ns1/managed-keys.bind -$PERL ../fromhex.pl < ns1/managed-keys.bind.jnl.in > ns1/managed-keys.bind.jnl +$PERL ../fromhex.pl ns1/managed-keys.bind.jnl copy_setports ns2/named.conf.in ns2/named.conf cp ns2/managed-keys.bind.in ns2/managed-keys.bind diff --git a/bin/tests/system/journal/tests.sh b/bin/tests/system/journal/tests.sh index 5dbceb8..79b90ba 100644 --- a/bin/tests/system/journal/tests.sh +++ b/bin/tests/system/journal/tests.sh @@ -16,11 +16,11 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@" + "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@" } rndc_with_opts() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } status=0 
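Review bot: The re-notify branch pipes rndc output through the shell builtin `set` instead of `sed` (`$RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i`), so `set` rewrites the positional parameters of its pipeline subshell, prints nothing, and cat_i never sees the notify output; the reload line just above this block already uses the intended form. Change it to `$RNDCCMD 10.53.0.3 notify test | sed 's/^/ns3 /' | cat_i`, and while touching the line fix the comment typo `# re-notify after 5 seconds, then wait another 10`. The same `set` line appears in the earlier ns5 re-notify block of this file, whose hunk starts outside this view. Note also that this fallback path only ever sets `ret`, never `tret`, so a first-attempt failure that the re-notify recovers from is silently accepted, which looks intentional but deserves a comment.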
@@ -29,26 +29,26 @@ n=0 n=$((n + 1)) echo_i "check outdated journal rolled forward (dynamic) ($n)" ret=0 -dig_with_opts changed soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null || ret=1 +dig_with_opts changed soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated empty journal did not cause an error (dynamic) ($n)" ret=0 -dig_with_opts unchanged soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010901' dig.out.test$n > /dev/null || ret=1 +dig_with_opts unchanged soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010901' dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated journals were updated or removed (dynamic) ($n)" ret=0 -cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ -f ns1/unchanged.db.jnl ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) 
@@ -56,36 +56,36 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check updated journal has correct RR count (dynamic) ($n)" ret=0 -$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " > /dev/null || ret=1 +$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format journal rolled forward (dynamic) ($n)" ret=0 -dig_with_opts changed2 soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run > /dev/null || ret=1 -grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +dig_with_opts changed2 soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run >/dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format empty journal did not cause error (dynamic) ($n)" ret=0 -dig_with_opts unchanged2 soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010901' dig.out.test$n > /dev/null || ret=1 -grep 'zone unchanged2/IN: journal rollforward completed successfully' ns1/named.run > /dev/null && ret=1 -grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +dig_with_opts unchanged2 soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010901' dig.out.test$n >/dev/null || ret=1 +grep 'zone unchanged2/IN: journal rollforward completed 
successfully' ns1/named.run >/dev/null && ret=1 +grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format journals were updated or removed (dynamic) ($n)" ret=0 -cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ -f ns1/unchanged2.db.jnl ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) 
@@ -93,29 +93,29 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check outdated up-to-date journal succeeded (ixfr-from-differences) ($n)" ret=0 -dig_with_opts -t soa ixfr > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa ixfr >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated journal was updated (ixfr-from-differences) ($n)" ret=0 -cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check journal with mixed headers succeeded (version 1,2,1,2) ($n)" ret=0 -dig_with_opts -t soa hdr1d1d2d1d2 > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010905' dig.out.test$n > /dev/null || ret=1 -grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 -grep 'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run > /dev/null || ret=1 -grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa hdr1d1d2d1d2 >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010905' dig.out.test$n >/dev/null || ret=1 +grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run >/dev/null || ret=1 +grep 
'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run >/dev/null || ret=1 +grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -132,12 +132,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check journal with mixed headers succeeded (version 2,1,2,1) ($n)" ret=0 -dig_with_opts -t soa hdr1d2d1d2d1 > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010905' dig.out.test$n > /dev/null || ret=1 -grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 -grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run > /dev/null || ret=1 -grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa hdr1d2d1d2d1 >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010905' dig.out.test$n >/dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run >/dev/null || ret=1 +grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run >/dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -165,10 +165,9 @@ echo_i "Check that journal with mixed headers can be compacted (version 1,2,1,2) ret=0 journal=ns1/d1212.jnl.saved seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') -for serial in $seriallist -do - cp $journal tmp.jnl - $JOURNALPRINT -c $serial tmp.jnl || ret=1 +for serial in $seriallist; do + cp $journal tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) 
@@ -178,10 +177,9 @@ echo_i "Check that journal with mixed headers can be compacted (version 2,1,2,1) ret=0 journal=ns1/d2121.jnl.saved seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') -for serial in $seriallist -do - cp ns1/d1212.jnl.saved tmp.jnl - $JOURNALPRINT -c $serial tmp.jnl || ret=1 +for serial in $seriallist; do + cp ns1/d1212.jnl.saved tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -189,7 +187,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check upgrade of managed-keys.bind.jnl succeeded($n)" ret=0 -$JOURNALPRINT ns1/managed-keys.bind.jnl > journalprint.out.test$n +$JOURNALPRINT ns1/managed-keys.bind.jnl >journalprint.out.test$n lines=$(awk '$1 == "add" && $5 == "SOA" && $8 == "3297" { print }' journalprint.out.test$n | wc -l) test $lines -eq 1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -212,12 +210,12 @@ n=$((n + 1)) echo_i "check max-journal-size works after journal update ($n)" ret=0 # journal was repaired, it should still be big -[ $(wc -c < ns1/maxjournal.db.jnl) -gt 12000 ] || ret=1 +[ $(wc -c &1 | grep -q "Offset mismatch" && ret=1 + $JOURNALPRINT -x $jnl 2>&1 | grep -q "Offset mismatch" && ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -250,7 +248,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that journal is applied to zone with keydata placeholder record" ret=0 -grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run > /dev/null 2>&1 || ret=1 +grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" echo_i "exit status: $status" diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index 4c44ac9..26487cd 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh 
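Review bot: In the "version 2,1,2,1" compaction loop the serial list is taken from `journal=ns1/d2121.jnl.saved` but each iteration copies the other journal, `cp ns1/d1212.jnl.saved tmp.jnl`, so the 2,1,2,1 file is never actually compacted and the serials being passed to `$JOURNALPRINT -c` belong to a different journal. This looks like copy-paste residue from the 1,2,1,2 test in the previous hunk, which correctly uses `cp $journal tmp.jnl`; the same line should be used here. As written the test can pass or fail for reasons unrelated to the mixed-header case it claims to cover.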
@@ -69,70 +69,69 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0=" # STATE_STAT key_key() { - echo "${1}__${2}" + echo "${1}__${2}" } key_get() { - eval "echo \${$(key_key "$1" "$2")}" + eval "echo \${$(key_key "$1" "$2")}" } key_set() { - eval "$(key_key "$1" "$2")='$3'" + eval "$(key_key "$1" "$2")='$3'" } key_stat() { - $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" + $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" } # Save certain values in the KEY array. -key_save() -{ - # Save key id. - key_set "$1" ID "$KEY_ID" - # Save base filename. - key_set "$1" BASEFILE "$BASE_FILE" - # Save creation date. - key_set "$1" CREATED "${KEY_CREATED}" - # Save key change time. - key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") - key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") - key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") +key_save() { + # Save key id. + key_set "$1" ID "$KEY_ID" + # Save base filename. + key_set "$1" BASEFILE "$BASE_FILE" + # Save creation date. + key_set "$1" CREATED "${KEY_CREATED}" + # Save key change time. + key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") + key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") + key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") } # Clear key state. # # This will update either the KEY1, KEY2, or KEY3 array. 
key_clear() { - key_set "$1" "ID" 'no' - key_set "$1" "IDPAD" 'no' - key_set "$1" "EXPECT" 'no' - key_set "$1" "ROLE" 'none' - key_set "$1" "KSK" 'no' - key_set "$1" "ZSK" 'no' - key_set "$1" "FLAGS" '0' - key_set "$1" "LIFETIME" 'none' - key_set "$1" "ALG_NUM" '0' - key_set "$1" "ALG_STR" 'none' - key_set "$1" "ALG_LEN" '0' - key_set "$1" "CREATED" '0' - key_set "$1" "PUBLISHED" 'none' - key_set "$1" "SYNCPUBLISH" 'none' - key_set "$1" "ACTIVE" 'none' - key_set "$1" "RETIRED" 'none' - key_set "$1" "REVOKED" 'none' - key_set "$1" "REMOVED" 'none' - key_set "$1" "GOAL" 'none' - key_set "$1" "STATE_DNSKEY" 'none' - key_set "$1" "STATE_KRRSIG" 'none' - key_set "$1" "STATE_ZRRSIG" 'none' - key_set "$1" "STATE_DS" 'none' - key_set "$1" "EXPECT_ZRRSIG" 'no' - key_set "$1" "EXPECT_KRRSIG" 'no' - key_set "$1" "LEGACY" 'no' - key_set "$1" "PRIVATE" 'yes' - key_set "$1" "PRIVKEY_STAT" '0' - key_set "$1" "PUBKEY_STAT" '0' - key_set "$1" "STATE_STAT" '0' + key_set "$1" "ID" 'no' + key_set "$1" "IDPAD" 'no' + key_set "$1" "EXPECT" 'no' + key_set "$1" "ROLE" 'none' + key_set "$1" "KSK" 'no' + key_set "$1" "ZSK" 'no' + key_set "$1" "FLAGS" '0' + key_set "$1" "LIFETIME" 'none' + key_set "$1" "ALG_NUM" '0' + key_set "$1" "ALG_STR" 'none' + key_set "$1" "ALG_LEN" '0' + key_set "$1" "CREATED" '0' + key_set "$1" "PUBLISHED" 'none' + key_set "$1" "SYNCPUBLISH" 'none' + key_set "$1" "ACTIVE" 'none' + key_set "$1" "RETIRED" 'none' + key_set "$1" "REVOKED" 'none' + key_set "$1" "REMOVED" 'none' + key_set "$1" "GOAL" 'none' + key_set "$1" "STATE_DNSKEY" 'none' + key_set "$1" "STATE_KRRSIG" 'none' + key_set "$1" "STATE_ZRRSIG" 'none' + key_set "$1" "STATE_DS" 'none' + key_set "$1" "EXPECT_ZRRSIG" 'no' + key_set "$1" "EXPECT_KRRSIG" 'no' + key_set "$1" "LEGACY" 'no' + key_set "$1" "PRIVATE" 'yes' + key_set "$1" "PRIVKEY_STAT" '0' + key_set "$1" "PUBKEY_STAT" '0' + key_set "$1" "STATE_STAT" '0' } # Start clear. 
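Review bot: `key_set` splices its value into the string that `eval` re-parses, `eval "$(key_key "$1" "$2")='$3'"`, so any value containing a single quote ends the literal and the remainder is interpreted as shell code; the values come from the test script itself, so this is a robustness issue rather than an exposure, but it is fragile for the timestamps and file paths that `key_save` stores. The POSIX-sh-safe form defers expansion until after the re-parse, `eval "$(key_key "$1" "$2")=\$3"`, which needs no quoting of the value at all and keeps the same interface. A one-line comment on `key_get`/`key_set` noting that `$1` and `$2` must be identifier characters (they become a variable name) would document the remaining constraint.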
@@ -150,122 +149,122 @@ key_clear "KEY4" # Call dig with default options. _dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. _rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - _qtype=$1 - _output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output" + _qtype=$1 + _output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$_output" } # Get the key ids from key files for zone $2 in directory $1. get_keyids() { - _dir=$1 - _zone=$2 - _regex="K${_zone}.+*+*.key" + _dir=$1 + _zone=$2 + _regex="K${_zone}.+*+*.key" - find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," + find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," } # By default log errors and don't quit immediately. _log=1 _log_error() { - test $_log -eq 1 && echo_i "error: $1" - ret=$((ret+1)) + test $_log -eq 1 && echo_i "error: $1" + ret=$((ret + 1)) } disable_logerror() { - _log=0 + _log=0 } enable_logerror() { - _log=1 + _log=1 } # Set server key-directory ($1) and address ($2) for testing keys. set_server() { - DIR=$1 - SERVER=$2 + DIR=$1 + SERVER=$2 } # Set zone name for testing keys. 
set_zone() { - ZONE=$1 - DYNAMIC="no" + ZONE=$1 + DYNAMIC="no" } # By default zones are considered static. # When testing dynamic zones, call 'set_dynamic' after 'set_zone'. set_dynamic() { - DYNAMIC="yes" + DYNAMIC="yes" } # Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. set_policy() { - POLICY=$1 - NUM_KEYS=$2 - DNSKEY_TTL=$3 - CDS_DELETE="no" + POLICY=$1 + NUM_KEYS=$2 + DNSKEY_TTL=$3 + CDS_DELETE="no" } # By default policies are considered to be secure. # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the # system test to expect a CDS and CDNSKEY Delete record. set_cdsdelete() { - CDS_DELETE="yes" + CDS_DELETE="yes" } # Set key properties for testing keys. # $1: Key to update (KEY1, KEY2, ...) # $2: Value set_keyrole() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ROLE" "$2" - key_set "$1" "KSK" "no" - key_set "$1" "ZSK" "no" - key_set "$1" "FLAGS" "0" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ROLE" "$2" + key_set "$1" "KSK" "no" + key_set "$1" "ZSK" "no" + key_set "$1" "FLAGS" "0" - test "$2" = "ksk" && key_set "$1" "KSK" "yes" - test "$2" = "ksk" && key_set "$1" "FLAGS" "257" + test "$2" = "ksk" && key_set "$1" "KSK" "yes" + test "$2" = "ksk" && key_set "$1" "FLAGS" "257" - test "$2" = "zsk" && key_set "$1" "ZSK" "yes" - test "$2" = "zsk" && key_set "$1" "FLAGS" "256" + test "$2" = "zsk" && key_set "$1" "ZSK" "yes" + test "$2" = "zsk" && key_set "$1" "FLAGS" "256" - test "$2" = "csk" && key_set "$1" "KSK" "yes" - test "$2" = "csk" && key_set "$1" "ZSK" "yes" - test "$2" = "csk" && key_set "$1" "FLAGS" "257" + test "$2" = "csk" && key_set "$1" "KSK" "yes" + test "$2" = "csk" && key_set "$1" "ZSK" "yes" + test "$2" = "csk" && key_set "$1" "FLAGS" "257" - return 0 + return 0 } set_keylifetime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "LIFETIME" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "LIFETIME" "$2" } # The algorithm value consists of three parts: # $2: Algorithm (number) # $3: 
Algorithm (string-format) # $4: Algorithm length set_keyalgorithm() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ALG_NUM" "$2" - key_set "$1" "ALG_STR" "$3" - key_set "$1" "ALG_LEN" "$4" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ALG_NUM" "$2" + key_set "$1" "ALG_STR" "$3" + key_set "$1" "ALG_LEN" "$4" } set_keysigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_KRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_KRRSIG" "$2" } set_zonesigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_ZRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_ZRRSIG" "$2" } # Set key timing metadata. Set to "none" to unset. @@ -273,8 +272,8 @@ set_zonesigning() { # $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). # $3: Value set_keytime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "$2" "$3" + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" } # Set key timing metadata to a value plus additional time. 
@@ -283,12 +282,12 @@ set_keytime() { # $3: Value # $4: Additional time. set_addkeytime() { - if [ -x "$PYTHON" ]; then - # Convert "%Y%m%d%H%M%S" format to epoch seconds. - # Then, add the additional time (can be negative). - _value=$3 - _plus=$4 - $PYTHON > python.out.$ZONE.$1.$2 <python.out.$ZONE.$1.$2 < "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" - KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") - - if [ "$_private" = "yes" ]; then - grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch created in $PRIVATE_FILE" - fi - if [ "$_legacy" = "no" ]; then - grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || _log_error "mismatch generated in $STATE_FILE" - fi - - test $_log -eq 1 && echo_i "check key file $BASE_FILE" - - # Check the public key file. - grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || _log_error "mismatch top comment in $KEY_FILE" - grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" - # Now check the private key file. - if [ "$_private" = "yes" ]; then - grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" - grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" - fi - # Now check the key state file. - if [ "$_legacy" = "no" ]; then - grep "This is the state of key ${_key_id}, for ${_zone}." 
"$STATE_FILE" > /dev/null || _log_error "mismatch top comment in $STATE_FILE" - if [ "$_lifetime" = "none" ]; then - grep "Lifetime: " "$STATE_FILE" > /dev/null && _log_error "unexpected lifetime in $STATE_FILE" - else - grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || _log_error "mismatch lifetime in $STATE_FILE" - fi - grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || _log_error "mismatch algorithm in $STATE_FILE" - grep "Length: ${_length}" "$STATE_FILE" > /dev/null || _log_error "mismatch length in $STATE_FILE" - grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || _log_error "mismatch ksk in $STATE_FILE" - grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || _log_error "mismatch zsk in $STATE_FILE" - - # Check key states. - if [ "$_goal" = "none" ]; then - grep "GoalState: " "$STATE_FILE" > /dev/null && _log_error "unexpected goal state in $STATE_FILE" - else - grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || _log_error "mismatch goal state in $STATE_FILE" - fi - - if [ "$_state_dnskey" = "none" ]; then - grep "DNSKEYState: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey change in $STATE_FILE" - else - grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey change in $STATE_FILE" - fi - - if [ "$_state_zrrsig" = "none" ]; then - grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" - else - grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" - fi - - if [ "$_state_krrsig" 
= "none" ]; then - grep "KRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig change in $STATE_FILE" - else - grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig change in $STATE_FILE" - fi - - if [ "$_state_ds" = "none" ]; then - grep "DSState: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds change in $STATE_FILE" - else - grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || _log_error "mismatch ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE" - fi - fi - - return 0 + _dir="$DIR" + _zone="$ZONE" + _role=$(key_get "$1" ROLE) + _key_idpad="$2" + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + _alg_string=$(key_get "$1" ALG_STR) + _length=$(key_get "$1" "ALG_LEN") + _dnskey_ttl="$DNSKEY_TTL" + _lifetime=$(key_get "$1" LIFETIME) + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + _flags=$(key_get "$1" FLAGS) + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _ksk="no" + _zsk="no" + if [ "$_role" = "ksk" ]; then + _ksk="yes" + elif [ "$_role" = "zsk" ]; then + _zsk="yes" + elif [ "$_role" = "csk" ]; then + _zsk="yes" + _ksk="yes" + fi + + _role2="none" + if [ "$_flags" = "257" ]; then + 
_role2="key-signing" + elif [ "$_flags" = "256" ]; then + _role2="zone-signing" + fi + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + if [ "$_private" = "yes" ]; then + [ -s "$PRIVATE_FILE" ] || ret=1 + fi + if [ "$_legacy" = "no" ]; then + [ -s "$STATE_FILE" ] || ret=1 + fi + [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" + [ "$ret" -eq 0 ] || return 0 + + # Retrieve creation date. + grep "; Created:" "$KEY_FILE" >"${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' <"${ZONE}.${KEY_ID}.${_alg_num}.created") + + if [ "$_private" = "yes" ]; then + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch created in $PRIVATE_FILE" + fi + if [ "$_legacy" = "no" ]; then + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" >/dev/null || _log_error "mismatch generated in $STATE_FILE" + fi + + test $_log -eq 1 && echo_i "check key file $BASE_FILE" + + # Check the public key file. + grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" >/dev/null || _log_error "mismatch top comment in $KEY_FILE" + grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" >/dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" + # Now check the private key file. + if [ "$_private" = "yes" ]; then + grep "Private-key-format: v1.3" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" + grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" + fi + # Now check the key state file. + if [ "$_legacy" = "no" ]; then + grep "This is the state of key ${_key_id}, for ${_zone}." 
"$STATE_FILE" >/dev/null || _log_error "mismatch top comment in $STATE_FILE" + if [ "$_lifetime" = "none" ]; then + grep "Lifetime: " "$STATE_FILE" >/dev/null && _log_error "unexpected lifetime in $STATE_FILE" + else + grep "Lifetime: ${_lifetime}" "$STATE_FILE" >/dev/null || _log_error "mismatch lifetime in $STATE_FILE" + fi + grep "Algorithm: ${_alg_num}" "$STATE_FILE" >/dev/null || _log_error "mismatch algorithm in $STATE_FILE" + grep "Length: ${_length}" "$STATE_FILE" >/dev/null || _log_error "mismatch length in $STATE_FILE" + grep "KSK: ${_ksk}" "$STATE_FILE" >/dev/null || _log_error "mismatch ksk in $STATE_FILE" + grep "ZSK: ${_zsk}" "$STATE_FILE" >/dev/null || _log_error "mismatch zsk in $STATE_FILE" + + # Check key states. + if [ "$_goal" = "none" ]; then + grep "GoalState: " "$STATE_FILE" >/dev/null && _log_error "unexpected goal state in $STATE_FILE" + else + grep "GoalState: ${_goal}" "$STATE_FILE" >/dev/null || _log_error "mismatch goal state in $STATE_FILE" + fi + + if [ "$_state_dnskey" = "none" ]; then + grep "DNSKEYState: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey change in $STATE_FILE" + else + grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey change in $STATE_FILE" + fi + + if [ "$_state_zrrsig" = "none" ]; then + grep "ZRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" + else + grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" + fi + + if [ "$_state_krrsig" = "none" ]; then 
+ grep "KRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig change in $STATE_FILE" + else + grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig change in $STATE_FILE" + fi + + if [ "$_state_ds" = "none" ]; then + grep "DSState: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds change in $STATE_FILE" + else + grep "DSState: ${_state_ds}" "$STATE_FILE" >/dev/null || _log_error "mismatch ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch ds change in $STATE_FILE" + fi + fi + + return 0 } # Check the key timing metadata for key $1. check_timingmetadata() { - _dir="$DIR" - _zone="$ZONE" - _key_idpad=$(key_get "$1" ID) - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" "$_alg_num") - - _published=$(key_get "$1" PUBLISHED) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - _goal=$(key_get "$1" GOAL) - _state_dnskey=$(key_get "$1" STATE_DNSKEY) - _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) - _state_krrsig=$(key_get "$1" STATE_KRRSIG) - _state_ds=$(key_get "$1" STATE_DS) - - _base_file=$(key_get "$1" BASEFILE) - _key_file="${_base_file}.key" - _private_file="${_base_file}.private" - _state_file="${_base_file}.state" - _legacy=$(key_get "$1" LEGACY) - _private=$(key_get "$1" PRIVATE) - - _published=$(key_get "$1" PUBLISHED) - _syncpublish=$(key_get "$1" SYNCPUBLISH) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - # Check 
timing metadata. - n=$((n+1)) - echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" - ret=0 - - if [ "$_published" = "none" ]; then - grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Publish:" "${_private_file}" > /dev/null && _log_error "unexpected publish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: " "${_state_file}" > /dev/null && _log_error "unexpected publish in ${_state_file}" - fi - else - grep "; Publish: $_published" "${_key_file}" > /dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" - if [ "$_private" = "yes" ]; then - grep "Publish: $_published" "${_private_file}" > /dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: $_published" "${_state_file}" > /dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" - fi - fi - - if [ "$_syncpublish" = "none" ]; then - grep "; SyncPublish:" "${_key_file}" > /dev/null && _log_error "unexpected syncpublish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "SyncPublish:" "${_private_file}" > /dev/null && _log_error "unexpected syncpublish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: " "${_state_file}" > /dev/null && _log_error "unexpected syncpublish in ${_state_file}" - fi - else - grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" - if [ "$_private" = "yes" ]; then - grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || _log_error "mismatch syncpublish in 
${_state_file} (expected ${_syncpublish})" - fi - fi - - if [ "$_active" = "none" ]; then - grep "; Activate:" "${_key_file}" > /dev/null && _log_error "unexpected active comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Activate:" "${_private_file}" > /dev/null && _log_error "unexpected active in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: " "${_state_file}" > /dev/null && _log_error "unexpected active in ${_state_file}" - fi - else - grep "; Activate: $_active" "${_key_file}" > /dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" - if [ "$_private" = "yes" ]; then - grep "Activate: $_active" "${_private_file}" > /dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: $_active" "${_state_file}" > /dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" - fi - fi - - if [ "$_retired" = "none" ]; then - grep "; Inactive:" "${_key_file}" > /dev/null && _log_error "unexpected retired comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Inactive:" "${_private_file}" > /dev/null && _log_error "unexpected retired in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: " "${_state_file}" > /dev/null && _log_error "unexpected retired in ${_state_file}" - fi - else - grep "; Inactive: $_retired" "${_key_file}" > /dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" - if [ "$_private" = "yes" ]; then - grep "Inactive: $_retired" "${_private_file}" > /dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: $_retired" "${_state_file}" > /dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" - fi - fi - - if [ "$_revoked" = "none" ]; then - grep "; Revoke:" "${_key_file}" > /dev/null && _log_error "unexpected 
revoked comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Revoke:" "${_private_file}" > /dev/null && _log_error "unexpected revoked in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: " "${_state_file}" > /dev/null && _log_error "unexpected revoked in ${_state_file}" - fi - else - grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" - if [ "$_private" = "yes" ]; then - grep "Revoke: $_revoked" "${_private_file}" > /dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: $_revoked" "${_state_file}" > /dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" - fi - fi - - if [ "$_removed" = "none" ]; then - grep "; Delete:" "${_key_file}" > /dev/null && _log_error "unexpected removed comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Delete:" "${_private_file}" > /dev/null && _log_error "unexpected removed in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: " "${_state_file}" > /dev/null && _log_error "unexpected removed in ${_state_file}" - fi - else - grep "; Delete: $_removed" "${_key_file}" > /dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" - if [ "$_private" = "yes" ]; then - grep "Delete: $_removed" "${_private_file}" > /dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: $_removed" "${_state_file}" > /dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + 
_published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + # Check timing metadata. + n=$((n + 1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + + if [ "$_published" = "none" ]; then + grep "; Publish:" "${_key_file}" >/dev/null && _log_error "unexpected publish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Publish:" "${_private_file}" >/dev/null && _log_error "unexpected publish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: " "${_state_file}" >/dev/null && _log_error "unexpected publish in ${_state_file}" + fi + else + grep "; Publish: $_published" "${_key_file}" >/dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + if [ "$_private" = "yes" ]; then + grep "Publish: $_published" "${_private_file}" >/dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: $_published" "${_state_file}" >/dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" >/dev/null && _log_error "unexpected 
syncpublish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "SyncPublish:" "${_private_file}" >/dev/null && _log_error "unexpected syncpublish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: " "${_state_file}" >/dev/null && _log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" >/dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + if [ "$_private" = "yes" ]; then + grep "SyncPublish: $_syncpublish" "${_private_file}" >/dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" >/dev/null || _log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" + fi + fi + + if [ "$_active" = "none" ]; then + grep "; Activate:" "${_key_file}" >/dev/null && _log_error "unexpected active comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Activate:" "${_private_file}" >/dev/null && _log_error "unexpected active in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: " "${_state_file}" >/dev/null && _log_error "unexpected active in ${_state_file}" + fi + else + grep "; Activate: $_active" "${_key_file}" >/dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" + if [ "$_private" = "yes" ]; then + grep "Activate: $_active" "${_private_file}" >/dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: $_active" "${_state_file}" >/dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" + fi + fi + + if [ "$_retired" = "none" ]; then + grep "; Inactive:" "${_key_file}" >/dev/null && _log_error "unexpected retired comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Inactive:" "${_private_file}" 
>/dev/null && _log_error "unexpected retired in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: " "${_state_file}" >/dev/null && _log_error "unexpected retired in ${_state_file}" + fi + else + grep "; Inactive: $_retired" "${_key_file}" >/dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + if [ "$_private" = "yes" ]; then + grep "Inactive: $_retired" "${_private_file}" >/dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: $_retired" "${_state_file}" >/dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" + fi + fi + + if [ "$_revoked" = "none" ]; then + grep "; Revoke:" "${_key_file}" >/dev/null && _log_error "unexpected revoked comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Revoke:" "${_private_file}" >/dev/null && _log_error "unexpected revoked in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: " "${_state_file}" >/dev/null && _log_error "unexpected revoked in ${_state_file}" + fi + else + grep "; Revoke: $_revoked" "${_key_file}" >/dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + if [ "$_private" = "yes" ]; then + grep "Revoke: $_revoked" "${_private_file}" >/dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: $_revoked" "${_state_file}" >/dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" + fi + fi + + if [ "$_removed" = "none" ]; then + grep "; Delete:" "${_key_file}" >/dev/null && _log_error "unexpected removed comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Delete:" "${_private_file}" >/dev/null && _log_error "unexpected removed in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: " "${_state_file}" >/dev/null && _log_error 
"unexpected removed in ${_state_file}" + fi + else + grep "; Delete: $_removed" "${_key_file}" >/dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + if [ "$_private" = "yes" ]; then + grep "Delete: $_removed" "${_private_file}" >/dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: $_removed" "${_state_file}" >/dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } check_keytimes() { - # The script relies on Python to set keytimes. - if [ -x "$PYTHON" ]; then - - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY1" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY2" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY3" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY4" - fi - fi + # The script relies on Python to set keytimes. + if [ -x "$PYTHON" ]; then + + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" + fi + fi } # Check the key with key id $1 and see if it is unused. 
@@ -641,143 +640,142 @@ check_keytimes() { # STATE_FILE="${BASE_FILE}.state" # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') key_unused() { - _dir=$DIR - _zone=$ZONE - _key_idpad=$1 - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$2 - _alg_numpad=$(printf "%03d" "$_alg_num") - - BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" - KEY_FILE="${BASE_FILE}.key" - PRIVATE_FILE="${BASE_FILE}.private" - STATE_FILE="${BASE_FILE}.state" - KEY_ID="${_key_id}" - - test $_log -eq 1 && echo_i "key unused $KEY_ID?" - - # Check file existence. - [ -s "$KEY_FILE" ] || ret=1 - [ -s "$PRIVATE_FILE" ] || ret=1 - [ -s "$STATE_FILE" ] || ret=1 - [ "$ret" -eq 0 ] || return 0 - - # Treat keys that have been removed from the zone as unused. - _check_removed=1 - grep "; Created:" "$KEY_FILE" > created.key-${KEY_ID}.test${n} || _check_removed=0 - grep "; Delete:" "$KEY_FILE" > unused.key-${KEY_ID}.test${n} || _check_removed=0 - if [ "$_check_removed" -eq 1 ]; then - _created=$(awk '{print $3}' < created.key-${KEY_ID}.test${n}) - _removed=$(awk '{print $3}' < unused.key-${KEY_ID}.test${n}) - [ "$_removed" -le "$_created" ] && return - fi - - # If no timing metadata is set, this key is unused. 
- grep "; Publish:" "$KEY_FILE" > /dev/null && _log_error "unexpected publish comment in $KEY_FILE" - grep "; Activate:" "$KEY_FILE" > /dev/null && _log_error "unexpected active comment in $KEY_FILE" - grep "; Inactive:" "$KEY_FILE" > /dev/null && _log_error "unexpected retired comment in $KEY_FILE" - grep "; Revoke:" "$KEY_FILE" > /dev/null && _log_error "unexpected revoked comment in $KEY_FILE" - grep "; Delete:" "$KEY_FILE" > /dev/null && _log_error "unexpected removed comment in $KEY_FILE" - - grep "Publish:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected publish in $PRIVATE_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected active in $PRIVATE_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected retired in $PRIVATE_FILE" - grep "Revoke:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected removed in $PRIVATE_FILE" - - grep "Published: " "$STATE_FILE" > /dev/null && _log_error "unexpected publish in $STATE_FILE" - grep "Active: " "$STATE_FILE" > /dev/null && _log_error "unexpected active in $STATE_FILE" - grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE" - grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE" - grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE" - - return 0 + _dir=$DIR + _zone=$ZONE + _key_idpad=$1 + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$2 + _alg_numpad=$(printf "%03d" "$_alg_num") + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + test $_log -eq 1 && echo_i "key unused $KEY_ID?" + + # Check file existence. 
+ [ -s "$KEY_FILE" ] || ret=1 + [ -s "$PRIVATE_FILE" ] || ret=1 + [ -s "$STATE_FILE" ] || ret=1 + [ "$ret" -eq 0 ] || return 0 + + # Treat keys that have been removed from the zone as unused. + _check_removed=1 + grep "; Created:" "$KEY_FILE" >created.key-${KEY_ID}.test${n} || _check_removed=0 + grep "; Delete:" "$KEY_FILE" >unused.key-${KEY_ID}.test${n} || _check_removed=0 + if [ "$_check_removed" -eq 1 ]; then + _created=$(awk '{print $3}' /dev/null && _log_error "unexpected publish comment in $KEY_FILE" + grep "; Activate:" "$KEY_FILE" >/dev/null && _log_error "unexpected active comment in $KEY_FILE" + grep "; Inactive:" "$KEY_FILE" >/dev/null && _log_error "unexpected retired comment in $KEY_FILE" + grep "; Revoke:" "$KEY_FILE" >/dev/null && _log_error "unexpected revoked comment in $KEY_FILE" + grep "; Delete:" "$KEY_FILE" >/dev/null && _log_error "unexpected removed comment in $KEY_FILE" + + grep "Publish:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected publish in $PRIVATE_FILE" + grep "Activate:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected active in $PRIVATE_FILE" + grep "Inactive:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected retired in $PRIVATE_FILE" + grep "Revoke:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" + grep "Delete:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected removed in $PRIVATE_FILE" + + grep "Published: " "$STATE_FILE" >/dev/null && _log_error "unexpected publish in $STATE_FILE" + grep "Active: " "$STATE_FILE" >/dev/null && _log_error "unexpected active in $STATE_FILE" + grep "Retired: " "$STATE_FILE" >/dev/null && _log_error "unexpected retired in $STATE_FILE" + grep "Revoked: " "$STATE_FILE" >/dev/null && _log_error "unexpected revoked in $STATE_FILE" + grep "Removed: " "$STATE_FILE" >/dev/null && _log_error "unexpected removed in $STATE_FILE" + + return 0 } # Test: dnssec-verify zone $1. 
-dnssec_verify()
-{
- n=$((n+1))
- echo_i "dnssec-verify zone ${ZONE} ($n)"
- ret=0
- _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed"
- $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+dnssec_verify() {
+ n=$((n + 1))
+ echo_i "dnssec-verify zone ${ZONE} ($n)"
+ ret=0
+ _dig_with_opts "$ZONE" "@${SERVER}" AXFR >dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed"
+ $VERIFY -z -o "$ZONE" dig.out.axfr.test$n >verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 # Wait for the zone to be signed.
 # The apex NSEC record indicates that it is signed.
 _wait_for_nsec() {
- _dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1
- grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1
- grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1
- return 0
+ _dig_with_opts "@${SERVER}" "$ZONE" NSEC >"dig.out.nsec.test$n" || return 1
+ grep "NS SOA" "dig.out.nsec.test$n" >/dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" >/dev/null || return 1
+ return 0
 }
 wait_for_nsec() {
- n=$((n+1))
- ret=0
- echo_i "wait for ${ZONE} to be signed ($n)"
- retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ n=$((n + 1))
+ ret=0
+ echo_i "wait for ${ZONE} to be signed ($n)"
+ retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 check_numkeys() {
- _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
- test "$_numkeys" -eq "$NUM_KEYS" || return 1
- return 0
+ _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
+ test "$_numkeys" -eq "$NUM_KEYS" || return 1
+ return 0
 }
_check_keys() { - ret=0 - _ret=0 - - # Clear key ids. - key_set KEY1 ID "no" - key_set KEY2 ID "no" - key_set KEY3 ID "no" - key_set KEY4 ID "no" - - # Check key files. - _ids=$(get_keyids "$DIR" "$ZONE") - for _id in $_ids; do - # There are multiple key files with the same algorithm. - # Check them until a match is found. - ret=0 - echo_i "check key id $_id" - - if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY1" "$_id" - test "$ret" -eq 0 && key_save KEY1 && continue - fi - if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY2" "$_id" - test "$ret" -eq 0 && key_save KEY2 && continue - fi - if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY3" "$_id" - test "$ret" -eq 0 && key_save KEY3 && continue - fi - if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY4" "$_id" - test "$ret" -eq 0 && key_save KEY4 && continue - fi - - # This may be an unused key. Assume algorithm of KEY1. - ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" - test "$ret" -eq 0 && continue - - # If ret is still non-zero, none of the files matched. - echo_i "failed" - _ret=1 - done - - return $_ret + ret=0 + _ret=0 + + # Clear key ids. + key_set KEY1 ID "no" + key_set KEY2 ID "no" + key_set KEY3 ID "no" + key_set KEY4 ID "no" + + # Check key files. + _ids=$(get_keyids "$DIR" "$ZONE") + for _id in $_ids; do + # There are multiple key files with the same algorithm. + # Check them until a match is found. 
+ ret=0 + echo_i "check key id $_id" + + if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY1" "$_id" + test "$ret" -eq 0 && key_save KEY1 && continue + fi + if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY2" "$_id" + test "$ret" -eq 0 && key_save KEY2 && continue + fi + if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY3" "$_id" + test "$ret" -eq 0 && key_save KEY3 && continue + fi + if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY4" "$_id" + test "$ret" -eq 0 && key_save KEY4 && continue + fi + + # This may be an unused key. Assume algorithm of KEY1. + ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" + test "$ret" -eq 0 && continue + + # If ret is still non-zero, none of the files matched. + echo_i "failed" + _ret=1 + done + + return $_ret } # Check keys for a configured zone. This verifies: 
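Review bot: In `key_unused` the guard `test $_log -eq 1 && echo_i "key unused $KEY_ID?"` leaves `$_log` unquoted, so if `_log` is unset or empty the shell runs `test -eq 1` and aborts that line with a "unary operator expected" error instead of silently skipping the message; `test "${_log:-0}" -eq 1 && echo_i "key unused $KEY_ID?"` keeps the behaviour for the normal case. The existence checks `[ -s "$KEY_FILE" ] || ret=1` and the early `[ "$ret" -eq 0 ] || return 0` also rely on the caller having reset `ret`; `_check_keys` does so with `ret=0 && key_unused ...`, but a short comment on `key_unused` such as `# Caller must set ret=0; missing files set ret=1 and return early.` would make that contract explicit. The compare `[ "$_removed" -le "$_created" ] && return` assumes both `awk '{print $3}'` results are integers, so a malformed "; Created:" or "; Delete:" line would surface as a test(1) error rather than a logged mismatch — worth a note if the key-file format is considered trusted here. Note that the page text of this hunk appears garbled around that awk call, so I could not verify the exact redirection on the new side.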
@@ -787,47 +785,47 @@ _check_keys() {
 # It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
 # Found key identifiers are stored in the right key array.
 check_keys() {
- n=$((n+1))
- echo_i "check keys are created for zone ${ZONE} ($n)"
- ret=0
-
- echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
- retry_quiet 10 check_numkeys || ret=1
- if [ $ret -ne 0 ]; then
- _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
- _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
- status=$((status+ret))
- fi
-
- # Temporarily don't log errors because we are searching multiple files.
- disable_logerror
-
- retry_quiet 3 _check_keys || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
-
- # Turn error logs on again.
- enable_logerror
-
- ret=0
- if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
- echo_i "KEY1 ID $(key_get KEY1 ID)"
- test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
- echo_i "KEY2 ID $(key_get KEY2 ID)"
- test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
- echo_i "KEY3 ID $(key_get KEY3 ID)"
- test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
- echo_i "KEY4 ID $(key_get KEY4 ID)"
- test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
- fi
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ n=$((n + 1))
+ echo_i "check keys are created for zone ${ZONE} ($n)"
+ ret=0
+
+ echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
+ retry_quiet 10 check_numkeys || ret=1
+ if [ $ret -ne 0 ]; then
+ _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
+ _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
+ status=$((status + ret))
+ fi
+
+ # Temporarily don't log errors because we are searching multiple files.
+ disable_logerror
+
+ retry_quiet 3 _check_keys || ret=1
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+
+ # Turn error logs on again.
+ enable_logerror
+
+ ret=0
+ if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ echo_i "KEY1 ID $(key_get KEY1 ID)"
+ test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ echo_i "KEY2 ID $(key_get KEY2 ID)"
+ test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ echo_i "KEY3 ID $(key_get KEY3 ID)"
+ test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ echo_i "KEY4 ID $(key_get KEY4 ID)"
+ test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
+ fi
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 # Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2
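Review bot: `ret` is not reset after the key-count stage in `check_keys`, so when `retry_quiet 10 check_numkeys` fails the same `ret=1` appears to be added to `status` inside the `if` block and again after `retry_quiet 3 _check_keys`, counting one failure twice and printing the second `echo_i "failed"` even when `_check_keys` itself succeeded. Adding `ret=0` immediately after that `fi` keeps the two stages independent, consistent with the explicit `ret=0` the function already uses before the KEY1–KEY4 ID checks. The test `if [ $ret -ne 0 ]; then` would also read better as `if [ "$ret" -ne 0 ]; then`, matching the quoted `test "$ret" -eq 0` lines in the same function.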
@@ -838,407 +836,406 @@ check_keys() { # it is scheduled to do so, and it shows the states for the various # DNSSEC records. check_dnssecstatus() { - _server=$1 - _policy=$2 - _zone=$3 - _view=$4 - - n=$((n+1)) - echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" - ret=0 - - _rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" - - if [ "$_policy" = "none" ]; then - grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" - else - grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}" - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _policy=$2 + _zone=$3 + _view=$4 + + n=$((n + 1)) + echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" + ret=0 + + _rndccmd $_server dnssec -status $_zone in $_view >rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" + + if [ "$_policy" = "none" ]; then + grep "Zone does not have 
dnssec-policy" rndc.dnssec.status.out.$_zone.$n >/dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" + else + grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "bad dnssec status for signed zone ${_zone}" + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if # inline-signing is enabled. check_inlinesigning() { - _server=$1 - _zone=$2 - _view=$3 + _server=$1 + _zone=$2 + _view=$3 - _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 - grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 + _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1 + grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1 } # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if # the zone is dynamic. 
check_isdynamic() { - _server=$1 - _zone=$2 - _view=$3 + _server=$1 + _zone=$2 + _view=$3 - _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 - grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 + _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1 + grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1 } # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. _check_signatures() { - _qtype=$1 - _file=$2 - _role=$3 - - numsigs=0 - - if [ "$_role" = "KSK" ]; then - _expect_type=EXPECT_KRRSIG - elif [ "$_role" = "ZSK" ]; then - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; 
then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && return 1 - fi - - lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) - test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" - test "$lines" -eq "$numsigs" || return 1 - - return 0 + _qtype=$1 + _file=$2 + _role=$3 + + numsigs=0 + + if [ "$_role" = "KSK" ]; then + _expect_type=EXPECT_KRRSIG + elif [ "$_role" = "ZSK" ]; then + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" 
>/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null && return 1 + fi + + lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) + test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" + test "$lines" -eq "$numsigs" || return 1 + + return 0 } check_signatures() { - retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed" + retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed" } response_has_cds_for_key() ( - awk -v zone="${ZONE%%.}." \ - -v ttl="${DNSKEY_TTL}" \ - -v qtype="CDS" \ - -v keyid="$(key_get "${1}" ID)" \ - -v keyalg="$(key_get "${1}" ALG_NUM)" \ - -v hashalg="2" \ - 'BEGIN { ret=1; } + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDS" \ + -v keyid="$(key_get "${1}" ID)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + -v hashalg="2" \ + 'BEGIN { ret=1; } $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; } END { exit ret; }' \ - "$2" + "$2" ) response_has_cdnskey_for_key() ( - awk -v zone="${ZONE%%.}." \ - -v ttl="${DNSKEY_TTL}" \ - -v qtype="CDNSKEY" \ - -v flags="$(key_get "${1}" FLAGS)" \ - -v keyalg="$(key_get "${1}" ALG_NUM)" \ - 'BEGIN { ret=1; } + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDNSKEY" \ + -v flags="$(key_get "${1}" FLAGS)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + 'BEGIN { ret=1; } $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; } END { exit ret; }' \ - "$2" + "$2" ) # Test CDS and CDNSKEY publication. 
check_cds() { - n=$((n+1)) - echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" - ret=0 - - _checksig=0 - - _dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "mismatch status in DNS response" - - _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "mismatch status in DNS response" - - if [ "$CDS_DELETE" = "no" ]; then - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null && _log_error "unexpected CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" - else - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "missing CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" - _checksig=1 - fi - - if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" - response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" - _checksig=1 - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" - # KEY1 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. 
- fi - - if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" - response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" - _checksig=1 - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" - # KEY2 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" - response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" - _checksig=1 - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" - # KEY3 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. 
- fi - - if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" - response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" - _checksig=1 - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" - # KEY4 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" - test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" + ret=0 + + _checksig=0 + + _dig_with_opts "$ZONE" "@${SERVER}" "CDS" >"dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cds" >/dev/null || _log_error "mismatch status in DNS response" + + _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" >"dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "mismatch status in DNS response" + + if [ "$CDS_DELETE" = "no" ]; then + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" >/dev/null && _log_error "unexpected CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" + else + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" 
>/dev/null || _log_error "missing CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" + _checksig=1 + fi + + if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" + response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" + # KEY1 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" + response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" + # KEY2 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. 
+ fi + + if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" + response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" + # KEY3 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" + response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" + # KEY4 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" + test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } _find_dnskey() { - _owner="${ZONE}." 
- _alg="$(key_get $1 ALG_NUM)" - _flags="$(key_get $1 FLAGS)" - _key_file="$(key_get $1 BASEFILE).key" + _owner="${ZONE}." + _alg="$(key_get $1 ALG_NUM)" + _flags="$(key_get $1 FLAGS)" + _key_file="$(key_get $1 BASEFILE).key" - awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file" + awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file" } - # Test DNSKEY query. _check_apex_dnskey() { - _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" > "dig.out.$DIR.test$n" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1 - - _checksig=0 - - if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY1) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY1) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY2) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY2) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY3) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - 
_pubkey=$(_find_dnskey KEY3) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY4) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY4) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - test "$_checksig" -eq 0 && return 0 - - _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1 - - return 0 + _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" >"dig.out.$DIR.test$n" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || return 1 + + _checksig=0 + + if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || 
return 1 + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + test "$_checksig" -eq 0 && return 0 + + _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1 + + return 0 } # Test the apex of a configured zone. This checks that the SOA and DNSKEY # RRsets are signed correctly and with the appropriate keys. check_apex() { - # Test DNSKEY query. - n=$((n+1)) - echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_apex_dnskey || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # We retry the DNSKEY query for at most ten seconds to avoid test - # failures due to timing issues. If the DNSKEY query check passes this - # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY) - # don't need to be retried quietly. - - # Test SOA query. 
- n=$((n+1)) - echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - _dig_with_opts "$ZONE" "@${SERVER}" "SOA" > "dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" - grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing SOA record in response" - check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # Test CDS and CDNSKEY publication. - check_cds + # Test DNSKEY query. + n=$((n + 1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_apex_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # We retry the DNSKEY query for at most ten seconds to avoid test + # failures due to timing issues. If the DNSKEY query check passes this + # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY) + # don't need to be retried quietly. + + # Test SOA query. + n=$((n + 1)) + echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "$ZONE" "@${SERVER}" "SOA" >"dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response" + grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing SOA record in response" + check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # Test CDS and CDNSKEY publication. + check_cds } # Test an RRset below the apex and verify it is signed correctly. 
check_subdomain() { - _qtype="A" - n=$((n+1)) - echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response" - lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) - check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _qtype="A" + n=$((n + 1)) + echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype >"dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response" + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Check if "CDS/CDNSKEY Published" is logged. 
check_cdslog() { - _dir=$1 - _zone=$2 - _key=$3 + _dir=$1 + _zone=$2 + _key=$3 - _alg=$(key_get $_key ALG_STR) - _id=$(key_get $_key ID) + _alg=$(key_get $_key ALG_STR) + _id=$(key_get $_key ID) - n=$((n+1)) - echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" - ret=0 + n=$((n + 1)) + echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" + ret=0 - grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 - grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1 + grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Tell named that the DS for the key in given zone has been seen in the # parent (this does not actually has to be true, we just issue the command # to make named believe it can continue with the rollover). 
rndc_checkds() { - _server=$1 - _dir=$2 - _key=$3 - _when=$4 - _what=$5 - _zone=$6 - _view=$7 - - _keycmd="" - if [ "${_key}" != "-" ]; then - _keyid=$(key_get $_key ID) - _keycmd=" -key ${_keyid}" - fi - - _whencmd="" - if [ "${_when}" != "now" ]; then - _whencmd=" -when ${_when}" - fi - - n=$((n+1)) - echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)" - ret=0 - - _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed" - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _dir=$2 + _key=$3 + _when=$4 + _what=$5 + _zone=$6 + _view=$7 + + _keycmd="" + if [ "${_key}" != "-" ]; then + _keyid=$(key_get $_key ID) + _keycmd=" -key ${_keyid}" + fi + + _whencmd="" + if [ "${_when}" != "now" ]; then + _whencmd=" -when ${_when}" + fi + + n=$((n + 1)) + echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)" + ret=0 + + _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view >rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Tell named to schedule a key rollover. 
 rndc_rollover() {
- _server=$1
- _dir=$2
- _keyid=$3
- _when=$4
- _zone=$5
- _view=$6
-
- _whencmd=""
- if [ "${_when}" != "now" ]; then
- _whencmd="-when ${_when}"
- fi
-
- n=$((n+1))
- echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
- ret=0
-
- _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ _server=$1
+ _dir=$2
+ _keyid=$3
+ _when=$4
+ _zone=$5
+ _view=$6
+
+ _whencmd=""
+ if [ "${_when}" != "now" ]; then
+ _whencmd="-when ${_when}"
+ fi
+
+ n=$((n + 1))
+ echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
+ ret=0
+
+ _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view >rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index db264c2..d31b53a 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -29,6 +29,7 @@ rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index a6e8b3a..8debcd2 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -49,6 +49,15 @@ zone "default.kasp" { dnssec-policy "default"; }; +/* A zone with special characters. */ +zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." { + type primary; + file "i-am.special.kasp.db"; + check-names ignore; + inline-signing yes; + dnssec-policy "default"; +}; + /* checkds: Zone with one KSK. */ zone "checkds-ksk.kasp" { type primary; @@ -146,6 +155,18 @@ zone "dynamic-inline-signing.kasp" { inline-signing yes; }; +/* + * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the + * raw version of the zone. + */ +zone "dynamic-signed-inline-signing.kasp" { + type primary; + file "dynamic-signed-inline-signing.kasp.db.signed"; + key-directory "keys"; + dnssec-policy "default"; + allow-update { any; }; +}; + /* An inline-signed zone with dnssec-policy. */ zone "inline-signing.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 8af40ed..41cf379 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -17,20 +17,20 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - echo "$zone" >> zones + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones } # Set in the key state files the Predecessor/Successor fields. # Key $1 is the predecessor of key $2. key_successor() { - id1=$(keyfile_to_key_id "$1") - id2=$(keyfile_to_key_id "$2") - echo "Predecessor: ${id1}" >> "${2}.state" - echo "Successor: ${id2}" >> "${1}.state" + id1=$(keyfile_to_key_id "$1") + id2=$(keyfile_to_key_id "$2") + echo "Predecessor: ${id1}" >>"${2}.state" + echo "Successor: ${id2}" >>"${1}.state" } # Make lines shorter by storing key states in environment variables. 
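Review bot: The comment on the new `dynamic-signed-inline-signing.kasp` stanza describes it as a "dynamic inline-signed zone", but unlike the `i-am.…special.kasp` zone added in the first hunk and the `dynamic-inline-signing.kasp` zone in the surrounding context, it has no `inline-signing yes;` — it is a dynamic zone (`allow-update { any; };`) with `dnssec-policy "default";` loaded from a file already named `.db.signed`, which presumably means it is meant to be signed in place from a previously inline-signed file rather than inline-signed again. If that is the intent, make the comment say so, e.g. `/* A dynamic zone (no inline-signing) with dnssec-policy, loaded from a zone file that already contains DNSSEC records from earlier inline signing. */`; if inline signing is intended, the stanza is missing `inline-signing yes;`. Note also that `key-directory "keys";` is relative to ns3 and the accompanying clean.sh hunk now removes `ns3/keys/`; a short comment stating where that directory is created (setup.sh is not visible here) would help the next reader.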
@@ -43,94 +43,100 @@ U="UNRETENTIVE"
 # Set up zones that will be initially signed.
 #
 for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
- rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
- dynamic dynamic-inline-signing inline-signing \
- checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
- manual-rollover multisigner-model2
-do
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
+ rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
+ dynamic dynamic-inline-signing inline-signing \
+ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
+ manual-rollover multisigner-model2; do
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
 done
 
+#
+# Setup special zone
+#
+zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
+echo_i "setting up zone: $zone"
+cp template.db.in "i-am.special.kasp.db"
+
 #
 # Set up RSASHA1 based zones
 #
-for zn in rsasha1 rsasha1-nsec3
-do
- if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
- then
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
- else
- # don't add to zones.
- echo_i "setting up zone: ${zn}.kasp"
- cp template.db.in "${zn}.kasp.db"
- fi
+for zn in rsasha1 rsasha1-nsec3; do
+ if (
+ cd ..
+ $SHELL ../testcrypto.sh -q RSASHA1
+ ); then
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
+ else
+ # don't add to zones.
+ echo_i "setting up zone: ${zn}.kasp"
+ cp template.db.in "${zn}.kasp.db"
+ fi
 done
 
 if [ -f ../ed25519-supported.file ]; then
- setup "ed25519.kasp"
- cp template.db.in "$zonefile"
- cat ed25519.conf >> named.conf
+ setup "ed25519.kasp"
+ cp template.db.in "$zonefile"
+ cat ed25519.conf >>named.conf
 fi
 
 if [ -f ../ed448-supported.file ]; then
- setup "ed448.kasp"
- cp template.db.in "$zonefile"
- cat ed448.conf >> named.conf
+ setup "ed448.kasp"
+ cp template.db.in "$zonefile"
+ cat ed448.conf >>named.conf
 fi
 
 # Set up zones that stay unsigned.
-for zn in unsigned insecure max-zone-ttl
-do
- zone="${zn}.kasp"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- cp template.db.in $infile
- cp template.db.in $zonefile
+for zn in unsigned insecure max-zone-ttl; do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
 done
 
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
 
 zone="some-keys.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone >keygen.out.$zone.2 2>&1
 
 zone="legacy-keys.kasp"
 echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
-echo $ZSK > legacy-keys.kasp.zsk
-echo $KSK > legacy-keys.kasp.ksk
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.2)
+echo $ZSK >legacy-keys.kasp.zsk
+echo $KSK >legacy-keys.kasp.ksk
 # Predecessor keys:
 Tact="now-9mo"
 Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.4)
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" >settime.out.$zone.1 2>&1
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" >settime.out.$zone.2 2>&1
 
 zone="pregenerated.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
 
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
 # Import the ZSK sets of the other providers into their DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.1)
+ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.2)
 # ZSK1 will be added to the unsigned zonefile.
-cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
-cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
+cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
+cat "../${ZSK1}.key" | grep -v ";.*" >"${zone}.zsk1"
 rm -f "../${ZSK1}.*"
 # ZSK2 will be used with a Dynamic Update.
-cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
+cat "../${ZSK2}.key" | grep -v ";.*" >"${zone}.zsk2"
 rm -f "../${ZSK2}.*"
 
 zone="rumoured.kasp"
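Review bot: The special-zone block added after the first loop assigns `zone` and copies the template to a hard-coded `i-am.special.kasp.db` instead of going through `setup`, so unlike every other zone it is not appended to `zones`, and `zonefile`/`infile` keep the values left by the last loop iteration. That is presumably deliberate (the name is not usable as a file name), but it deserves the same marker the RSASHA1 branch carries, e.g. `# Not added to 'zones': the file name must match the 'file' clause in named-fips.conf.in.` The stale `zonefile` is harmless only because the following RSASHA1 loop calls `setup` again before using it.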
@@ -138,12 +144,12 @@ echo_i "setting up zone: $zone"
 Tpub="now"
 Tact="now+1d"
 keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >settime.out.$zone.2 2>&1
 
 #
 # Set up zones that are already signed.
@@ -154,78 +160,91 @@ setup manual-rollover.kasp
 T="now-1d"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, and can be reused.
setup fresh-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, but not fresh enough, update immediately.
setup unfresh-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, but the private KSK is missing.
setup ksk-missing.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: yes" >> "${KSK}".state
-echo "ZSK: no" >> "${KSK}".state
-echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: yes" >>"${KSK}".state
+echo "ZSK: no" >>"${KSK}".state
+echo "Lifetime: 63072000" >>"${KSK}".state # PT2Y
 rm -f "${KSK}".private
 
 # These signatures are still good, but the private ZSK is missing.
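Review bot: In the new `dynamic-signed-inline-signing.kasp` block the CSK is generated in the ns3 working directory (no `-K`), while named-fips.conf.in in this commit gives that zone `key-directory "keys"`, so presumably named will not see this key when it applies the policy; if that mismatch is the point of the test, the comment should say so, e.g. `# The CSK is intentionally kept outside key-directory "keys".` The block also omits the `private_type_record` lines and `-O raw` that its siblings use, which looks intended because the signed text file is what named loads as the primary zone file; a short comment would save the next reader the comparison. The sentence `This is unusual and not common operation, but want to make sure` in the new comment reads awkwardly; suggest `This is unusual, but we want to make sure that in such a case BIND 9 does not schedule a resigning operation on the raw version.`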
@@ -233,18 +252,18 @@ setup zsk-missing.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: no" >> "${ZSK}".state
-echo "ZSK: yes" >> "${ZSK}".state
-echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: no" >>"${ZSK}".state
+echo "ZSK: yes" >>"${ZSK}".state
+echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
 rm -f "${ZSK}".private
 
 # These signatures are already expired, and the private ZSK is retired.
@@ -252,16 +271,16 @@ setup zsk-retired.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T -I now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1
 
 #
 # The zones at enable-dnssec.autosign represent the various steps of the
@@ -289,12 +308,12 @@ TpubN="now-900s"
 # Total: 43800 seconds
 TsbmN="now+43800s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # The zone signatures have been published long enough to become OMNIPRESENT.
@@ -306,12 +325,12 @@ TcotN="now-43800s"
 # We can submit the DS now.
 TsbmN="now"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # The DS has been submitted long enough ago to become OMNIPRESENT.
@@ -326,13 +345,12 @@ TpubN="now-56700s"
 TcotN="now-55800s"
 TsbmN="now-12000s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-setup step4.enable-dnssec.autosign
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at zsk-prepub.autosign represent the various steps of a ZSK
@@ -345,15 +363,15 @@ setup step1.zsk-prepub.autosign
 TactN="now"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to pre-publish the successor ZSK.
@@ -385,15 +403,15 @@ setup step2.zsk-prepub.autosign
 TactN="now-694h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # After the publication interval has passed the DNSKEY of the successor ZSK
@@ -442,21 +460,21 @@ TremN1="now+961h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # After the retire interval has passed the predecessor DNSKEY can be
@@ -505,18 +523,18 @@ TremN1="now+30d"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
@@ -541,21 +559,21 @@ TremN1="now+719h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # The predecessor DNSKEY can be purged.
@@ -580,21 +598,21 @@ TremN1="now+718h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at ksk-doubleksk.autosign represent the various steps of a KSK
@@ -607,13 +625,13 @@ setup step1.ksk-doubleksk.autosign
 TactN="now"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to submit the introduce the new KSK.
@@ -657,15 +675,15 @@ setup step2.ksk-doubleksk.autosign
 TactN="now-1413h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS.
@@ -718,21 +736,21 @@ TremN1="now+1490h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # The DS should be swapped now.
@@ -779,21 +797,21 @@ TremN1="now+60d"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
@@ -818,21 +836,21 @@ TremN1="now+1442h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # The predecessor DNSKEY can be purged.
@@ -857,21 +875,21 @@ TremN1="now+1441h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
@@ -883,12 +901,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 setup step1.csk-roll.autosign
 TactN="now"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to introduce the new CSK.
@@ -911,12 +929,12 @@ setup step2.csk-roll.autosign
 # = now - 4464h + 3h = now - 4461h
 TactN="now-4461h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -960,18 +978,18 @@ TretN1="now+186d"
 TremN1="now+5091h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1007,18 +1025,18 @@ TretN1="now+4460h"
 TremN1="now+5087h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # After the DS is swapped in step 4, also the KRRSIG records can be removed.
@@ -1043,18 +1061,18 @@ TretN1="now+4458h"
 TremN1="now+5085h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # After the retire interval has passed the predecessor DNSKEY can be
@@ -1087,18 +1105,18 @@ TretN1="now+3837h"
 TremN1="now+186d"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1122,18 +1140,18 @@ TretN1="now+3835h"
 TremN1="now+4462h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 8:
 # The predecessor DNSKEY can be purged.
@@ -1157,18 +1175,18 @@ TretN1="now+3834h"
 TremN1="now+4461h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-roll2.autosign represent the various steps of a CSK rollover
@@ -1182,12 +1200,12 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
 setup step1.csk-roll2.autosign
 TactN="now"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to introduce the new CSK.
@@ -1210,12 +1228,12 @@ setup step2.csk-roll2.autosign
 # = now - 4464h + 3h = now - 4461h
 TactN="now-4461h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -1259,18 +1277,18 @@ TretN1="now+186d"
 TremN1="now+4634h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1307,18 +1325,18 @@ TretN1="now+4426h"
 TremN1="now+4429h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
@@ -1344,18 +1362,18 @@ TretN1="now+4294h"
 TremN1="now+4360h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1380,18 +1398,18 @@ TretN1="now+4292h"
TremN1="now+4358h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 7:
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
@@ -1415,18 +1433,18 @@ TretN1="now+2134h"
TremN1="now+2200h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
# previous rollover has not finished yet. In other words, we have a key KEY2
@@ -1453,18 +1471,18 @@ TremN1="now+1490h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index 61b049d..c488bc4 100644
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -20,13 +20,12 @@ echo_i "ns4/setup.sh"
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.signed"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.signed"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
done
cp example1.db.in example1.db
diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh
index 59c7a41..47d2870 100644
--- a/bin/tests/system/kasp/ns5/setup.sh
+++ b/bin/tests/system/kasp/ns5/setup.sh
@@ -20,11 +20,10 @@ echo_i "ns5/setup.sh"
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.unsigned"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.unsigned"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
done
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 6764f1b..1c2fd01 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -17,10 +17,10 @@ echo_i "ns6/setup.sh"
setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
}
# Make lines shorter by storing key states in environment variables.
@@ -31,57 +31,56 @@ U="UNRETENTIVE"
# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
-for zn in going-insecure.kasp going-insecure-dynamic.kasp
-do
- # Step 1:
- # Set up a zone with dnssec-policy that is going insecure.
- setup step1.$zn
- echo "$zone" >> zones
- T="now-10d"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
+ # Step 1:
+ # Set up a zone with dnssec-policy that is going insecure.
+ setup step1.$zn
+ echo "$zone" >>zones
+ T="now-10d"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
- # Step 2:
- # Set up a zone with dnssec-policy that is going insecure. Don't add
- # this zone to the zones file, because this zone is no longer expected
- # to be fully signed.
- setup step2.$zn
- # The DS was withdrawn from the parent zone 26 hours ago.
- Trem="now-26h"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
- $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
- # Fake lifetime of old algorithm keys.
- echo "Lifetime: 0" >> "${KSK}.state"
- echo "Lifetime: 5184000" >> "${ZSK}.state"
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ # Step 2:
+ # Set up a zone with dnssec-policy that is going insecure. Don't add
+ # this zone to the zones file, because this zone is no longer expected
+ # to be fully signed.
+ setup step2.$zn
+ # The DS was withdrawn from the parent zone 26 hours ago.
+ Trem="now-26h"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK}.state"
+ echo "Lifetime: 5184000" >>"${ZSK}.state"
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done
# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
-CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
@@ -91,19 +90,19 @@ $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 8 "$KSK" >> "$infile"
-private_type_record $zone 8 "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 8 "$KSK" >>"$infile"
+private_type_record $zone 8 "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -118,24 +117,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# The zone signatures are also OMNIPRESENT.
@@ -149,24 +148,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS is swapped and can become OMNIPRESENT.
@@ -181,24 +180,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
@@ -214,24 +213,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
@@ -248,24 +247,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
@@ -275,15 +274,15 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone 5 "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone 5 "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -293,17 +292,17 @@ TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# The zone signatures are also OMNIPRESENT.
@@ -315,17 +314,17 @@ TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS is swapped and can become OMNIPRESENT.
@@ -338,17 +337,17 @@ TactN1="now-35h" TsubN1="now-29h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. 
@@ -362,17 +361,17 @@ TactN1="now-37h" TsubN1="now-31h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. 
@@ -387,22 +386,22 @@ TactN1="now-44h" TsubN1="now-38h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # Reload testing # -echo "example" >> zones +echo "example" >>zones cp example.db.in example.db setup "dynamic2inline.kasp" diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 67cfa92..1d11ba9 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh 
@@ -19,62 +19,60 @@ set -e $SHELL clean.sh mkdir keys +mkdir ns3/keys copy_setports ns2/named.conf.in ns2/named.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - copy_setports ns3/named-fips.conf.in ns3/named.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + copy_setports ns3/named-fips.conf.in ns3/named.conf else - copy_setports ns3/named-fips.conf.in ns3/named-fips.conf - copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns3/named-fips.conf.in ns3/named-fips.conf + copy_setports ns3/named.conf.in ns3/named.conf fi copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf fi copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf +if ! 
$SHELL ../testcrypto.sh -q RSASHA1; then + cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf fi # Setup zones ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns6 - $SHELL setup.sh + cd ns6 + $SHELL setup.sh ) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index ddbbd32..611c717 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -29,22 +29,22 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. 
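Review bot: The new `mkdir ns3/keys` near the top of setup.sh runs under the `set -e` shown in the hunk header, so a leftover `ns3/keys` from an earlier run aborts the whole setup before any zone is configured; unless clean.sh was updated in this commit to remove that directory (not visible here), `mkdir -p ns3/keys` is the more robust form. The hunk also invokes `$SHELL ../testcrypto.sh -q RSASHA1` three separate times to decide the FIPS fallbacks; probing once, e.g. `rsasha1_ok=0; $SHELL ../testcrypto.sh -q RSASHA1 && rsasha1_ok=1`, and testing `$rsasha1_ok` in each `if` would keep the three branches in step and avoid repeated subprocess spawns.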
@@ -61,93 +61,93 @@ set_zone "kasp" set_policy "kasp" "4" "200" set_server "keys" "10.53.0.1" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" ret=0 -$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" # Temporarily don't log errors because we are searching multiple files. disable_logerror # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "31536000" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "31536000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "31536000" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "2592000" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "2592000" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "16070400" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" lines=$(get_keyids "$DIR" "$ZONE" | wc -l) test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" ids=$(get_keyids "$DIR" "$ZONE") for 
id in $ids; do - # There are four key files with the same algorithm. - # Check them until a match is found. - ret=0 && check_key "KEY1" "$id" - test "$ret" -eq 0 && continue + # There are four key files with the same algorithm. + # Check them until a match is found. + ret=0 && check_key "KEY1" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY2" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY2" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY3" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY3" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY4" "$id" + ret=0 && check_key "KEY4" "$id" - # If ret is still non-zero, non of the files matched. - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + # If ret is still non-zero, non of the files matched. + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) done # Turn error logs on again. enable_logerror -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 set_zone "kasp" set_policy "default" "1" "3600" set_server "." "10.53.0.1" # Key properties. 
-set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -G -k "$POLICY" "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do - check_key "KEY1" "$id" - test "$ret" -eq 0 && key_save KEY1 - check_keytimes + check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes done test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # dnssec-settime 
@@ -156,69 +156,69 @@ status=$((status+ret)) # These test builds upon the latest created key with dnssec-keygen and uses the # environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE. CMP_FILE="${BASE_FILE}.cmp" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" -grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" -grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" +$SETTIME -P +3600 "$BASE_FILE" >/dev/null || log_error "settime failed" +grep "; Publish: " "$KEY_FILE" >/dev/null || log_error "mismatch published in $KEY_FILE" +grep "Publish: " "$PRIVATE_FILE" >/dev/null || log_error "mismatch published in $PRIVATE_FILE" diff "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "omnipresent" +$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" 
"PUBLISHED" "${now}" +set_keytime "KEY1" "PUBLISHED" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "none" +$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "none" set_keystate "KEY1" "STATE_DNSKEY" "none" set_keystate "KEY1" "STATE_KRRSIG" "none" set_keystate "KEY1" "STATE_ZRRSIG" "none" -set_keystate "KEY1" "STATE_DS" "none" +set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "PUBLISHED" "none" +set_keytime "KEY1" "PUBLISHED" "none" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "hidden" +$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "unretentive" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "omnipresent" 
+set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "ACTIVE" "${now}" +set_keytime "KEY1" "ACTIVE" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # named 
@@ -228,53 +228,51 @@ status=$((status+ret)) # added as part of the last step in signing a zone. We wait for the # NSEC records to appear before proceeding with a counter to prevent # infinite loops if there is an error. -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for kasp signing changes to take effect ($n)" _wait_for_done_apexnsec() { - while read -r zone - do - dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - done < ns3/zones - - while read -r zone - do - dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - done < ns6/zones - - return 0 + while read -r zone; do + dig_with_opts "$zone" @10.53.0.3 nsec >"dig.out.ns3.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + done "dig.out.ns6.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + done /dev/null || ret=1 +grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: default.kasp. # set_keytimes_csk_policy() { - # The first key is immediately published and activated. - created=$(key_get KEY1 CREATED) - set_keytime "KEY1" "PUBLISHED" "${created}" - set_keytime "KEY1" "ACTIVE" "${created}" - # The DS can be published if the DNSKEY and RRSIG records are - # OMNIPRESENT. This happens after max-zone-ttl (1d) plus - # publish-safety (1h) plus zone-propagation-delay (300s) = - # 86400 + 3600 + 300 = 90300. 
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 - # Key lifetime is unlimited, so not setting RETIRED and REMOVED. + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. } # Check the zone with default kasp policy has loaded and is signed. @@ -282,17 +280,17 @@ set_zone "default.kasp" set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -304,7 +302,7 @@ dnssec_verify # Trigger a keymgr run. Make sure the key files are not touched if there are # no modifications to the key metadata. -n=$((n+1)) +n=$((n + 1)) echo_i "make sure key files are untouched if metadata does not change ($n)" ret=0 basefile=$(key_get KEY1 BASEFILE) 
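Review bot: In `_wait_for_done_apexnsec` the pattern `grep "$zone\..*IN.*RRSIG"` interpolates each name read from the zones file straight into a basic regular expression, so a zone name containing regex metacharacters (this same commit later adds a zone built from `?&[]$*+` and parentheses) would be interpreted rather than matched literally and the wait could succeed or fail for the wrong reason. If such names can ever appear in `ns3/zones` or `ns6/zones`, the name should be escaped before use, or the check should match on a fixed string with `grep -F -- "$zone."` combined with a separate `grep "IN.*RRSIG"`. The `done < ns3/zones` redirect and the head of the ns6 loop appear to have been lost when this page was rendered, so the function's tail cannot be fully reviewed here.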
@@ -312,8 +310,8 @@ privkey_stat=$(key_get KEY1 PRIVKEY_STAT) pubkey_stat=$(key_get KEY1 PUBKEY_STAT) state_stat=$(key_get KEY1 STATE_STAT) -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") @@ -322,14 +320,14 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "again ($n)" ret=0 -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") 
@@ -338,41 +336,41 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.3 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" update_is_signed() { - ip_a=$1 - ip_d=$2 - - if [ "$ip_a" != "-" ]; then - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1 - fi - - if [ "$ip_d" != "-" ]; then - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1 - fi + ip_a=$1 + ip_d=$2 + + if [ "$ip_a" != "-" ]; then + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" 
>/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1 + fi + + if [ "$ip_d" != "-" ]; then + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n".d || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n".d >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1 + fi } retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Move the private key file, a rekey event should not introduce replacement # keys. @@ -380,11 +378,11 @@ ret=0 echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)" basefile=$(key_get KEY1 BASEFILE) mv "${basefile}.private" "${basefile}.offline" -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1 mv "${basefile}.offline" "${basefile}.private" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Nothing has changed. check_keys 
@@ -395,6 +393,16 @@ check_apex check_subdomain dnssec_verify +# +# A zone with special characters. +# +set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# It is non-trivial to adapt the tests to deal with all possible different +# escaping characters, so we will just try to verify the zone. +dnssec_verify + # # Zone: dynamic.kasp # 
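Review bot: The `set_zone` literal for the special-characters zone mixes escapes that bash consumes with escapes it preserves, which is easy to misread: inside double quotes the backslash is dropped before `"` and `$` but kept before `;`, `@`, `.`, `(` and `)`, so ZONE ends up as the presentation-format name `i-am.":\;?&[]\@!$*+,|=\.\(\)special.kasp.`. The existing comment only says escaping is non-trivial; stating the resulting value there, e.g. `# Bash drops the backslash before " and $ but keeps it before ; @ . ( ), so ZONE holds the escaped presentation-format name.`, would tell the next reader what `dnssec_verify` actually receives. Since the value contains `*`, `?` and `[]`, any helper that expands `$ZONE` unquoted or in a grep pattern will glob or regex-match it, so that caveat belongs in the comment as well; `dnssec_verify` is defined outside this hunk.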
@@ -412,51 +420,51 @@ check_subdomain dnssec_verify # Update zone with nsupdate. -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update del "a.${ZONE}" 300 A 10.0.0.1 -echo update add "a.${ZONE}" 300 A 10.0.0.101 -echo update add "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update del "a.${ZONE}" 300 A 10.0.0.1 + echo update add "a.${ZONE}" 300 A 10.0.0.101 + echo update add "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with nsupdate (reverting the above change). -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add "a.${ZONE}" 300 A 10.0.0.1 -echo update del "a.${ZONE}" 300 A 10.0.0.101 -echo update del "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add "a.${ZONE}" 300 A 10.0.0.1 + echo update del "a.${ZONE}" 300 A 10.0.0.101 + echo update del "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 -echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +echo "d.${ZONE}. 
300 A 10.0.0.44" >>"${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: dynamic-inline-signing.kasp @@ -475,17 +483,34 @@ check_subdomain dnssec_verify # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) + +# +# Zone: dynamic-signed-inline-signing.kasp +# +set_zone "dynamic-signed-inline-signing.kasp" +set_dynamic +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +dnssec_verify +# Ensure no zone_resigninc for the unsigned version of the zone is triggered. +n=$((n + 1)) +echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)" +ret=0 +grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1 +grep "error reading K$ZONE" $DIR/named.run && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) # # Zone: inline-signing.kasp 
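Review bot: The two new negative checks `grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1` and `grep "error reading K$ZONE" $DIR/named.run && ret=1` are the only greps in this file whose stdout is not redirected, so on a hit the raw log lines are printed before the "failed" marker; add `>/dev/null` to both for consistency with the surrounding tests, or keep the output deliberately and say so in a comment. Both patterns also embed `$ZONE` in a basic regex, so the dots in the zone name match any character; harmless for this fixed name, but `grep -F --` would make the intent explicit. These greps scan the whole of `$DIR/named.run` rather than a `nextpart` window, which is presumably intended since the condition should never occur at any point in the run.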
@@ -514,24 +539,24 @@ set_zone "checkds-ksk.kasp" set_policy "checkds-ksk" "2" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 
@@ -544,33 +569,33 @@ dnssec_verify basefile=$(key_get KEY1 BASEFILE) _wait_for_metadata() { - _expr=$1 - _file=$2 - grep "$_expr" $_file > /dev/null || return 1 - return 0 + _expr=$1 + _file=$2 + grep "$_expr" $_file >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" # DS State should be forced into RUMOURED. -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" # DS State should be forced into UNRETENTIVE. -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY1" "STATE_DS" "unretentive" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: checkds-doubleksk.kasp. 
@@ -584,35 +609,35 @@ set_zone "checkds-doubleksk.kasp"
 set_policy "checkds-doubleksk" "3" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
 
-set_keyrole "KEY2" "ksk"
-set_keylifetime "KEY2" "0"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
 
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "0"
 set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
 
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
 
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
@@ -625,53 +650,53 @@ dnssec_verify basefile1=$(key_get KEY1 BASEFILE) basefile2=$(key_get KEY2 BASEFILE) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE" -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE" -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds 
-key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn -key correctly 
sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
 rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
-grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
 retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 #
 # Zone: checkds-csk.kasp.
@@ -685,17 +710,17 @@ set_zone "checkds-csk.kasp"
 set_policy "checkds-csk" "1" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
 
 check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -705,147 +730,146 @@ dnssec_verify
 basefile=$(key_get KEY1 BASEFILE)
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
 rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
 retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
 rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
 retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 
 # Set keytimes for dnssec-policy with various algorithms.
 # These all use the same time values.
 set_keytimes_algorithm_policy() {
- # The first KSK is immediately published and activated.
- created=$(key_get KEY1 CREATED)
- set_keytime "KEY1" "PUBLISHED" "${created}"
- set_keytime "KEY1" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY1 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
- published=$(awk '{print $3}' < published.test${n}.key1)
- set_keytime "KEY1" "PUBLISHED" "${published}"
- set_keytime "KEY1" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY1 PUBLISHED)
-
- # The DS can be published if the DNSKEY and RRSIG records are
- # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
- # publish-safety (1h) plus zone-propagation-delay (300s) =
- # 86400 + 3600 + 300 = 90300.
- set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
- # Key lifetime is 10 years, 315360000 seconds.
- set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), and retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600.
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The first ZSKs are immediately published and activated.
- created=$(key_get KEY2 CREATED)
- set_keytime "KEY2" "PUBLISHED" "${created}"
- set_keytime "KEY2" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY2 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
- published=$(awk '{print $3}' < published.test${n}.key2)
- set_keytime "KEY2" "PUBLISHED" "${published}"
- set_keytime "KEY2" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY2 PUBLISHED)
-
- # Key lifetime for KSK2 is 5 years, 157680000 seconds.
- set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
- # The key is removed after the retire time plus max zone ttl (1d), zone
- # propagation delay (300s), retire safety (1h), and sign delay
- # (signature validity minus refresh, 9d) =
- # 86400 + 300 + 3600 + 777600 = 867900.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
- # Second ZSK (KEY3).
- created=$(key_get KEY3 CREATED)
- set_keytime "KEY3" "PUBLISHED" "${created}"
- set_keytime "KEY3" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY3 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key3
- published=$(awk '{print $3}' < published.test${n}.key3)
- set_keytime "KEY3" "PUBLISHED" "${published}"
- set_keytime "KEY3" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY3 PUBLISHED)
-
- # Key lifetime for KSK3 is 1 year, 31536000 seconds.
- set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 - retired=$(key_get KEY3 RETIRED) - set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 + published=$(awk '{print $3}' published.test${n}.key2 + published=$(awk '{print $3}' published.test${n}.key3 + published=$(awk '{print $3}' /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" _wait_for_done_subdomains() { - ret=0 - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" - if [ $ret -gt 0 ]; then return $ret; fi - - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" - return $ret + ret=0 + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" + if [ $ret -gt 0 ]; then return $ret; fi + + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1 + grep "status: NOERROR" 
"dig.out.$DIR.test$n.d" >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" + return $ret } retry_quiet 5 _wait_for_done_subdomains || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: we might want to test: # - configuring a zone with too many active keys (should trigger retire). @@ -1094,24 +1118,23 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -if $SHELL ../testcrypto.sh -q RSASHA1 -then - set_zone "rsasha1-nsec3.kasp" - set_policy "rsasha1-nsec3" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify +if $SHELL ../testcrypto.sh -q RSASHA1; then + set_zone "rsasha1-nsec3.kasp" + set_policy "rsasha1-nsec3" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # 
@@ -1198,77 +1221,77 @@ dnssec_verify
 # Zone: ed25519.kasp.
 #
 if [ -f ed25519-supported.file ]; then
- set_zone "ed25519.kasp"
- set_policy "ed25519" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "15" "ED25519" "256"
- set_keyalgorithm "KEY2" "15" "ED25519" "256"
- set_keyalgorithm "KEY3" "15" "ED25519" "256"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+ set_zone "ed25519.kasp"
+ set_policy "ed25519" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "15" "ED25519" "256"
+ set_keyalgorithm "KEY2" "15" "ED25519" "256"
+ set_keyalgorithm "KEY3" "15" "ED25519" "256"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
 fi
 
 #
 # Zone: ed448.kasp.
 #
 if [ -f ed448-supported.file ]; then
- set_zone "ed448.kasp"
- set_policy "ed448" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "16" "ED448" "456"
- set_keyalgorithm "KEY2" "16" "ED448" "456"
- set_keyalgorithm "KEY3" "16" "ED448" "456"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+ set_zone "ed448.kasp"
+ set_policy "ed448" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "16" "ED448" "456"
+ set_keyalgorithm "KEY2" "16" "ED448" "456"
+ set_keyalgorithm "KEY3" "16" "ED448" "456"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
 fi
 
 # Set key times for 'autosign' policy.
 set_keytimes_autosign_policy() {
- # The KSK was published six months ago (with settime).
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
- # Key lifetime is 2 years, 63072000 seconds.
- active=$(key_get KEY1 ACTIVE)
- set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The ZSK was published six months ago (with settime).
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
- # Key lifetime for KSK2 is 1 year, 31536000 seconds.
- active=$(key_get KEY2 ACTIVE)
- set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
- # The key is removed after the retire time plus:
- # TTLsig (RRSIG TTL): 1 day (86400 seconds)
- # Dprp (propagation delay): 5 minutes (300 seconds)
- # retire-safety: 1 hour (3600 seconds)
- # Dsgn (sign delay): 7 days (604800 seconds)
- # Iret: 695100 seconds.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
+ # The KSK was published six months ago (with settime).
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
+ # Key lifetime is 2 years, 63072000 seconds.
+ active=$(key_get KEY1 ACTIVE)
+ set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
+ # The key is removed after the retire time plus DS TTL (1d),
+ # parent propagation delay (1h), retire safety (1h) =
+ # 86400 + 3600 + 3600 = 93600
+ retired=$(key_get KEY1 RETIRED)
+ set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+ # The ZSK was published six months ago (with settime).
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
+ # Key lifetime for KSK2 is 1 year, 31536000 seconds.
+ active=$(key_get KEY2 ACTIVE)
+ set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
+ # The key is removed after the retire time plus:
+ # TTLsig (RRSIG TTL): 1 day (86400 seconds)
+ # Dprp (propagation delay): 5 minutes (300 seconds)
+ # retire-safety: 1 hour (3600 seconds)
+ # Dsgn (sign delay): 7 days (604800 seconds)
+ # Iret: 695100 seconds.
+ retired=$(key_get KEY2 RETIRED)
+ set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
 }
 
 #
@@ -1278,27 +1301,27 @@ set_zone "expired-sigs.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
 set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
 
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
 set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
 
 # Both KSK and ZSK stay OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
 
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # Expect only two keys.
@@ -1315,42 +1338,39 @@ dnssec_verify
 # Verify all signatures have been refreshed.
 check_rrsig_refresh() {
- # Apex.
- _qtypes="DNSKEY SOA NS NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the zone file it is not refreshed.
- _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
-
- # Below apex.
- _labels="a b c ns3"
- for _label in $_labels;
- do
- _qtypes="A NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
- done
+ # Apex.
+ _qtypes="DNSKEY SOA NS NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the zone file it is not refreshed.
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels; do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+ done
 }
 check_rrsig_refresh
@@ -1373,45 +1393,42 @@ dnssec_verify
 # Verify signature reuse.
 check_rrsig_reuse() {
- # Apex.
- _qtypes="NS NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the signed zone file it is not refreshed.
- _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
- grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
-
- # Below apex.
- _labels="a b c ns3"
- for _label in $_labels;
- do
- _qtypes="A NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the signed zone file it is not refreshed.
- _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
- grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
- done
+ # Apex.
+ _qtypes="NS NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels; do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+ done
 }
 check_rrsig_reuse
@@ -1486,19 +1503,19 @@ set_zone "zsk-retired.autosign"
 set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
 set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
 # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
 # is active.
-set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "hidden"
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
 # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
@@ -1508,24 +1525,24 @@ set_keytimes_autosign_policy
 # The old ZSK is retired.
 created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
-set_addkeytime "KEY2" "REMOVED" "${created}" 695100
+set_keytime "KEY2" "RETIRED" "${created}"
+set_addkeytime "KEY2" "REMOVED" "${created}" 695100
 # The new ZSK is immediately published.
 created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
 # And becomes active after Ipub:
 # DNSKEY TTL: 300 seconds
 # zone-propagation-delay 5 minutes (300 seconds)
 # publish-safety: 1 hour (3600 seconds)
 # Ipub: 4200 seconds
 published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
+set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
 # Lzsk: 1 year (31536000 seconds)
 active=$(key_get KEY3 ACTIVE)
-set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
+set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
 # Iret: 695100 seconds.
 retired=$(key_get KEY3 RETIRED)
-set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
+set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
 
 check_keytimes
 check_apex
@@ -1543,27 +1560,27 @@ set_policy "migrate-to-dnssec-policy" "4" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "16070400"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "16070400"
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
 
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "16070400"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
 
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
 # ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
 
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 # Two keys only.
@@ -1575,7 +1592,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # Make sure the correct legacy keys were used (and not the removed predecessor
 # keys).
-n=$((n+1))
+n=$((n + 1))
 echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
 ret=0
 kskfile=$(cat ns3/legacy-keys.kasp.ksk)
@@ -1587,42 +1604,42 @@ basefile=$(key_get KEY2 BASEFILE) echo_i "filename: $basefile (expect $zskfile)" test "$DIR/$zskfile" = "$basefile" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # KSK times. created=$(key_get KEY1 CREATED) keyfile=$(key_get KEY1 BASEFILE) -grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 -published=$(awk '{print $3}' < published.test${n}.key1) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 +published=$(awk '{print $3}' published.test${n}.key2 -published=$(awk '{print $3}' < published.test${n}.key2) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key2 +published=$(awk '{print $3}' "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2" wait_for_nsec 
@@ -1932,23 +1949,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example2) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3" wait_for_nsec 
@@ -1957,23 +1974,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example3) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Clear TSIG. TSIG="" 
@@ -1990,23 +2007,23 @@ key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 
@@ -2018,27 +2035,27 @@ dnssec_verify # Check that the ZSKs from the other provider are published. zsks_are_published() { - dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 - # We should have three ZSKs. - lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 3 || return 1 - # And one KSK. - lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 1 || return 1 + dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1 + # We should have three ZSKs. + lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 3 || return 1 + # And one KSK. + lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 1 || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add $(cat "${DIR}/${ZONE}.zsk2") -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add $(cat "${DIR}/${ZONE}.zsk2") + echo send ) | $NSUPDATE retry_quiet 10 zsks_are_published || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing manual rollover. 
@@ -2051,24 +2068,24 @@ key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # During set up everything was set to OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" @@ -2077,12 +2094,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first keys were published and activated a day ago. created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 -set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 -set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 # Key lifetimes are unlimited, so not setting RETIRED and REMOVED. check_keytimes check_apex 
@@ -2091,16 +2108,16 @@ dnssec_verify # Schedule KSK rollover in six months (15552000 seconds). active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 +set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 retired=$(key_get KEY1 RETIRED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE" # Rollover starts in six months, but lifetime is set to six months plus # prepublication duration = 15552000 + 7500 = 15559500 seconds. -set_keylifetime "KEY1" "15559500" -set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 +set_keylifetime "KEY1" "15559500" +set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 retired=$(key_get KEY1 RETIRED) # Retire interval of this policy is 26h (93600 seconds). -set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 +set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -2114,21 +2131,21 @@ set_policy "manual-rollover" "3" "3600" set_keystate "KEY1" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY1" "93900" +set_keylifetime "KEY1" "93900" created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -2141,18 +2158,18 @@ set_policy "manual-rollover" "4" "3600" set_keystate "KEY2" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY2" "93900" +set_keylifetime "KEY2" "93900" created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" +set_keytime "KEY2" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" @@ -2163,13 +2180,13 @@ check_subdomain dnssec_verify # Try to schedule a ZSK rollover for an inactive key (should fail). -n=$((n+1)) +n=$((n + 1)) echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)" ret=0 -rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n || ret=1 -grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message" +rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" >rndc.dnssec.rollover.out.$ZONE.$n || ret=1 +grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n >/dev/null || log_error "bad error message" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing DNSSEC introduction. 
@@ -2182,18 +2199,18 @@ set_zone "step1.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # This policy lists only one key (CSK). key_clear "KEY2" key_clear "KEY3" @@ -2205,13 +2222,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" # - The DS can be published if the DNSKEY and RRSIG records are # OMNIPRESENT. This happens after max-zone-ttl (12h) plus # publish-safety (5m) plus zone-propagation-delay (5m) = # 43200 + 300 + 300 = 43800. -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED. # Various signing policy checks. 
@@ -2221,37 +2238,37 @@ check_subdomain dnssec_verify _check_next_key_event() { - _expect=$1 + _expect=$1 - grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1 + grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1 - # Get the latest next key event. - if [ "${DYNAMIC}" = "yes" ]; then - _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1) - else - # inline-signing zone adds "(signed)" - _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1) - fi + # Get the latest next key event. + if [ "${DYNAMIC}" = "yes" ]; then + _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1) + else + # inline-signing zone adds "(signed)" + _time=$(awk '{print $10}' <"keyevent.out.$ZONE.test$n" | tail -1) + fi - # The next key event time must within threshold of the - # expected time. - _expectmin=$((_expect-next_key_event_threshold)) - _expectmax=$((_expect+next_key_event_threshold)) + # The next key event time must within threshold of the + # expected time. + _expectmin=$((_expect - next_key_event_threshold)) + _expectmax=$((_expect + next_key_event_threshold)) - test $_expectmin -le "$_time" || return 1 - test $_expectmax -ge "$_time" || return 1 + test $_expectmin -le "$_time" || return 1 + test $_expectmax -ge "$_time" || return 1 - return 0 + return 0 } check_next_key_event() { - n=$((n+1)) - echo_i "check next key event for zone ${ZONE} ($n)" - ret=0 + n=$((n + 1)) + echo_i "check next key event for zone ${ZONE} ($n)" + ret=0 - retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } 
@@ -2277,9 +2294,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 900 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -900 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # Continue signing policy checks. check_keytimes @@ -2300,7 +2317,7 @@ set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # All signatures should be omnipresent, so the DS can be submitted. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2309,9 +2326,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 44700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 -set_keytime "KEY1" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Continue signing policy checks. check_keytimes 
@@ -2345,9 +2362,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 56700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 # Continue signing policy checks. check_keytimes 
@@ -2383,51 +2400,51 @@ set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 - - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _addtime=$1 + + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Key properties. 
-key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. 
@@ -2457,15 +2474,15 @@ set_zone "step2.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "${Lzsk}" +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "${Lzsk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" @@ -2505,11 +2522,11 @@ set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY3" "yes" -set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY3" "yes" +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Various signing policy checks. check_keys @@ -2520,8 +2537,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -2592000 # - The new ZSK is published 26 hours ago (93600 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 -set_keytime "KEY3" "ACTIVE" "${created}" +set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 +set_keytime "KEY3" "ACTIVE" "${created}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. 
@@ -2530,12 +2547,12 @@ check_apex # Subdomain still has good signatures of ZSK (KEY2). # Set expected zone signing on for KEY2 and off for KEY3, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY2" "yes" -set_zonesigning "KEY3" "no" +set_zonesigning "KEY2" "yes" +set_zonesigning "KEY3" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY2" "no" -set_zonesigning "KEY3" "yes" +set_zonesigning "KEY2" "no" +set_zonesigning "KEY3" "yes" dnssec_verify # Next key event is when all the RRSIG records have been replaced with @@ -2566,9 +2583,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3459600 # - The new ZSK is published 267 hours ago (961200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -2600,9 +2617,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3463200 # - The new ZSK is published 268 hours ago (964800 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. 
@@ -2655,26 +2672,26 @@ set_zone "step1.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. 
@@ -2704,18 +2721,18 @@ set_zone "step2.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2726,7 +2743,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5086800 # - The new KSK is published now. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # The new KSK should publish the CDS after the prepublication time. # TTLkey: 2h # DprpC: 1h @@ -2734,7 +2751,7 @@ set_keytime "KEY3" "PUBLISHED" "${created}" # IpubC: 27h (97200 seconds) IpubC=97200 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" -set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" +set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" # Continue signing policy checks. 
@@ -2760,8 +2777,8 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" # The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY3" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2774,9 +2791,9 @@ check_cdslog "$DIR" "$ZONE" KEY3 rollover_predecessor_keytimes -5184000 # - The new KSK is published 27 hours ago (97200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 # - The new KSK CDS is published now. -set_keytime "KEY3" "SYNCPUBLISH" "${created}" +set_keytime "KEY3" "SYNCPUBLISH" "${created}" syncpub=$(key_get KEY3 SYNCPUBLISH) set_keytime "KEY3" "ACTIVE" "${syncpub}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" @@ -2789,7 +2806,7 @@ dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the 
@@ -2806,11 +2823,11 @@ set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # New KSK (KEY3) DS is now OMNIPRESENT. -set_keystate "KEY3" "STATE_DS" "omnipresent" +set_keystate "KEY3" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -2821,7 +2838,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5364000 # - The new KSK is published 77 hours ago (277200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) @@ -2858,7 +2875,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5371200 # - The new KSK is published 79 hours ago (284400 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) 
@@ -2909,13 +2926,13 @@ IretZSK=2257200 IretCSK=$IretZSK csk_rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" } # @@ -2925,18 +2942,18 @@ set_zone "step1.csk-roll.autosign" set_policy "csk-roll" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "${Lcsk}" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "${Lcsk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" 
@@ -2965,19 +2982,19 @@ set_zone "step2.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2988,12 +3005,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3014,8 +3031,8 @@ set_zone "step3.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # Swap zone signing role. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" # CSK (KEY1) will be removed, so moving to UNRETENTIVE. set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED. @@ -3023,8 +3040,8 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3037,10 +3054,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3049,17 +3066,17 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the @@ -3079,9 +3096,9 @@ set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) DS is now OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys 
@@ -3092,10 +3109,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16084800 # - The new CSK started signing 4h ago (14400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3127,10 +3144,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16092000 # - The new CSK started signing 6h ago (21600 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 +set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3168,10 +3185,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18327600 # - The new CSK is activated 627 hours ago (2257200 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3203,10 +3220,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18334800 # - The new CSK is activated 629 hours ago (2264400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3262,18 +3279,18 @@ set_zone "step1.csk-roll2.autosign" set_policy "csk-roll2" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "16070400" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" 
@@ -3303,19 +3320,19 @@ set_zone "step2.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -3326,12 +3343,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # - Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3351,16 +3368,16 @@ set_zone "step3.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # CSK (KEY1) can be removed, so move to UNRETENTIVE. -set_zonesigning "KEY1" "no" -set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state. -set_zonesigning "KEY2" "yes" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "yes" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3373,10 +3390,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3385,12 +3402,12 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. @@ -3406,8 +3423,8 @@ rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # positives on slow platforms by subtracting the number of seconds which # passed between key creation and invoking 'rndc dnssec -checkds'. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) -next_time=$((136800-time_passed)) +time_passed=$((now - start_time)) +next_time=$((136800 - time_passed)) check_next_key_event $next_time # @@ -3430,10 +3447,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16207200 # - The new CSK was published 41 hours (147600 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3458,12 +3475,12 @@ set_zone "step5.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. -set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -3474,10 +3491,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16682400 # - The new CSK was published 173 hours (622800 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3510,10 +3527,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16689600 # - The new CSK was published 175 hours (630000 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3556,39 +3573,39 @@ Lzsk=31536000 IretKSK=180000 IretZSK=867600 # KSK (KEY1) is outgoing. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "unretentive" # KSK (KEY2) is incoming. -key_clear "KEY2" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "${Lksk}" +key_clear "KEY2" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "${Lksk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "rumoured" # We will introduce the third KSK shortly. -key_clear "KEY3" +key_clear "KEY3" # ZSK (KEY4). 
-key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "${Lzsk}" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "${Lzsk}" set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" -set_keystate "KEY4" "GOAL" "omnipresent" -set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" # Run preliminary tests. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3598,7 +3615,7 @@ dnssec_verify # Roll over KEY2. # Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay, # plus the publish-safety: 7200s + 1h + 1d = 97200 seconds. -set_keylifetime "KEY2" "97200" +set_keylifetime "KEY2" "97200" created=$(key_get KEY2 CREATED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # Update expected number of keys and key states. 
@@ -3606,15 +3623,15 @@ set_keystate "KEY2" "GOAL" "hidden" set_policy "ksk-doubleksk" "4" "7200" CDNSKEY="no" # New KSK (KEY3) is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" # Run tests again. We now expect four keys (3x KSK, 1x ZSK). check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3627,22 +3644,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -3665,29 +3682,29 @@ set_zone "step1.algorithm-roll.kasp" set_policy "rsasha256" "2" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 
@@ -3713,21 +3730,21 @@ set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys 
@@ -3770,31 +3787,31 @@ IretKSK=93600 IretZSK=867900 init_migration_insecure() { - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "${Lksk}" - set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" - set_keystate "KEY1" "STATE_DS" "omnipresent" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "${Lzsk}" - set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "${Lksk}" + set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" + set_keystate "KEY1" "STATE_DS" "omnipresent" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "${Lzsk}" + set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + + key_clear "KEY3" + key_clear "KEY4" } init_migration_insecure 
@@ -3837,17 +3854,17 @@ set_zone "step1.going-straight-to-none.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" @@ -3858,8 +3875,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Key lifetime is unlimited, so not setting RETIRED and REMOVED. check_keytimes 
@@ -3876,45 +3893,45 @@ rndc_reconfig ns6 10.53.0.6 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 
|| ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test dynamic zones that switch to inline-signing. @@ -3922,22 +3939,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -3995,14 +4012,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys @@ -4063,14 +4080,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys 
@@ -4093,17 +4110,17 @@ set_server "ns6" "10.53.0.6" # The zone will go bogus after signatures expire, but remains validly signed for now. # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" 
@@ -4131,47 +4148,47 @@ set_zone "step1.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # New ECDSAP256SHA256 keys. -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ECDSAP256SHA256 keys are introducing. 
-set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" 
@@ -4185,9 +4202,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes 0 # - KSK must be retired since it no longer matches the policy. keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' dig.out.ns6.test$n.soa2 || return 1 - soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) - soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) - ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) - ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) - test ${soa1:-1000} -lt ${soa2:-0} || return 1 - test ${ttl1:-0} -eq $1 || return 1 - test ${ttl2:-0} -eq $2 || return 1 + dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa2 || return 1 + soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) + ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) + ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) + test ${soa1:-1000} -lt ${soa2:-0} || return 1 + test ${ttl1:-0} -eq $1 || return 1 + test ${ttl2:-0} -eq $2 || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1 cp 
ns6/example2.db.in ns6/example.db || ret=1 -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null rndccmd 10.53.0.6 reload || ret=1 wait_for_log 3 "all zones loaded" ns6/named.run # Check that the SOA SERIAL increases and check the TTLs (should be 300 as # defined in ns6/example2.db.in). retry_quiet 10 _check_soa_ttl 300 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1 stop_server --use-rndc --port ${CONTROLPORT} ns6 # TTL of all records change from 300 to 400 cp ns6/example3.db.in ns6/example.db || ret=1 rm ns6/example.db.jnl -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns6 wait_for_log 3 "all zones loaded" ns6/named.run # Check that the SOA SERIAL increases and check the TTLs (should be changed # from 300 to 400 as defined in ns6/example3.db.in). retry_quiet 10 _check_soa_ttl 300 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/keepalive/ns2/named.conf.in b/bin/tests/system/keepalive/ns2/named.conf.in index 8ccf1c4..011e1d0 100644 --- a/bin/tests/system/keepalive/ns2/named.conf.in +++ b/bin/tests/system/keepalive/ns2/named.conf.in @@ -36,7 +36,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/keepalive/ns3/named.conf.in b/bin/tests/system/keepalive/ns3/named.conf.in index 3713f13..76e5a5b 100644 --- a/bin/tests/system/keepalive/ns3/named.conf.in +++ b/bin/tests/system/keepalive/ns3/named.conf.in 
@@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/keepalive/tests.sh b/bin/tests/system/keepalive/tests.sh index 7314a9e..c8b379d 100644 --- a/bin/tests/system/keepalive/tests.sh +++ b/bin/tests/system/keepalive/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" +RNDCCMD="$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" n=0 status=0 @@ -24,8 +24,8 @@ status=0 echo_i "checking that dig handles TCP keepalive ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -33,49 +33,49 @@ echo_i "checking that dig added TCP keepalive ($n)" ret=0 n=$((n + 1)) $RNDCCMD stats -grep "EDNS TCP keepalive option received" ns2/named.stats > /dev/null || ret=1 +grep "EDNS TCP keepalive option received" ns2/named.stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that TCP keepalive is added for TCP responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that TCP keepalive requires TCP ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default value ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 > dig.out.test$n -grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 >dig.out.test$n +grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking configured value ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking re-configured value ($n)" ret=0 
n=$((n + 1)) -$RNDCCMD tcp-timeouts 300 300 300 200 > output +$RNDCCMD tcp-timeouts 300 300 300 200 >output diff -b output expected || ret=1 -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -83,12 +83,12 @@ echo_i "checking server config entry ($n)" ret=0 n=$((n + 1)) $RNDCCMD stats -oka=$(grep "EDNS TCP keepalive option received" ns2/named.stats | \ - tail -1 | awk '{ print $1}') -$DIG $DIGOPTS bar.example @10.53.0.3 > dig.out.test$n +oka=$(grep "EDNS TCP keepalive option received" ns2/named.stats \ + | tail -1 | awk '{ print $1}') +$DIG $DIGOPTS bar.example @10.53.0.3 >dig.out.test$n $RNDCCMD stats -nka=$(grep "EDNS TCP keepalive option received" ns2/named.stats | \ - tail -1 | awk '{ print $1}') +nka=$(grep "EDNS TCP keepalive option received" ns2/named.stats \ + | tail -1 | awk '{ print $1}') #echo oka ':' $oka #echo nka ':' $nka if [ "$oka" -eq "$nka" ]; then ret=1; fi diff --git a/bin/tests/system/keyfromlabel/prereq.sh b/bin/tests/system/keyfromlabel/prereq.sh index 2002c2a..66a7f81 100644 --- a/bin/tests/system/keyfromlabel/prereq.sh +++ b/bin/tests/system/keyfromlabel/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh if [ -n "${SOFTHSM2_MODULE}" ] && command -v pkcs11-tool >/dev/null && command -v softhsm2-util >/dev/null; then - exit 0 + exit 0 fi echo_i "skip: softhsm2-util or pkcs11-tool not available" diff --git a/bin/tests/system/keyfromlabel/setup.sh b/bin/tests/system/keyfromlabel/setup.sh index 703814d..a809aee 100644 --- a/bin/tests/system/keyfromlabel/setup.sh +++ b/bin/tests/system/keyfromlabel/setup.sh 
@@ -18,5 +18,5 @@ set -e softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-keyfromlabel" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -printf '%s' "${HSMPIN:-1234}" > pin +printf '%s' "${HSMPIN:-1234}" >pin PWD=$(pwd) diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index 5cedbf9..6c38ec6 100644 --- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh 
@@ -19,74 +19,72 @@ set -e PWD=$(pwd) keygen() { - type="$1" - bits="$2" - zone="$3" - id="$4" - - label="${id}-${zone}" - p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id || return 1 } keyfromlabel() { - alg="$1" - zone="$2" - id="$3" - shift 3 + alg="$1" + zone="$2" + id="$3" + shift 3 - $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1 - cat keyfromlabel.out.$zone.$id + $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>>/dev/null || return 1 + cat keyfromlabel.out.$zone.$id } infile="template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - - if $SHELL ../testcrypto.sh $alg; then - zone="$alg.example" - zonefile="zone.$alg.example.db" - ret=0 - - echo_i "Generate keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone keyfromlabel-zsk || ret=1 - keygen $type $bits $zone keyfromlabel-ksk || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # Skip dnssec-keyfromlabel if key 
generation failed. - test $ret -eq 0 || continue - - echo_i "Get ZSK $alg $zone $type:$bits" - ret=0 - zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk) - test -z "$zsk" && ret=1 - test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)" - status=$((status+ret)) - - echo_i "Get KSK $alg $zone $type:$bits" - ret=0 - ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK) - test -z "$ksk" && ret=1 - test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)" - status=$((status+ret)) - - # Skip signing if dnssec-keyfromlabel failed. - test $ret -eq 0 || continue - - echo_i "Sign zone with $ksk $zsk" - ret=0 - cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" - $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - fi + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone keyfromlabel-zsk || ret=1 + keygen $type $bits $zone keyfromlabel-ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # Skip dnssec-keyfromlabel if key generation failed. + test $ret -eq 0 || continue + + echo_i "Get ZSK $alg $zone $type:$bits" + ret=0 + zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk) + test -z "$zsk" && ret=1 + test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)" + status=$((status + ret)) + + echo_i "Get KSK $alg $zone $type:$bits" + ret=0 + ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK) + test -z "$ksk" && ret=1 + test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)" + status=$((status + ret)) + + # Skip signing if dnssec-keyfromlabel failed. 
+ test $ret -eq 0 || continue + + echo_i "Sign zone with $ksk $zsk" + ret=0 + cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" + $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + fi done echo_i "exit status: $status" diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh index 1fe2bb9..3f6a76f 100644 --- a/bin/tests/system/keymgr2kasp/clean.sh +++ b/bin/tests/system/keymgr2kasp/clean.sh @@ -31,4 +31,3 @@ rm -f ./retired.* rm -f ./rndc.dnssec.* rm -f ./unused.key* rm -f ./verify.out.* - diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh index 9f53851..ef2623b 100644 --- a/bin/tests/system/keymgr2kasp/ns3/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh @@ -17,10 +17,10 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" } # Make lines shorter by storing key states in environment variables. 
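Review bot: The reformatted `for` header now ends in `...ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC`, and the commented-out `# ed25519:EC:edwards25519 ed448:EC:edwards448` entry has moved into the loop body, so the note about unsupported curves is no longer next to the algorithm list it annotates and reads as if it described the body. Keeping both comment lines together directly above the `for` line (`# Edwards curves are not yet supported by OpenSC:` / `#   ed25519:EC:edwards25519 ed448:EC:edwards448`) preserves the original intent. On the same new side, `2>>/dev/null` in keyfromlabel() appends to /dev/null, which behaves the same as `2>/dev/null` and looks like a typo worth fixing while the lines are being touched. The PIN is still passed to pkcs11-tool as an argv value via `--pin $(cat $PWD/pin)` even though keyfromlabel() already reads it from the file through `pin-source=$PWD/pin`; this is a fixed test PIN, but if pkcs11-tool in the supported OpenSC versions can read the PIN from a file or environment variable, using that would keep the two helpers consistent (unverified here).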
@@ -31,87 +31,87 @@ U="UNRETENTIVE" # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. setup migrate.kasp -echo "$zone" >> zones +echo "$zone" >>zones ksktimes="-P now -A now -P sync now" zsktimes="-P now -A now" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up Single-Type Signing Scheme zones with auto-dnssec maintain to # migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;' # configured, meaning the zone is signed with a single CSK. 
setup csk.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 setup csk-nosep.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # RSASHA256 keys, and will be migrated to a dnssec-policy that dictates # ECDSAP256SHA256 keys. 
setup migrate-nomatch-algnum.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that # dictates 3072 bits RSASHA256 keys. 
setup migrate-nomatch-alglen.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to default dnssec-policy. # The zone is signed with KSK/ZSK split, but the dnssec-policy uses CSK. 
setup migrate-nomatch-kzc.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" cp $infile $zonefile -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # Set up zones to test time metadata correctly sets state. 
@@ -119,30 +119,30 @@ $SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infi # Key states expected to be rumoured after migration. setup rumoured.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-2h" Tkey="now-300s" Tsig="now-11h" ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Key states expected to be omnipresent after migration. 
setup omnipresent.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh index 63121a0..d5a63e0 100644 --- a/bin/tests/system/keymgr2kasp/ns4/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh 
@@ -25,22 +25,22 @@ U="UNRETENTIVE" zone="view-rsasha256.kasp" algo="RSASHA256" num="8" -echo "$zone" >> zones +echo "$zone" >>zones # Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy. # The keys for these zones are in use long enough that they should start a # rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y). ksktimes="-P -186d -A -186d -P sync -186d" zsktimes="-P -186d -A -186d" -KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2) +KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2>keygen.out.$zone.2) echo_i "setting up zone $zone (external)" view="ext" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" echo_i "setting up zone $zone (internal)" view="int" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh index e43f798..7c53890 100644 --- a/bin/tests/system/keymgr2kasp/setup.sh +++ b/bin/tests/system/keymgr2kasp/setup.sh @@ -25,10 +25,10 @@ copy_setports ns3/kasp.conf.in ns3/kasp.conf # Setup zones ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh index 6f9caae..57c1445 100644 --- a/bin/tests/system/keymgr2kasp/tests.sh +++ b/bin/tests/system/keymgr2kasp/tests.sh 
@@ -29,17 +29,17 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. 
@@ -50,29 +50,29 @@ next_key_event_threshold=100 ############################################################################### set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) + _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Policy parameters. @@ -81,7 +81,6 @@ rollover_predecessor_keytimes() { Lksk=0 Lzsk=0 - ################################################# # Test state before switching to dnssec-policy. # ################################################# 
@@ -90,38 +89,38 @@ Lzsk=0 # $1 $2: Algorithm number and string. # $3 $4: KSK and ZSK size. init_migration_keys() { - key_clear "KEY1" - key_set "KEY1" "LEGACY" "yes" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "none" - set_keyalgorithm "KEY1" "$1" "$2" "$3" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - key_set "KEY2" "LEGACY" "yes" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "none" - set_keyalgorithm "KEY2" "$1" "$2" "$4" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "none" + set_keyalgorithm "KEY1" "$1" "$2" "$3" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "none" + set_keyalgorithm "KEY2" "$1" "$2" "$4" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" } # Set expected key states for migration tests. # $1: Goal # $2: States init_migration_states() { - set_keystate "KEY1" "GOAL" "$1" - set_keystate "KEY1" "STATE_DNSKEY" "$2" - set_keystate "KEY1" "STATE_KRRSIG" "$2" - set_keystate "KEY1" "STATE_DS" "$2" - - set_keystate "KEY2" "GOAL" "$1" - set_keystate "KEY2" "STATE_DNSKEY" "$2" - set_keystate "KEY2" "STATE_ZRRSIG" "$2" + set_keystate "KEY1" "GOAL" "$1" + set_keystate "KEY1" "STATE_DNSKEY" "$2" + set_keystate "KEY1" "STATE_KRRSIG" "$2" + set_keystate "KEY1" "STATE_DS" "$2" + + set_keystate "KEY2" "GOAL" "$1" + set_keystate "KEY2" "STATE_DNSKEY" "$2" + set_keystate "KEY2" "STATE_ZRRSIG" "$2" } # 
@@ -154,21 +153,21 @@ set_zone "csk.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "ksk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "ksk" # This key also acts as a ZSK. -key_set "KEY1" "ZSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "ZSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -179,9 +178,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex 
@@ -197,21 +196,21 @@ set_zone "csk-nosep.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "zsk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "zsk" # Despite the missing SEP bit, this key also acts as a KSK. -key_set "KEY1" "KSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "KSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -222,9 +221,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex 
@@ -292,15 +291,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # -P sync: now-3h # -A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # The ZSK is immediately published and activated. # -P: now-3900s # -A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -330,15 +329,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # P sync: now-3h # A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # - The ZSK is immediately published and activated. # P: now-3900s # A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain 
@@ -368,15 +367,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # P sync: now-3h # A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # - The ZSK is immediately published and activated. # P: now-3900s # A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain 
@@ -395,47 +394,46 @@ rndc_reconfig ns3 10.53.0.3 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 
|| ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } - ################################################ # Test state after switching to dnssec-policy. # ################################################ @@ -478,9 +476,9 @@ rollover_predecessor_keytimes 0 # retire-safety: 1h (3600 seconds) # IretZSK: 10d65m (867900 seconds) active=$(key_get KEY2 ACTIVE) -set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -489,13 +487,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK). 
@@ -504,19 +502,19 @@ set_zone "csk.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -529,9 +527,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -540,12 +538,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK, no SEP). 
@@ -554,20 +552,20 @@ set_zone "csk-nosep.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -key_set "KEY1" "FLAGS" "256" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +key_set "KEY1" "FLAGS" "256" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -580,9 +578,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -591,12 +589,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match key algorithm. 
@@ -611,24 +609,24 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "5184000" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" 
@@ -650,13 +648,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' CSK). 
@@ -844,18 +842,18 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "csk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "csk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" # This key is considered to be prepublished, so it is not yet signing. set_keystate "KEY3" "STATE_ZRRSIG" "hidden" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" # Various signing policy checks. check_keys 
@@ -875,13 +873,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_ext8_ksk=$(key_get KEY1 ID) 
@@ -1134,16 +1131,16 @@ set_keytimes_view_migration check_keytimes dnssec_verify -n=$((n+1)) +n=$((n + 1)) # check subdomain echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_int8_ksk=$(key_get KEY1 ID) @@ -1156,7 +1153,7 @@ rndc_reconfig ns4 10.53.0.4 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # 
@@ -1169,26 +1166,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048" init_migration_states "omnipresent" "rumoured" # Key properties, timings and metadata should be the same as legacy keys above. # However, because the keys have a lifetime, kasp will set the retired time. -key_set "KEY1" "LEGACY" "no" -set_keylifetime "KEY1" "31536000" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" - -key_set "KEY2" "LEGACY" "no" -set_keylifetime "KEY2" "8035200" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +key_set "KEY1" "LEGACY" "no" +set_keylifetime "KEY1" "31536000" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY2" "8035200" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ZSK needs to be replaced. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "8035200" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "8035200" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" # not yet -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_ZRRSIG" "hidden" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # not yet +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" # Various signing policy checks (external). TSIG="$DEFAULT_HMAC:external:$VIEW1" 
@@ -1199,11 +1196,11 @@ set_keytimes_view_migration # Set expected key times: published=$(key_get KEY1 PUBLISHED) -set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "ACTIVE" "${published}" set_keytime "KEY1" "SYNCPUBLISH" "${published}" # Lifetime: 1 year (8035200 seconds) active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" +set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" # Retire interval: # DS TTL: 1d # Parent zone propagation: 3h @@ -1227,7 +1224,7 @@ retired=$(key_get KEY2 RETIRED) set_addkeytime "KEY2" "REMOVED" "${retired}" "867900" created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # Publication interval: # DNSKEY TTL: 300s # Publish safety: 1h @@ -1262,7 +1259,7 @@ check_apex dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag" @@ -1270,7 +1267,7 @@ ret=0 [ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/legacy.run.sh.in b/bin/tests/system/legacy.run.sh.in index b523637..2004615 100644 --- a/bin/tests/system/legacy.run.sh.in +++ b/bin/tests/system/legacy.run.sh.in 
@@ -23,15 +23,15 @@ srcdir=@abs_srcdir@ . ${builddir}/conf.sh if [ "$CI_SERVER" != "yes" ] && [ "$(id -u)" -eq "0" ] && [ "@DEVELOPER_MODE@" != "yes" ]; then - echofail "Refusing to run test as root. Build with --enable-developer to override." >&2 - exit 1 + echofail "Refusing to run test as root. Build with --enable-developer to override." >&2 + exit 1 fi export builddir export srcdir date_with_args() ( - date "+%Y-%m-%dT%T%z" + date "+%Y-%m-%dT%T%z" ) stopservers=true 
@@ -39,99 +39,71 @@ stopservers=true baseport=0 if [ "${SYSTEMTEST_NO_CLEAN:-0}" -eq 1 ]; then - clean=false + clean=false else - clean=true + clean=true fi -do_run=false restart=false -log_flags="-r" -while getopts "sknp:r-:t" OPT; do - log_flags="$log_flags -$OPT$OPTARG" - if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then - OPT="${OPTARG%%=*}" - OPTARG="${OPTARG#$OPT}" - OPTARG="${OPTARG#=}" - fi - - # shellcheck disable=SC2214 - case "$OPT" in - k | keep) stopservers=false ;; - n | noclean) clean=false ;; - p | port) baseport=$OPTARG ;; - r | run) do_run=true ;; - s | skip) exit 77 ;; - t | restart) restart=true ;; - -) break ;; - *) echo "invalid option" >&2; exit 1 ;; - esac +while getopts "sknp:-:t" OPT; do + if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then + OPT="${OPTARG%%=*}" + OPTARG="${OPTARG#$OPT}" + OPTARG="${OPTARG#=}" + fi + + # shellcheck disable=SC2214 + case "$OPT" in + k | keep) stopservers=false ;; + n | noclean) clean=false ;; + p | port) baseport=$OPTARG ;; + s | skip) exit 0 ;; + t | restart) restart=true ;; + -) break ;; + *) + echo "invalid option" >&2 + exit 1 + ;; + esac done -shift $((OPTIND-1)) - -if ! $do_run; then - if [ "$baseport" -eq 0 ]; then - log_flags="$log_flags -p 5300" - fi - env - \ - CYGWIN="$CYGWIN" \ - SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" \ - SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" \ - SLOT="$SLOT" \ - OPENSSL_CONF="$OPENSSL_CONF" \ - SOFTHSM2_CONF="$SOFTHSM2_CONF" \ - SOFTHSM2_MODULE="$SOFTHSM2_MODULE" \ - PATH="$PATH" \ - ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} \ - TESTS="$*" \ - TEST_SUITE_LOG=run.log \ - LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" \ - LOG_FLAGS="$log_flags" \ - TEST_LARGE_MAP="${TEST_LARGE_MAP}" \ - CI_ENABLE_ALL_TESTS="${CI_ENABLE_ALL_TESTS}" \ - ${VIRTUAL_ENV:+"VIRTUAL_ENV=${VIRTUAL_ENV}"} \ - ${PERL5LIB:+"PERL5LIB=${PERL5LIB}"} \ - make -e check - exit $? 
-fi +shift $((OPTIND - 1)) if [ $# -eq 0 ]; then - echofail "Usage: $0 [-k] [-n] [-p ] test-directory [test-options]" >&2; - exit 1 + echofail "Usage: $0 [-k] [-n] [-p ] test-directory [test-options]" >&2 + exit 1 fi systest=$(basename "${1%%/}") shift if [ ! -d "${srcdir}/$systest" ]; then - echofail "$0: $systest: no such test" >&2 - exit 1 + echofail "$0: $systest: no such test" >&2 + exit 1 fi if [ "${srcdir}" != "${builddir}" ]; then - if [ ! -d common ] || [ ! -r common/.prepared ]; then - cp -a "${srcdir}/common" "${builddir}" - fi - # Some tests require additional files to work for out-of-tree test runs. - for file in ckdnsrps.sh conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl pytest_custom_markers.py start.pl stop.pl testcrypto.sh; do - if [ ! -r "${file}" ]; then - cp -a "${srcdir}/${file}" "${builddir}" - fi - done - if [ ! -d "$systest" ] || [ ! -r "$systest/.prepared" ]; then - mkdir -p "${builddir}/$systest" - cp -a "${srcdir}/$systest" "${builddir}/" - touch "$systest/.prepared" + if [ ! -d _common ] || [ ! -r _common/.prepared ]; then + cp -a "${srcdir}/_common" "${builddir}" + fi + # Some tests require additional files to work for out-of-tree test runs. + for file in ckdnsrps.sh conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl start.pl stop.pl testcrypto.sh; do + if [ ! -r "${file}" ]; then + cp -a "${srcdir}/${file}" "${builddir}" fi + done + if [ ! -d "$systest" ] || [ ! -r "$systest/.prepared" ]; then + mkdir -p "${builddir}/$systest" + cp -a "${srcdir}/$systest" "${builddir}/" + touch "$systest/.prepared" + fi fi if [ ! -d "${systest}" ]; then - echofail "$0: $systest: no such test" >&2 - exit 1 + echofail "$0: $systest: no such test" >&2 + exit 1 fi - # Determine which ports to use for this system test. eval "$(cd "${srcdir}" && ./get_ports.sh -p "$baseport" -t "$systest")" 
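Review bot: `s | skip) exit 0 ;;` in the rewritten getopts case changes the skip status from 77 to 0, so a test that asks to be skipped is now reported to its caller as a pass; the same 77-to-0 change appears in the prerequisite branch of the next hunk, right after `echowarn "R:$systest:SKIPPED"`. If the new driver decides skip-vs-pass from the `R:$systest:SKIPPED` marker rather than from the exit status, a one-line comment at both sites (`# skip is signalled via R:...:SKIPPED, not via the exit status`) would keep the next reader from restoring 77; if it does not, keeping `exit 77` preserves the distinction that the removed `make -e check` path relied on. Separately, with the `do_run` branch gone, the `-p` value in `$baseport` reaches `eval "$(cd "${srcdir}" && ./get_ports.sh -p "$baseport" -t "$systest")"` without passing the `[ "$baseport" -eq 0 ]` numeric test that the removed branch applied. A guard after `shift $((OPTIND - 1))` such as `case "$baseport" in ''|*[!0-9]*) echofail "$0: invalid port: $baseport" >&2; exit 1 ;; esac` keeps non-numeric input out of the eval'd command.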
@@ -140,170 +112,137 @@ eval "$(cd "${srcdir}" && ./get_ports.sh -p "$baseport" -t "$systest")" # retained for each run by calling start.pl with the --restart command-line # option for all invocations except the first one. start_servers() { - echoinfo "I:$systest:starting servers" - if $restart || [ "$run" -gt 0 ]; then - restart_opt="--restart" - fi - if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then - echoinfo "I:$systest:starting servers failed" - return 1 - fi + echoinfo "I:$systest:starting servers" + if $restart || [ "$run" -gt 0 ]; then + restart_opt="--restart" + fi + if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then + echoinfo "I:$systest:starting servers failed" + return 1 + fi } stop_servers() { - if $stopservers; then - echoinfo "I:$systest:stopping servers" - if ! $PERL stop.pl "$systest"; then - echoinfo "I:$systest:stopping servers failed" - return 1 - fi + if $stopservers; then + echoinfo "I:$systest:stopping servers" + if ! $PERL stop.pl "$systest"; then + echoinfo "I:$systest:stopping servers failed" + return 1 fi + fi } echostart "S:$systest:$(date_with_args)" -echoinfo "T:$systest:1:A" -echoinfo "A:$systest:System test $systest" -echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${HTTPPORT},${HTTPSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}" - -$PERL ${srcdir}/testsock.pl -p "$PORT" || { - echowarn "I:$systest:Network interface aliases not set up. Skipping test." - echowarn "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1; +echoinfo "T:$systest:1:A" +echoinfo "A:$systest:System test $systest" +echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${HTTPPORT},${HTTPSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}" + +$PERL ${srcdir}/testsock.pl -p "$PORT" || { + echowarn "I:$systest:Network interface aliases not set up. Skipping test." 
+ echowarn "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 } # Check for test-specific prerequisites. -test ! -f "$systest/prereq.sh" || ( cd "${systest}" && $SHELL prereq.sh "$@" ) +test ! -f "$systest/prereq.sh" || (cd "${systest}" && $SHELL prereq.sh "$@") result=$? if [ $result -eq 0 ]; then - : prereqs ok + : prereqs ok else - echowarn "I:$systest:Prerequisites missing, skipping test." - echowarn "R:$systest:SKIPPED"; - echoend "E:$systest:$(date_with_args)" - exit 77 + echowarn "I:$systest:Prerequisites missing, skipping test." + echowarn "R:$systest:SKIPPED" + echoend "E:$systest:$(date_with_args)" + exit 0 fi # Clean up files left from any potential previous runs except when # started with the --restart option. if ! $restart; then - if test -f "$systest/clean.sh"; then - if ! ( cd "${systest}" && $SHELL clean.sh "$@" ); then - echowarn "I:$systest:clean.sh script failed" - echofail "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1 - fi + if test -f "$systest/clean.sh"; then + if ! (cd "${systest}" && $SHELL clean.sh "$@"); then + echowarn "I:$systest:clean.sh script failed" + echofail "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 fi + fi fi # Set up any dynamically generated test data -if test -f "$systest/setup.sh" -then - if ! ( cd "${systest}" && $SHELL setup.sh "$@" ); then - echowarn "I:$systest:setup.sh script failed" - echofail "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1 - fi +if test -f "$systest/setup.sh"; then + if ! (cd "${systest}" && $SHELL setup.sh "$@"); then + echowarn "I:$systest:setup.sh script failed" + echofail "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 + fi fi status=0 run=0 # Run the tests if [ -r "$systest/tests.sh" ]; then - if start_servers; then - ( cd "$systest" && $SHELL tests.sh "$@" ) - status=$? 
- run=$((run+1)) - stop_servers || status=1 - else - status=1 - fi -fi - -if [ $status -eq 0 ]; then - if [ -n "$PYTEST" ]; then - for test in $(cd "${systest}" && find . -name "tests*.py" ! -name "tests_sh_*.py"); do - rm -f "$systest/$test.status" - if start_servers; then - run=$((run+1)) - test_status=0 - (cd "$systest" && LEGACY_TEST_RUNNER=1 "$PYTEST" -rsxX -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d - if [ -f "$systest/$test.status" ]; then - if [ "$(cat "$systest/$test.status")" = "5" ]; then - echowarn "R:$systest:SKIPPED" - else - echo_i "FAILED" - test_status=$(cat "$systest/$test.status") - fi - fi - status=$((status+test_status)) - stop_servers || status=1 - else - status=1 - fi - if [ $status -ne 0 ]; then - break - fi - done - rm -f "$systest/$test.status" - else - echoinfo "I:$systest:pytest not installed, skipping python tests" - fi + if start_servers; then + (cd "$systest" && $SHELL tests.sh "$@") + status=$? + run=$((run + 1)) + stop_servers || status=1 + else + status=1 + fi fi if [ "$run" -eq "0" ]; then - echoinfo "I:$systest:No tests were found and run" - status=255 + echoinfo "I:$systest:No tests were found and run" + status=255 fi -if $stopservers -then - : +if $stopservers; then + : else - exit $status + exit $status fi $SHELL get_core_dumps.sh "$systest" || status=1 print_outstanding_files() { - if test -d ${srcdir}/../../../.git; then - git status -su --ignored "${systest}/" 2>/dev/null | \ - sed -n -e 's|^?? \(.*\)|I:'"${systest}"':file \1 not removed|p' \ - -e 's|^!! \(.*/named.run\)$|I:'"${systest}"':file \1 not removed|p' \ - -e 's|^!! \(.*/named.memstats\)$|I:'"${systest}"':file \1 not removed|p' - fi + if test -d ${srcdir}/../../../.git; then + git status -su --ignored "${systest}/" 2>/dev/null \ + | sed -n -e 's|^?? \(.*\)|I:'"${systest}"':file \1 not removed|p' \ + -e 's|^!! \(.*/named.run\)$|I:'"${systest}"':file \1 not removed|p' \ + -e 's|^!! 
\(.*/named.memstats\)$|I:'"${systest}"':file \1 not removed|p' + fi } print_outstanding_files_oot() { - if test -d ${srcdir}/../../../.git; then - git -C "${srcdir}/${systest}" ls-files | sed "s|^|${systest}/|" > gitfiles.txt - find "${systest}/" -type f ! -name .prepared ! -name Makefile > testfiles.txt - grep -F -x -v -f gitfiles.txt testfiles.txt - rm -f gitfiles.txt testfiles.txt - fi + if test -d ${srcdir}/../../../.git; then + git -C "${srcdir}/${systest}" ls-files | sed "s|^|${systest}/|" >gitfiles.txt + find "${systest}/" -type f ! -name .prepared ! -name Makefile >testfiles.txt + grep -F -x -v -f gitfiles.txt testfiles.txt + rm -f gitfiles.txt testfiles.txt + fi } if [ $status -ne 0 ]; then - echofail "R:$systest:FAIL" + echofail "R:$systest:FAIL" else - echopass "R:$systest:PASS" - if $clean && ! $restart; then - ( cd "${systest}" && $SHELL clean.sh "$@" ) - if [ "${srcdir}" = "${builddir}" ]; then - print_outstanding_files - else - print_outstanding_files_oot | xargs rm -f - find "${systest}/" \( -type d -empty \) -delete 2>/dev/null - fi + echopass "R:$systest:PASS" + if $clean && ! $restart; then + (cd "${systest}" && $SHELL clean.sh "$@") + if [ "${srcdir}" = "${builddir}" ]; then + print_outstanding_files + else + print_outstanding_files_oot | xargs rm -f + find "${systest}/" \( -type d -empty \) -delete 2>/dev/null fi + fi fi NAMED_RUN_LINES_THRESHOLD=200000 find "${systest}" -type f -name "named.run" -exec wc -l {} \; | awk "\$1 > ${NAMED_RUN_LINES_THRESHOLD} { print \$2 }" | sort | while read -r LOG_FILE; do - echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O" + echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O" done echoend "E:$systest:$(date_with_args)" diff --git a/bin/tests/system/legacy/ns6/sign.sh b/bin/tests/system/legacy/ns6/sign.sh index f76b3c2..96ce285 100755 
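Review bot: `print_outstanding_files_oot | xargs rm -f` in the PASS branch feeds newline-separated paths to xargs's default whitespace-and-quote parsing, so a leftover file whose name contains a space or a quote character is split or rejected instead of removed, and a name beginning with `-` would be read by rm as an option. A portable form that keeps one path per line is `print_outstanding_files_oot | while IFS= read -r f; do rm -f -- "$f"; done`. The same quoting is worth applying to the re-indented `$PERL ${srcdir}/testsock.pl -p "$PORT"` and the two `test -d ${srcdir}/../../../.git` checks, where `${srcdir}` is the only unquoted expansion on the line. This only affects the out-of-tree clean-up path, so the practical impact is limited to stray test artefacts surviving in the build tree.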
--- a/bin/tests/system/legacy/ns6/sign.sh +++ b/bin/tests/system/legacy/ns6/sign.sh @@ -22,9 +22,9 @@ infile=edns512.db.in zonefile=edns512.db outfile=edns512.db.signed -keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -g -o $zone -f $outfile -e +30y $zonefile >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh index c2153f9..82c6b7e 100755 --- a/bin/tests/system/legacy/ns7/sign.sh +++ b/bin/tests/system/legacy/ns7/sign.sh @@ -22,12 +22,12 @@ infile=edns512-notcp.db.in zonefile=edns512-notcp.db outfile=edns512-notcp.db.signed -keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -g -o $zone -f $outfile -e +30y $zonefile >/dev/null 2>signer.err || cat signer.err -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf cp trusted.conf ../ns1 diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh index 44d3b11..ddb950b 100755 --- a/bin/tests/system/legacy/tests.sh +++ b/bin/tests/system/legacy/tests.sh 
@@ -20,10 +20,10 @@ DIGOPTS="-p ${PORT} +tries=1 +time=2" # Check whether the SOA record for the name provided in $1 can be resolved by # ns1. Return 0 if resolution succeeds as expected; return 1 otherwise. resolution_succeeds() { - _ret=0 - $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n || _ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || _ret=1 - return $_ret + _ret=0 + $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA >dig.out.test$n || _ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null || _ret=1 + return $_ret } # Check whether the SOA record for the name provided in $1 can be resolved by @@ -32,16 +32,16 @@ resolution_succeeds() { # code of dig does not influence the result (the exit code for a SERVFAIL # response is 0 while the exit code for not getting a response at all is not 0). resolution_fails() { - _servfail=0 - _timeout=0 - $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} TXT > dig.out.test$n - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1 - grep -F "timed out" dig.out.test$n > /dev/null && _timeout=1 - if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then - return 0 - else - return 1 - fi + _servfail=0 + _timeout=0 + $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} TXT >dig.out.test$n + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null && _servfail=1 + grep -F "timed out" dig.out.test$n >/dev/null && _timeout=1 + if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then + return 0 + else + return 1 + fi } status=0 
@@ -50,12 +50,12 @@ n=0 n=$((n + 1)) echo_i "checking formerr edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1 -grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa >dig.out.1.test$n || ret=1 +grep "status: FORMERR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -69,12 +69,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking notimp edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1 -grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa >dig.out.1.test$n || ret=1 +grep "status: NOTIMP" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -88,12 +88,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking refused edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1 -grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa >dig.out.1.test$n || ret=1 +grep "status: REFUSED" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -107,18 +107,18 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking drop edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1 -grep "timed out" dig.out.1.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1 -grep "timed out" dig.out.4.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa >dig.out.1.test$n && ret=1 +grep "timed out" dig.out.1.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa >dig.out.4.test$n && ret=1 +grep "timed out" dig.out.4.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -132,14 +132,14 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking drop edns + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa > dig.out.1.test$n && ret=1 -grep "timed out" dig.out.1.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa >dig.out.1.test$n && ret=1 +grep "timed out" dig.out.1.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -153,12 +153,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking plain dns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.4 plain soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa > dig.out.2.test$n -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.4 plain soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa >dig.out.2.test$n +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -172,11 +172,11 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking plain dns + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
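Review bot: The TCP query in the "plain dns server setup" check, `$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa >dig.out.2.test$n`, is the only dig invocation in this hunk without a trailing `|| ret=1`, so a dig failure (timeout, unreachable server) is only detected indirectly by the grep on the empty output file and the log gives no hint of the cause. Every sibling query records the failure explicitly; for consistency the line should read `$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa >dig.out.2.test$n || ret=1`. The omission is pre-existing and the reformat leaves it in place, but since the line is touched anyway it seems like the right moment to fix it.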
@@ -190,19 +190,19 @@ n=$((n + 1)) echo_i "checking edns 512 server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.6 edns512 txt > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 txt > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 txt > dig.out.3.test$n && ret=1 -grep "timed out" dig.out.3.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 -grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.6 edns512 txt >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 txt >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 txt >dig.out.3.test$n && ret=1 +grep "timed out" dig.out.3.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n >/dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -216,18 +216,18 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking edns 512 + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa > dig.out.3.test$n && ret=1 -grep "timed out" dig.out.3.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 -grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa >dig.out.3.test$n && ret=1 +grep "timed out" dig.out.3.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n >/dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -243,8 +243,8 @@ echo_i "checking recursive lookup to edns 512 + no tcp server does not cause que ret=0 sent=$(grep -c -F "sending packet to 10.53.0.7" ns1/named.run) if [ $sent -ge 10 ]; then - echo_i "ns1 sent $sent queries to ns7, expected less than 10" - ret=1 + echo_i "ns1 sent $sent queries to ns7, expected less than 10" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -257,10 +257,10 @@ n=$((n + 1)) echo_i "checking recursive lookup to edns 512 + no tcp + trust anchor fails ($n)" # retry loop in case the server restart above causes transient failure for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - resolution_fails edns512-notcp. || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + resolution_fails edns512-notcp. || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/limits/tests.sh b/bin/tests/system/limits/tests.sh index f2cf0fb..92c470a 100644 --- a/bin/tests/system/limits/tests.sh +++ b/bin/tests/system/limits/tests.sh 
@@ -20,37 +20,37 @@ DIGOPTS="-p ${PORT}" status=0 echo_i "1000 A records" -$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a > dig.out.1000 || status=1 +$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a >dig.out.1000 || status=1 # $DIG $DIGOPTS 1000.example. @10.53.0.1 a > knowngood.dig.out.1000 digcomp knowngood.dig.out.1000 dig.out.1000 || status=1 echo_i "2000 A records" -$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a > dig.out.2000 || status=1 +$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a >dig.out.2000 || status=1 # $DIG $DIGOPTS 2000.example. @10.53.0.1 a > knowngood.dig.out.2000 digcomp knowngood.dig.out.2000 dig.out.2000 || status=1 echo_i "3000 A records" -$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a > dig.out.3000 || status=1 +$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a >dig.out.3000 || status=1 # $DIG $DIGOPTS 3000.example. @10.53.0.1 a > knowngood.dig.out.3000 digcomp knowngood.dig.out.3000 dig.out.3000 || status=1 echo_i "4000 A records" -$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a > dig.out.4000 || status=1 +$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a >dig.out.4000 || status=1 # $DIG $DIGOPTS 4000.example. @10.53.0.1 a > knowngood.dig.out.4000 digcomp knowngood.dig.out.4000 dig.out.4000 || status=1 echo_i "exactly maximum rrset" -$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a > dig.out.a-maximum-rrset \ - || status=1 +$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a >dig.out.a-maximum-rrset \ + || status=1 # $DIG $DIGOPTS a-maximum-rrset.example. @10.53.0.1 a > knowngood.dig.out.a-maximum-rrset digcomp knowngood.dig.out.a-maximum-rrset dig.out.a-maximum-rrset || status=1 echo_i "exceed maximum rrset (5000 A records)" -$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a > dig.out.exceed || status=1 +$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a >dig.out.exceed || status=1 # Look for truncation bit (tc). 
-grep 'flags: .*tc.*;' dig.out.exceed > /dev/null || { - echo_i "TC bit was not set" - status=1 +grep 'flags: .*tc.*;' dig.out.exceed >/dev/null || { + echo_i "TC bit was not set" + status=1 } echo_i "exit status: $status" diff --git a/bin/tests/system/logfileconfig/named1.args b/bin/tests/system/logfileconfig/named1.args index 764d4c9..f35563b 100644 --- a/bin/tests/system/logfileconfig/named1.args +++ b/bin/tests/system/logfileconfig/named1.args @@ -1 +1 @@ --c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 +-c named.conf -m record -T nosyslog -f -d 99 -D logfileconfig-ns1 -X named.lock -U 4 diff --git a/bin/tests/system/logfileconfig/named2.args b/bin/tests/system/logfileconfig/named2.args index fb9fe57..ddae5a4 100644 --- a/bin/tests/system/logfileconfig/named2.args +++ b/bin/tests/system/logfileconfig/named2.args @@ -1 +1 @@ --c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog +-c named.conf -m record -T nosyslog -f -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog diff --git a/bin/tests/system/logfileconfig/tests.sh b/bin/tests/system/logfileconfig/tests.sh index d12fd06..f5c9b45 100644 --- a/bin/tests/system/logfileconfig/tests.sh +++ b/bin/tests/system/logfileconfig/tests.sh 
@@ -19,72 +19,72 @@ set -e # filesystem-dependent conditions in order to prevent false negatives caused by # directory contents not being synchronized immediately after rename() returns. test_with_retry() { - if test "$@"; then - sleep 1 - if test "$@"; then - return 0 - fi - fi - return 1 + if test "$@"; then + sleep 1 + if test "$@"; then + return 0 + fi + fi + return 1 } status=0 n=0 # First run with a known good config. -n=$((n+1)) +n=$((n + 1)) echo_i "testing log file validity (only plain files allowed) ($n)" ret=0 -cat /dev/null > ns1/named_log +cat /dev/null >ns1/named_log copy_setports ns1/named.plainconf.in ns1/named.conf -nextpart ns1/named.run > /dev/null -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +nextpart ns1/named.run >/dev/null +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try directory, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing directory as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null copy_setports ns1/named.dirconf.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try pipe file, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing pipe file as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null rm -f ns1/named_pipe if mkfifo ns1/named_pipe >/dev/null 2>&1; then - copy_setports ns1/named.pipeconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + 
copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=$((n+1)) +n=$((n + 1)) echo_i "testing symlink to plain file as log file ($n)" ret=0 rm -f ns1/named_log ns1/named_sym touch ns1/named_log if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then - nextpart ns1/named.run > /dev/null - copy_setports ns1/named.symconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + nextpart ns1/named.run >/dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping symlink test (unable to create symlink)" + echo_i "skipping symlink test (unable to create symlink)" fi echo_i "repeat previous tests without named -g" 
@@ -93,89 +93,89 @@ stop_server --use-rndc --port ${CONTROLPORT} ns1 cp named1.args ns1/named.args start_server --noclean --restart --port ${PORT} ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "testing log file validity (only plain files allowed) ($n)" ret=0 -cat /dev/null > ns1/named_log +cat /dev/null >ns1/named_log copy_setports ns1/named.plainconf.in ns1/named.conf -nextpart ns1/named.run > /dev/null -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +nextpart ns1/named.run >/dev/null +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try directory, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing directory as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null copy_setports ns1/named.dirconf.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try pipe file, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing pipe file as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null rm -f ns1/named_pipe if mkfifo ns1/named_pipe >/dev/null 2>&1; then - copy_setports ns1/named.pipeconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i 
"skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=$((n+1)) +n=$((n + 1)) echo_i "testing symlink to plain file as log file ($n)" ret=0 rm -f ns1/named_log ns1/named_sym touch ns1/named_log if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then - nextpart ns1/named.run > /dev/null - copy_setports ns1/named.symconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + nextpart ns1/named.run >/dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping symlink test (unable to create symlink)" + echo_i "skipping symlink test (unable to create symlink)" fi echo_i "testing logging functionality" -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing iso8601 timestamp ($n)" copy_setports ns1/named.iso8601.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +grep '^....-..-..T..:..:..\.... 
' ns1/named_iso8601 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing iso8601-utc timestamp ($n)" ret=0 copy_setports ns1/named.iso8601-utc.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing explicit versions ($n)" ret=0 copy_setports ns1/named.versconf.in ns1/named.conf # a seconds since epoch version number touch ns1/named_vers.1480039317 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 # we are configured to retain five logfiles (a current file # and 4 backups). so files with version number 5 or higher # should be removed. @@ -183,9 +183,9 @@ test_with_retry -f ns1/named_vers.1480039317 && ret=1 test_with_retry -f ns1/named_vers.5 && ret=1 test_with_retry -f ns1/named_vers.4 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing timestamped versions ($n)" ret=0 copy_setports ns1/named.tsconf.in ns1/named.conf 
@@ -193,94 +193,90 @@ copy_setports ns1/named.tsconf.in ns1/named.conf touch ns1/named_ts.1480039317 # a timestamp version number touch ns1/named_ts.20150101120000120 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - # we are configured to keep three versions, so the oldest - # timestamped versions should be gone, and there should - # be two or three backup ones. - [ -f ns1/named_ts.1480039317 ] && return 1 - [ -f ns1/named_ts.20150101120000120 ] && return 1 - set -- ns1/named_ts.* - [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 + # we are configured to keep three versions, so the oldest + # timestamped versions should be gone, and there should + # be two or three backup ones. + [ -f ns1/named_ts.1480039317 ] && return 1 + [ -f ns1/named_ts.20150101120000120 ] && return 1 + set -- ns1/named_ts.* + [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incremented versions ($n)" ret=0 copy_setports ns1/named.incconf.in ns1/named.conf try=0 -while test $try -lt 12 -do - touch ns1/named_inc.$try - try=$((try + 1)) +while test $try -lt 12; do + touch ns1/named_inc.$try + try=$((try + 1)) done -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - try=1 - while test $try -lt 12 - do - [ -f ns1/named_inc.$try ] && return 
1 - try=$((try + 1)) - done - set -- ns1/named_inc.* - [ "$#" -eq 1 ] || return 1 + try=1 + while test $try -lt 12; do + [ -f ns1/named_inc.$try ] && return 1 + try=$((try + 1)) + done + set -- ns1/named_inc.* + [ "$#" -eq 1 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing absolute file path versions ($n)" ret=0 copy_setports ns1/named.abspathconf.in ns1/named.conf try=0 -while test $try -lt 12 -do - touch $TMPDIR/example.log.$try - try=$((try + 1)) +while test $try -lt 12; do + touch $TMPDIR/example.log.$try + try=$((try + 1)) done -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - try=1 - while test $try -lt 12 - do - [ -f $TMPDIR/example.log.$try ] && return 1 - try=$((try + 1)) - done - set -- $TMPDIR/example.log.* - [ "$#" -eq 1 ] || return 1 + try=1 + while test $try -lt 12; do + [ -f $TMPDIR/example.log.$try ] && return 1 + try=$((try + 1)) + done + set -- $TMPDIR/example.log.* + [ "$#" -eq 1 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing unlimited versions ($n)" ret=0 copy_setports ns1/named.unlimited.in ns1/named.conf # a seconds since epoch version number touch ns1/named_unlimited.1480039317 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n +grep "status: 
NOERROR" dig.out.test$n >/dev/null || ret=1 test_with_retry -f ns1/named_unlimited.1480039317 || ret=1 test_with_retry -f ns1/named_unlimited.4 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing default logfile using named -L file ($n)" ret=0 stop_server ns1 @@ -291,7 +287,7 @@ copy_setports ns1/named.plainconf.in ns1/named.conf start_server --noclean --restart --port ${PORT} ns1 [ -f "ns1/named_deflog" ] || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/masterfile/ns2/named.conf.in b/bin/tests/system/masterfile/ns2/named.conf.in index 1f4ef91..2a84f86 100644 --- a/bin/tests/system/masterfile/ns2/named.conf.in +++ b/bin/tests/system/masterfile/ns2/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/masterfile/tests.sh b/bin/tests/system/masterfile/tests.sh index 5755088..b625376 100644 --- a/bin/tests/system/masterfile/tests.sh +++ b/bin/tests/system/masterfile/tests.sh 
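Review bot: Each `_found2` helper is declared with a subshell body, `_found2() ( ... )`, so the line `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1` assigns `ret` inside the subshell and the value is thrown away when the function returns; a failing version.bind query therefore never fails the test, only the file-existence checks that follow it do. Report it through the function's exit status instead: `grep "status: NOERROR" dig.out.test$n >/dev/null || return 1`. The same pattern is repeated in the timestamped, incremented and absolute-path variants, so all three need the change. While here, `[ "$#" -eq 2 -o "$#" -eq 3 ]` uses the deprecated `-o` test operator and could be written `{ [ "$#" -eq 2 ] || [ "$#" -eq 3 ]; }`.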
@@ -38,23 +38,23 @@ status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test that the nameserver is running with a missing master file ($n)" -$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 > dig.out.$n -grep SOA dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 >dig.out.$n +grep SOA dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test that the nameserver returns SERVFAIL for a missing master file ($n)" -$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 > dig.out.$n -grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 >dig.out.$n +grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test owner inheritance after "'$INCLUDE'" ($n)" -$CHECKZONE -Dq example zone/inheritownerafterinclude.db > checkzone.out$n +$CHECKZONE -Dq example zone/inheritownerafterinclude.db >checkzone.out$n diff checkzone.out$n zone/inheritownerafterinclude.good || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 0c2e7fb..9ea1740 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh 
@@ -15,20 +15,20 @@ . ../../conf.sh $CHECKZONE -D -F raw -o example.db.raw example \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o ../ns3/example.db.raw example \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o ../ns3/dynamic.db.raw dynamic \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw=1 -o example.db.raw1 example-explicit \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ - example.db > /dev/null 2>&1 -$CHECKZONE -D -F raw -o large.db.raw large large.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o large.db.raw large large.db >/dev/null 2>&1 -$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1 -$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1 -$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null -$CHECKZONE -D -F raw -o signed.db.raw signed signed.db.signed > /dev/null 2>&1 +$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed >/dev/null 2>&1 +$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed >/dev/null 2>&1 +$SIGNER -S -f signed.db.signed -o signed signed.db >/dev/null +$CHECKZONE -D -F raw -o signed.db.raw signed signed.db.signed >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index d5fe367..c2bc0f6 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -27,5 +27,5 @@ awk 'END { for (i = 0; i < 512; i++ ) { print "a TXT", i; } for (i = 0; i < 1024; i++ ) { print "b TXT", i; } for (i = 0; i < 2000; i++ ) { print "c TXT", i; } -}' < /dev/null >> ns1/large.db +}' >ns1/large.db cd ns1 && $SHELL compile.sh 
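Review bot: The rewritten redirection in the setup.sh hunk, `}' >ns1/large.db`, silently changes two behaviours of the old `}' < /dev/null >> ns1/large.db`, and the commit message does not explain either. An `awk 'END { … }'` program with no file operand reads standard input to EOF before its END block runs, so dropping `</dev/null` makes setup.sh depend on the harness handing it an empty or closed stdin; on a terminal or a non-empty pipe it would block or consume that stream. Switching `>>` to `>` also truncates instead of appending, so if a line earlier in setup.sh (outside this hunk) seeds ns1/large.db with the zone apex records, they are discarded and the `$CHECKZONE … large large.db` call in compile.sh would load a zone without an SOA — worth confirming where the apex now comes from. If the truncation is intended, `}' </dev/null >ns1/large.db` keeps the stdin guard at no cost.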
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index da9ec87..feb2a75 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -19,36 +19,36 @@ set -e status=0 n=1 -israw () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +israw() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); - exit 1 if ($style != 2 || $version > 1);' < "$1" || return $? + exit 1 if ($style != 2 || $version > 1);' <"$1" || return $? } -isfull () { - # there should be no whitespace at the beginning of a line - if grep '^[ ][ ]*' "$1" > /dev/null 2>&1; then - return 1 - else - return 0 - fi +isfull() { + # there should be no whitespace at the beginning of a line + if grep '^[ ][ ]*' "$1" >/dev/null 2>&1; then + return 1 + else + return 0 + fi } -rawversion () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +rawversion() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 8); if (length($input) < 8) { print "not raw\n"; exit 0; }; ($style, $version) = unpack("NN", $input); print ($style == 2 || $style == 3 ? "$version\n" : - "not raw\n");' < "$1" + "not raw\n");' <"$1" } -sourceserial () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +sourceserial() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 20); if (length($input) < 20) { print "UNSET\n"; exit; }; ($format, $version, $dumptime, $flags, $sourceserial) = @@ -58,12 +58,12 @@ sourceserial () { print $sourceserial . "\n"; } else { print "UNSET\n"; - }' < "$1" + }' <"$1" } -stomp () { - # shellcheck disable=SC2016 - $PERL -e 'open(my $file, "+<", $ARGV[0]); +stomp() { + # shellcheck disable=SC2016 + $PERL -e 'open(my $file, "+<", $ARGV[0]); binmode $file; seek($file, $ARGV[1], 0); for (my $i = 0; $i < $ARGV[2]; $i++) { 
@@ -72,17 +72,17 @@ stomp () { close($file);' "$@" } -restart () { - sleep 1 - start_server --noclean --restart --port "${PORT}" ns3 +restart() { + sleep 1 + start_server --noclean --restart --port "${PORT}" ns3 } dig_with_opts() { - "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" + "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" } status=0 
@@ -91,27 +91,27 @@ echo_i "checking that files in raw format loaded ($n)" ret=0 set -- 1 2 3 for zone in example example-explicit example-compat; do - for server in "$@"; do - for qname in ns mx a aaaa cname dname txt rrsig nsec \ - dnskey ds cdnskey cds; do - qtype="$qname" - dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} - echo - done > dig.out.${zone}.${server}.test${n} - for qname in private-dnskey private-cdnskey; do - qtype=$(expr "$qname" : '.*-\(.*\)') - dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} - done >> dig.out.${zone}.${server}.test${n} - done - digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1 - if [ "$zone" = "example" ]; then - set -- 1 2 - digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1 - fi + for server in "$@"; do + for qname in ns mx a aaaa cname dname txt rrsig nsec \ + dnskey ds cdnskey cds; do + qtype="$qname" + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} + echo + done >dig.out.${zone}.${server}.test${n} + for qname in private-dnskey private-cdnskey; do + qtype=$(expr "$qname" : '.*-\(.*\)') + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} + done >>dig.out.${zone}.${server}.test${n} + done + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1 + if [ "$zone" = "example" ]; then + set -- 1 2 + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1 + fi done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format versions ($n)" ret=0 
@@ -121,158 +121,157 @@ israw ns1/example.db.compat || ret=1 [ "$(rawversion ns1/example.db.raw)" -eq 1 ] || ret=1 [ "$(rawversion ns1/example.db.raw1)" -eq 1 ] || ret=1 [ "$(rawversion ns1/example.db.compat)" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking source serial numbers ($n)" ret=0 [ "$(sourceserial ns1/example.db.raw)" = "UNSET" ] || ret=1 [ "$(sourceserial ns1/example.db.serial.raw)" = "3333" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "waiting for transfers to complete" -for i in 0 1 2 3 4 5 6 7 8 9 -do - test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break + sleep 1 done echo_i "checking that secondary was saved in raw format by default ($n)" ret=0 israw ns2/transfer.db.raw || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary was saved in text format when configured ($n)" ret=0 israw ns2/transfer.db.txt && ret=1 isfull ns2/transfer.db.txt && ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary was saved in 'full' style when configured ($n)" ret=0 -isfull ns2/transfer.db.full > /dev/null 2>&1 || ret=1 -n=$((n+1)) +isfull ns2/transfer.db.full >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary formerly in text format is now raw ($n)" -for i in 0 1 2 3 4 5 6 7 8 9 -do - ret=0 - israw ns2/formerly-text.db > /dev/null 2>&1 || ret=1 - [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + israw 
ns2/formerly-text.db >/dev/null 2>&1 || ret=1 + [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that large rdatasets loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9 -do -ret=0 -for a in a b c -do - $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" > "dig.out.ns2.test$n" - grep "status: NOERROR" "dig.out.ns2.test$n" > /dev/null || ret=1 -done -[ $ret -eq 0 ] && break -sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c; do + $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" + grep "status: NOERROR" "dig.out.ns2.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking format transitions: text->raw->text ($n)" ret=0 -$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db > /dev/null -$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt > /dev/null -$CHECKZONE -D -f raw -F text -o text.1 example.nil raw.1 > /dev/null +$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db >/dev/null +$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt >/dev/null +$CHECKZONE -D -f raw -F text -o text.1 example.nil raw.1 >/dev/null cmp -s baseline.txt text.1 || ret=0 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format loading with journal file rollforward ($n)" ret=0 -$NSUPDATE < /dev/null || status=1 +$NSUPDATE </dev/null || status=1 server 10.53.0.3 ${PORT} ttl 600 update add newtext.dynamic IN TXT "added text" update delete aaaa.dynamic send END -dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic1.ns3.test$n" -grep "added text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 
-dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic2.ns3.test$n" -grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || ret=1 +dig_with_opts @10.53.0.3 newtext.dynamic txt >"dig.out.dynamic1.ns3.test$n" +grep "added text" "dig.out.dynamic1.ns3.test$n" >/dev/null 2>&1 || ret=1 +dig_with_opts +comm @10.53.0.3 added.dynamic txt >"dig.out.dynamic2.ns3.test$n" +grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" >/dev/null 2>&1 || ret=1 # using "rndc halt" ensures that we don't dump the zone file stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 restart check_added_text() { - dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n" || return 1 - grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null || return 1 - return 0 + dig_with_opts @10.53.0.3 newtext.dynamic txt >"dig.out.dynamic3.ns3.test$n" || return 1 + grep "added text" "dig.out.dynamic3.ns3.test$n" >/dev/null || return 1 + return 0 } retry_quiet 10 check_added_text || ret=1 -dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic4.ns3.test$n" -grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" > /dev/null 2>&1 || ret=1 -n=$((n+1)) +dig_with_opts +comm @10.53.0.3 added.dynamic txt >"dig.out.dynamic4.ns3.test$n" +grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format file dumps correctly ($n)" ret=0 -$NSUPDATE < /dev/null || status=1 +$NSUPDATE </dev/null || status=1 server 10.53.0.3 ${PORT} ttl 600 update add moretext.dynamic IN TXT "more text" send END -dig_with_opts @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic1.ns3.test$n" -grep "more text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 +dig_with_opts @10.53.0.3 moretext.dynamic txt >"dig.out.dynamic1.ns3.test$n" +grep "more text" "dig.out.dynamic1.ns3.test$n" >/dev/null 2>&1 || ret=1 # using "rndc stop" will cause the zone file to flush before 
shutdown stop_server --use-rndc --port ${CONTROLPORT} ns3 rm ns3/*.jnl restart #shellcheck disable=SC2034 for i in 0 1 2 3 4 5 6 7 8 9; do - lret=0 - dig_with_opts +comm @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic2.ns3.test$n" - grep "more text" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || lret=1 - [ $lret -eq 0 ] && break; + lret=0 + dig_with_opts +comm @10.53.0.3 moretext.dynamic txt >"dig.out.dynamic2.ns3.test$n" + grep "more text" "dig.out.dynamic2.ns3.test$n" >/dev/null 2>&1 || lret=1 + [ $lret -eq 0 ] && break done [ $lret -eq 1 ] && ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format zone is scheduled for resigning (compilezone) ($n)" ret=0 -rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 -grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 -n=$((n+1)) +rndccmd 10.53.0.1 zonestatus signed >rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format zone is scheduled for resigning (signzone) ($n)" ret=0 -rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1 -(cd ns1 || exit 1; $SIGNER -S -O raw -f signed.db.raw -o signed signed.db > /dev/null) +rndccmd 10.53.0.1 freeze signed >rndc.out 2>&1 || ret=1 +( + cd ns1 || exit 1 + $SIGNER -S -O raw -f signed.db.raw -o signed signed.db >/dev/null +) rndc_reload ns1 10.53.0.1 signed -rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 -grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 -n=$((n+1)) +rndccmd 10.53.0.1 zonestatus signed >rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
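Review bot: The text->raw->text round-trip check in this hunk can never fail: the context line `cmp -s baseline.txt text.1 || ret=0` assigns 0 on mismatch, so `ret` stays 0 whatever cmp returns; it should read `cmp -s baseline.txt text.1 || ret=1`. In the same hunk the two `$NSUPDATE … || status=1` lines bump the global status directly instead of `ret`, so a failed update is counted without the `echo_i "failed"` line for that test ever firing; `|| ret=1` would match the rest of the file. The nsupdate input that follows (`server 10.53.0.3 ${PORT}` … `END`) reads as a here-document whose `<<END` operator did not survive this rendering, so the exact redirection on those lines cannot be verified from here.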
diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh index 2d4e7cb..3998a09 100644 --- a/bin/tests/system/metadata/setup.sh +++ b/bin/tests/system/metadata/setup.sh @@ -20,41 +20,40 @@ echo_i "generating keys" # active zsk zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone) -echo $zsk > zsk.key +echo $zsk >zsk.key # not yet published or active pending=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone) -echo $pending > pending.key +echo $pending >pending.key # published but not active standby=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone) -echo $standby > standby.key +echo $standby >standby.key # inactive inact=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone) -echo $inact > inact.key +echo $inact >inact.key # active ksk ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -echo $ksk > ksk.key +echo $ksk >ksk.key # published but not YET active; will be active in 15 seconds rolling=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -$SETTIME -A now+15s $rolling > /dev/null -echo $rolling > rolling.key +$SETTIME -A now+15s $rolling >/dev/null +echo $rolling >rolling.key # revoked revoke1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -echo $revoke1 > prerev.key +echo $revoke1 >prerev.key revoke2=$($REVOKE $revoke1) -echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key +echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" >postrev.key pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone) -echo $pzsk > parent.zsk.key +echo $pzsk >parent.zsk.key pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) -echo $pksk > parent.ksk.key +echo $pksk >parent.ksk.key oldstyle=$($KEYGEN -Cq -a ${DEFAULT_ALGORITHM} $pzone) -echo $oldstyle > oldstyle.key - +echo $oldstyle >oldstyle.key diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index 3a91bb7..e945f88 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh 
@@ -21,7 +21,7 @@ status=0 n=1 echo_i "setting key timers" -$SETTIME -A now+15s $(cat rolling.key) > /dev/null +$SETTIME -A now+15s $(cat rolling.key) >/dev/null inact=$(keyfile_to_key_id "$(cat inact.key)") ksk=$(keyfile_to_key_id "$(cat ksk.key)") @@ -33,8 +33,8 @@ standby=$(keyfile_to_key_id "$(cat standby.key)") zsk=$(keyfile_to_key_id "$(cat zsk.key)") echo_i "signing zones" -$SIGNER -Sg -o $czone $cfile > /dev/null -$SIGNER -Sg -o $pzone $pfile > /dev/null +$SIGNER -Sg -o $czone $cfile >/dev/null +$SIGNER -Sg -o $pzone $pfile >/dev/null awk '$2 ~ /RRSIG/ { type = $3; @@ -43,7 +43,7 @@ awk '$2 ~ /RRSIG/ { if ($4 ~ /'${czone}'/) { print type, id } -}' < ${cfile}.signed > sigs +}' <${cfile}.signed >sigs awk '$2 ~ /DNSKEY/ { flags = $3; 
@@ -51,65 +51,65 @@ awk '$2 ~ /DNSKEY/ { getline; id = $NF; print flags, id; -}' < ${cfile}.signed > keys +}' <${cfile}.signed >keys echo_i "checking that KSK signed DNSKEY only ($n)" ret=0 -grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1 -grep "SOA $ksk"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $ksk"'$' sigs >/dev/null || ret=1 +grep "SOA $ksk"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that ZSK signed ($n)" ret=0 -grep "SOA $zsk"'$' sigs > /dev/null || ret=1 +grep "SOA $zsk"'$' sigs >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that standby ZSK did not sign ($n)" ret=0 -grep " $standby"'$' sigs > /dev/null && ret=1 +grep " $standby"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that inactive key did not sign ($n)" ret=0 -grep " $inact"'$' sigs > /dev/null && ret=1 +grep " $inact"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that pending key was not published ($n)" ret=0 -grep " $pending"'$' keys > /dev/null && ret=1 +grep " $pending"'$' keys >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that standby KSK did not sign but is delegated ($n)" ret=0 -grep " $rolling"'$' sigs > /dev/null && ret=1 -grep " $rolling"'$' keys > /dev/null || ret=1 -grep -E "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1 +grep " $rolling"'$' sigs >/dev/null && ret=1 +grep " $rolling"'$' keys >/dev/null || ret=1 +grep -E "DS[ ]*$rolling[ ]" ${pfile}.signed >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that key was revoked ($n)" ret=0 -grep " $prerev"'$' keys > /dev/null && ret=1 -grep " $postrev"'$' keys > /dev/null || ret=1 +grep 
" $prerev"'$' keys >/dev/null && ret=1 +grep " $postrev"'$' keys >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that revoked key self-signed ($n)" ret=0 -grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1 -grep "SOA $postrev"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $postrev"'$' sigs >/dev/null || ret=1 +grep "SOA $postrev"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -118,11 +118,11 @@ echo_i "waiting 20 seconds for key changes to occur" sleep 20 echo_i "re-signing zone" -$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed >/dev/null echo_i "checking that standby KSK is now active ($n)" ret=0 -grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $rolling"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -130,10 +130,10 @@ status=$((status + ret)) echo_i "checking update of an old-style key ($n)" ret=0 # printing metadata should not work with an old-style key -$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 && ret=1 -$SETTIME -f $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +$SETTIME -pall $(cat oldstyle.key) >/dev/null 2>&1 && ret=1 +$SETTIME -f $(cat oldstyle.key) >/dev/null 2>&1 || ret=1 # but now it should -$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +$SETTIME -pall $(cat oldstyle.key) >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
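Review bot: The "checking that standby KSK is now active" test in the `@@ -118,11` hunk never looks at the re-signed zone: `grep "DNSKEY $rolling"'$' sigs >/dev/null && ret=1` reads `sigs`, which was extracted from `${cfile}.signed` before the 20-second sleep (the awk at old line 43 of this file) and is never regenerated from `${cfile}.new`, and the `&& ret=1` asserts the rolling key's DNSKEY signature is absent, the opposite of what the message claims. The test therefore passes whether or not the key activated. Re-run the same RRSIG-extracting awk against `${cfile}.new` into a fresh file (say `sigs.new`) after the re-signing step, and assert presence instead: `grep "DNSKEY $rolling"'$' sigs.new >/dev/null || ret=1`.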
@@ -142,10 +142,10 @@ echo_i "checking warning about permissions change on key with dnssec-settime ($n ret=0 # settime should print a warning about changing the permissions chmod 644 $(cat oldstyle.key).private -$SETTIME -P none $(cat oldstyle.key) > settime1.test$n 2>&1 || ret=1 -grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1 -$SETTIME -P none $(cat oldstyle.key) > settime2.test$n 2>&1 || ret=1 -grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1 +$SETTIME -P none $(cat oldstyle.key) >settime1.test$n 2>&1 || ret=1 +grep "warning: Permissions on the file.*have changed" settime1.test$n >/dev/null 2>&1 || ret=1 +$SETTIME -P none $(cat oldstyle.key) >settime2.test$n 2>&1 || ret=1 +grep "warning: Permissions on the file.*have changed" settime2.test$n >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -153,17 +153,17 @@ status=$((status + ret)) echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)" ret=0 # settime should print a warning about delete < inactive -$SETTIME -I now+15s -D now $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +$SETTIME -I now+15s -D now $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)" ret=0 -$SETTIME -D none $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -$SETTIME -p all $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 && ret=1 +$SETTIME -D none $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +$SETTIME -p all $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -171,8 +171,8 @@ status=$((status + ret)) echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)" ret=0 # keygen should print a warning about delete < inactive -$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -198,9 +198,9 @@ echo_i "checking calculation of dates for a successor key ($n)" ret=0 oldkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) newkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) -$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1 -$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1 -$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1 +$SETTIME -A -2d -I +2d $oldkey >settime1.test$n 2>&1 || ret=1 +$SETTIME -i 1d -S $oldkey $newkey >settime2.test$n 2>&1 || ret=1 +$SETTIME -pA $newkey | grep "1970" >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -209,14 +209,14 @@ key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone) echo_i "checking -p output time is accepted ($n)" t=$($SETTIME -pA $key | sed 's/.*: //') -$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Psync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking -up output time is accepted ($n)" t=$($SETTIME -upA $key | sed 's/.*: //') -$SETTIME -Dsync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Dsync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -224,7 +224,7 @@ status=$((status + ret)) echo_i "checking -p unset time is accepted ($n)" # The Delete timing metadata is unset. t=$($SETTIME -pD $key | sed 's/.*: //') -$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Psync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/mirror/ns1/sign.sh b/bin/tests/system/mirror/ns1/sign.sh index ab613d5..4337500 100644 --- a/bin/tests/system/mirror/ns1/sign.sh +++ b/bin/tests/system/mirror/ns1/sign.sh @@ -13,7 +13,7 @@ . ../../conf.sh -( cd ../ns2 && $SHELL -e sign.sh ) +(cd ../ns2 && $SHELL -e sign.sh) cp ../ns2/dsset-* . 
@@ -21,17 +21,17 @@ zone=. infile=root.db.in zonefile=root.db -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) -keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) +keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Add a trust anchor for a name whose non-existence can be securely proved # without recursing when the root zone is mirrored. This will exercise code # attempting to send TAT queries for such names (in ns3). Key data is # irrelevant here, so just reuse the root zone key generated above. -sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key +sed "s/^\./nonexistent./;" $keyname1.key >$keyname1.modified.key -keyfile_to_static_ds $keyname1 $keyname1.modified > trusted.conf +keyfile_to_static_ds $keyname1 $keyname1.modified >trusted.conf diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh index 519fd83..2cd449b 100644 --- a/bin/tests/system/mirror/ns2/sign.sh +++ b/bin/tests/system/mirror/ns2/sign.sh 
@@ -16,16 +16,16 @@ keys_to_trust="" for zonename in sub.example example initially-unavailable; do - zone=$zonename - infile=$zonename.db.in - zonefile=$zonename.db + zone=$zonename + infile=$zonename.db.in + zonefile=$zonename.db - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) - cat $infile $keyname1.key $keyname2.key > $zonefile + cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -P -g -o $zone $zonefile > /dev/null + $SIGNER -P -g -o $zone $zonefile >/dev/null done # Only add the key for "initially-unavailable" to the list of keys trusted by @@ -39,9 +39,9 @@ zone=verify-csk infile=verify.db.in zonefile=verify-csk.db -keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) -cat $infile $keyname.key > $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) +cat $infile $keyname.key >$zonefile +$SIGNER -P -o $zone $zonefile >/dev/null keys_to_trust="$keys_to_trust $keyname" # Prepare remaining zones used in the test. 
@@ -50,30 +50,30 @@ UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1)) UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2)) for variant in addzone axfr ixfr load reconfig untrusted; do - zone=verify-$variant - infile=verify.db.in - zonefile=verify-$variant.db - - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) - - cat $infile $keyname1.key $keyname2.key > $zonefile - - # Prepare a properly signed version of the zone ("*.original.signed"). - $SIGNER -P -o $zone $zonefile > /dev/null - cp $zonefile.signed $zonefile.original.signed - # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed - # Prepare another properly signed version of the zone ("*.good.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good - $SIGNER -P -o $zone $zonefile.good > /dev/null - rm -f $zonefile.good - - # Except for the "verify-untrusted" zone, declare the KSK used for - # signing the zone to be a trust anchor for ns3. - if [ "$variant" != "untrusted" ]; then - keys_to_trust="$keys_to_trust $keyname1" - fi + zone=verify-$variant + infile=verify.db.in + zonefile=verify-$variant.db + + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) + + cat $infile $keyname1.key $keyname2.key >$zonefile + + # Prepare a properly signed version of the zone ("*.original.signed"). + $SIGNER -P -o $zone $zonefile >/dev/null + cp $zonefile.signed $zonefile.original.signed + # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). + sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed >$zonefile.bad.signed + # Prepare another properly signed version of the zone ("*.good.signed"). 
+ sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile >$zonefile.good + $SIGNER -P -o $zone $zonefile.good >/dev/null + rm -f $zonefile.good + + # Except for the "verify-untrusted" zone, declare the KSK used for + # signing the zone to be a trust anchor for ns3. + if [ "$variant" != "untrusted" ]; then + keys_to_trust="$keys_to_trust $keyname1" + fi done -keyfile_to_static_ds $keys_to_trust > trusted-mirror.conf +keyfile_to_static_ds $keys_to_trust >trusted-mirror.conf diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index b644f45..edbfed8 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in @@ -37,7 +37,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "." { diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh index b80e797..21d1093 100644 --- a/bin/tests/system/mirror/setup.sh +++ b/bin/tests/system/mirror/setup.sh @@ -19,7 +19,7 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -( cd ns1 && $SHELL -e sign.sh ) +(cd ns1 && $SHELL -e sign.sh) -cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed -cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror +cat ns2/verify-axfr.db.bad.signed >ns2/verify-axfr.db.signed +cat ns2/verify-load.db.bad.signed >ns3/verify-load.db.mirror diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index dc6cffa..78c884e 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh 
@@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # Wait until the transfer of the given zone to ns3 either completes # successfully or is aborted by a verification failure or a REFUSED response 
@@ -25,47 +25,47 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
 # end with the "IXFR failed" status, which is followed by an AXFR retry and
 # this test needs to check what the result of the latter transfer attempt is.
 wait_for_transfer() {
- zone=$1
- for i in 1 2 3 4 5 6 7 8 9 10; do
- # Wait until a "freeing transfer context" message is logged
- # after one of the transfer results we are looking for is
- # logged. This is needed to prevent races when checking for
- # "mirror zone is now in use" messages.
- nextpartpeek ns3/named.run | \
- awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \
- grep "'$zone/IN'.*freeing transfer context" > /dev/null && return
- sleep 1
- done
- echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run"
- ret=1
+ zone=$1
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ # Wait until a "freeing transfer context" message is logged
+ # after one of the transfer results we are looking for is
+ # logged. This is needed to prevent races when checking for
+ # "mirror zone is now in use" messages.
+ nextpartpeek ns3/named.run \
+ | awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" \
+ | grep "'$zone/IN'.*freeing transfer context" >/dev/null && return
+ sleep 1
+ done
+ echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run"
+ ret=1
 }
 # Wait until loading the given zone on the given server either completes
 # successfully for the specified serial number or fails.
 wait_for_load() {
- zone=$1
- serial=$2
- log=$3
- for i in 1 2 3 4 5 6 7 8 9 10; do
- # Wait until a "zone_postload: (...): done" message is logged
- # after one of the loading-related messages we are looking for
- # is logged. This is needed to prevent races when checking for
- # "mirror zone is now in use" messages.
- nextpartpeek $log | \
- awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \
- grep "zone_postload: zone $zone/IN: done" > /dev/null && return
- sleep 1
- done
- echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log"
- ret=1
+ zone=$1
+ serial=$2
+ log=$3
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ # Wait until a "zone_postload: (...): done" message is logged
+ # after one of the loading-related messages we are looking for
+ # is logged. This is needed to prevent races when checking for
+ # "mirror zone is now in use" messages.
+ nextpartpeek $log \
+ | awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" \
+ | grep "zone_postload: zone $zone/IN: done" >/dev/null && return
+ sleep 1
+ done
+ echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log"
+ ret=1
 }
 # Trigger a reload of ns2 and wait until loading the given zone completes.
 reload_zone() {
- zone=$1
- serial=$2
- rndc_reload ns2 10.53.0.2
- wait_for_load $zone $serial ns2/named.run
+ zone=$1
+ serial=$2
+ rndc_reload ns2 10.53.0.2
+ wait_for_load $zone $serial ns2/named.run
 }
 status=0
@@ -79,11 +79,11 @@ n=$((n + 1))
 echo_i "checking that an unsigned mirror zone is rejected ($n)"
 ret=0
 wait_for_transfer verify-unsigned
-$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -92,11 +92,11 @@ echo_i "checking that a mirror zone signed using an untrusted key is rejected ($
 ret=0
 nextpartreset ns3/named.run
 wait_for_transfer verify-untrusted
-$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -105,10 +105,10 @@ echo_i "checking that a mirror zone signed using a CSK without the SEP bit set i
 ret=0
 nextpartreset ns3/named.run
 wait_for_transfer verify-csk
-$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -117,26 +117,26 @@ echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected (
 ret=0
 nextpartreset ns3/named.run
 wait_for_transfer verify-axfr
-$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)"
 ret=0
-nextpart ns3/named.run > /dev/null
-cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed
+nextpart ns3/named.run >/dev/null
+cat ns2/verify-axfr.db.good.signed >ns2/verify-axfr.db.signed
 reload_zone verify-axfr ${UPDATED_SERIAL_GOOD}
-$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 retransfer verify-axfr >/dev/null 2>&1
 wait_for_transfer verify-axfr
-$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -147,59 +147,59 @@ ret=0
 wait_for_transfer verify-ixfr
 # Sanity check: the initial, properly signed version of the zone should have
 # been announced as coming into effect.
-nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
+nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1
 # Make a copy of the original zone file for reuse in journal tests below.
 cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror
 # Wait 1 second so that the zone file timestamp changes and the subsequent
 # invocation of "rndc reload" triggers a zone reload.
 sleep 1
-cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed
+cat ns2/verify-ixfr.db.bad.signed >ns2/verify-ixfr.db.signed
 reload_zone verify-ixfr ${UPDATED_SERIAL_BAD}
 # Make a copy of the bad zone journal for reuse in journal tests below.
 cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl
 # Trigger IXFR.
-$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1
 wait_for_transfer verify-ixfr
 # Ensure the transfer was incremental as expected.
 if [ $(nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l) -eq 0 ]; then
- echo_i "failed: did not get an incremental response"
- ret=1
+ echo_i "failed: did not get an incremental response"
+ ret=1
 fi
 # Ensure the new, bad version of the zone was not accepted.
-$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
 # A positive answer is expected as the original version of the "verify-ixfr"
 # zone should have been successfully verified.
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1
 # Despite the verification failure for this IXFR, this mirror zone should still
 # be in use as its previous version should have been verified successfully.
-nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)"
 ret=0
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 # Wait 1 second so that the zone file timestamp changes and the subsequent
 # invocation of "rndc reload" triggers a zone reload.
 sleep 1
-cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed
+cat ns2/verify-ixfr.db.good.signed >ns2/verify-ixfr.db.signed
 reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD}
 # Make a copy of the good zone journal for reuse in journal tests below.
 cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl
 # Trigger IXFR.
-$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1
 wait_for_transfer verify-ixfr
 # Ensure the new, good version of the zone was accepted.
-$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1
 # The log message announcing the mirror zone coming into effect should not have
 # been logged this time since the mirror zone in question is expected to
 # already be in use before this test case is checked.
-nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -208,11 +208,11 @@ echo_i "checking that loading an incorrectly signed mirror zone from disk fails
 ret=0
 nextpartreset ns3/named.run
 wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run
-$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -220,7 +220,7 @@ n=$((n + 1))
 echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)"
 ret=0
 # ns3 is started with "-T tat=3", so TAT queries should have already been sent.
-grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1
+grep "_ta-[-0-9a-f]*/NULL" ns1/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -228,14 +228,14 @@ n=$((n + 1))
 echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)"
 ret=0
 stop_server --use-rndc --port ${CONTROLPORT} ns3
-cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror
-nextpart ns3/named.run > /dev/null
+cat ns2/verify-load.db.good.signed >ns3/verify-load.db.mirror
+nextpart ns3/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns3
 wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run
-$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -253,22 +253,22 @@ cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
 # (NOTE: Keep the embedded newline in the sed function list below.)
 sed '/^zone "verify-ixfr" {$/,/^};$/ {
 s/10.53.0.3/10.53.0.254/
-}' ns2/named.conf > ns2/named.conf.modified
+}' ns2/named.conf >ns2/named.conf.modified
 mv ns2/named.conf.modified ns2/named.conf
 rndc_reconfig ns2 10.53.0.2
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns3
 wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run
-$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1
 # Restore transfers for the "verify-ixfr" zone on ns2.
 # (NOTE: Keep the embedded newline in the sed function list below.)
 sed '/^zone "verify-ixfr" {$/,/^};$/ {
 s/10.53.0.254/10.53.0.3/
-}' ns2/named.conf > ns2/named.conf.modified
+}' ns2/named.conf >ns2/named.conf.modified
 mv ns2/named.conf.modified ns2/named.conf
 rndc_reconfig ns2 10.53.0.2
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -280,40 +280,40 @@ ret=0
 stop_server --use-rndc --port ${CONTROLPORT} ns3
 cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror
 cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns3
 wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run
-$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking delegations sourced from a mirror zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 foo.example A +norec >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1
 # Check that a delegation containing a DS RRset and glue is present.
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
-grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1
-grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1
-grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1
+grep "example.*IN.*NS" dig.out.ns3.test$n >/dev/null || ret=1
+grep "example.*IN.*DS" dig.out.ns3.test$n >/dev/null || ret=1
+grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that resolution involving a mirror zone works as expected ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 foo.example A >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1
 # Ensure ns1 was not queried.
-grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
+grep "query 'foo.example/A/IN'" ns1/named.run >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -321,13 +321,13 @@ n=$((n + 1))
 echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)"
 ret=0
 # Issue a non-recursive query for an RRset which is expected to be in cache.
-$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1
 # Ensure the response is not a delegation.
-grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
-grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1
+grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -336,41 +336,41 @@ echo_i "checking that delegations from cache which improve mirror zone delegatio
 ret=0
 # First, issue a recursive query in order to cache an RRset which is not within
 # the mirror zone's bailiwick.
-$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 sub.example. NS >dig.out.ns3.test$n.1 2>&1 || ret=1
 # Ensure the child-side NS RRset is returned.
-grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
-grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1
-grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns3.test$n.1 >/dev/null || ret=1
+grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 >/dev/null || ret=1
 # Issue a non-recursive query for something below the cached zone cut.
-$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A >dig.out.ns3.test$n.2 2>&1 || ret=1
 # Ensure the cached NS RRset is returned in a delegation, along with the
 # parent-side DS RRset.
-grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1
-grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1
-grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n.2 >/dev/null || ret=1
+grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 >/dev/null || ret=1
+grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 . DNSKEY >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 . SOA >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -380,30 +380,30 @@ ret=0
 wait_for_transfer initially-unavailable
 # Query for a record in a zone that is set up to be mirrored, but
 # untransferrable from the configured primary. Resolution should still succeed.
-$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.1 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1
 # Sanity check: the authoritative server should have been queried.
-nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1
 # Reconfigure ns2 so that the zone can be mirrored on ns3.
 sed '/^zone "initially-unavailable" {$/,/^};$/ {
 s/10.53.0.254/10.53.0.3/
-}' ns2/named.conf > ns2/named.conf.modified
+}' ns2/named.conf >ns2/named.conf.modified
 mv ns2/named.conf.modified ns2/named.conf
 rndc_reconfig ns2 10.53.0.2
 # Flush the cache on ns3 and retransfer the mirror zone.
-$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1
-nextpart ns3/named.run > /dev/null
-$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 flush >/dev/null 2>&1
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 retransfer initially-unavailable >/dev/null 2>&1
 wait_for_transfer initially-unavailable
 # Query for the same record again. Resolution should still succeed.
-$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.2 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1
 # Ensure the authoritative server was not queried.
-nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -414,60 +414,60 @@ ret=0
 # mirrored on ns3.
 sed '/^zone "initially-unavailable" {$/,/^};$/ {
 s/10.53.0.3/10.53.0.254/
-}' ns2/named.conf > ns2/named.conf.modified
+}' ns2/named.conf >ns2/named.conf.modified
 mv ns2/named.conf.modified ns2/named.conf
 rndc_reconfig ns2 10.53.0.2
 # Stop ns3, update the timestamp of the zone file to one far in the past, then
 # restart ns3.
 stop_server --use-rndc --port ${CONTROLPORT} ns3
 touch -t 200001010000 ns3/initially-unavailable.db.mirror
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns3
 # Ensure named attempts to retransfer the zone due to its expiry.
 wait_for_transfer initially-unavailable
 # Ensure the expected messages were logged.
-nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1
-nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" >/dev/null || ret=1
+nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" >/dev/null || ret=1
 # Query for a record in the expired zone. Resolution should still succeed.
-$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1
 # Sanity check: the authoritative server should have been queried.
-nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA >dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
-grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1
-grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+grep "REFUSED" dig.out.ns3.test$n >/dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)"
 ret=0
-$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1
-grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 . AXFR >dig.out.ns3.test$n 2>&1 || ret=1
+grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that notifies are disabled by default for mirror zones ($n)"
 ret=0
-grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1
+grep "initially-unavailable.*sending notifies" ns3/named.run >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 n=$((n + 1))
 echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1
-grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 zonestatus . >rndc.out.ns3.test$n 2>&1
+grep "type: mirror" rndc.out.ns3.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -475,26 +475,26 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a mirror -> secondary zone type change ($n)" ret=0 # Sanity check before we start. -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Reconfigure the zone so that it is no longer a mirror zone. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type mirror;/type secondary;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null rndc_reconfig ns3 10.53.0.3 # Zones whose type was changed should not be reusable, which means the tested # zone should have been reloaded from disk. wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. 
-$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -502,20 +502,20 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a secondary -> mirror zone type change ($n)" ret=0 # Put an incorrectly signed version of the zone in the zone file used by ns3. -nextpart ns3/named.run > /dev/null -cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror +nextpart ns3/named.run >/dev/null +cat ns2/verify-reconfig.db.bad.signed >ns3/verify-reconfig.db.mirror # Reconfigure the zone so that it is a mirror zone again. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type secondary;/type mirror;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf rndc_reconfig ns3 10.53.0.3 # The reconfigured zone should fail verification. wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -523,19 +523,19 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be added using rndc ($n)" ret=0 # Sanity check: the zone should not exist in the root zone. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Mirror a zone which does not exist in the root zone. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_transfer verify-addzone # Check whether the mirror zone was added and whether it behaves as expected. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -543,14 +543,14 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be deleted using rndc ($n)" ret=0 # Remove the mirror zone added in the previous test. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 delzone verify-addzone >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_log 20 "zone verify-addzone/IN: mirror zone is no longer in use; reverting to normal recursion" ns3/named.run || ret=1 # Check whether the mirror zone was removed. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 626e18f..a3f0928 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -19,8 +19,8 @@ zonefile=sub.tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null -keyfile_to_initial_ds $keyname > island.conf +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null +keyfile_to_initial_ds $keyname >island.conf cp island.conf ../ns5/island.conf zone=tld 
@@ -29,7 +29,7 @@ zonefile=tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null zone=. zonefile=root.db @@ -37,18 +37,18 @@ zonefile=root.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null # Configure the resolving server with an initializing key. -keyfile_to_initial_ds $keyname > managed.conf +keyfile_to_initial_ds $keyname >managed.conf cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf # Configure broken trust anchor for ns3 # Rotate each nibble in the digest by -1 -$DSFROMKEY $keyname.key | -awk '!/^; /{ +$DSFROMKEY $keyname.key \ + | awk '!/^; /{ printf "trust-anchors {\n" printf "\t\""$1"\" initial-ds " printf $4 " " $5 " " $6 " \"" @@ -76,10 +76,10 @@ awk '!/^; /{ } printf "\";\n" printf "};\n" - }' > ../ns3/broken.conf + }' >../ns3/broken.conf # Configure a static key to be used by delv. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf # Prepare an unsupported algorithm key. unsupportedkey=Kunknown.+255+00000 @@ -88,6 +88,6 @@ cp unsupported.key "${unsupportedkey}.key" # # Save keyname and keyid for managed key id test. # -echo "$keyname" > managed.key -echo "$zskkeyname" > zone.key -keyfile_to_key_id $keyname > managed.key.id +echo "$keyname" >managed.key +echo "$zskkeyname" >zone.key +keyfile_to_key_id $keyname >managed.key.id diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in index 1c77556..feed923 100644 --- a/bin/tests/system/mkeys/ns2/named.conf.in +++ b/bin/tests/system/mkeys/ns2/named.conf.in 
@@ -39,5 +39,5 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
index 374b184..ed3bf46 100644
--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -39,7 +39,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 include "broken.conf";
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
index 5c23708..1ad75aa 100644
--- a/bin/tests/system/mkeys/ns4/named.conf.in
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -39,7 +39,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "sub.foo" {
diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh
index d364e8e..8fb8519 100644
--- a/bin/tests/system/mkeys/ns4/sign.sh
+++ b/bin/tests/system/mkeys/ns4/sign.sh
@@ -19,6 +19,6 @@ zonefile=sub.foo.db
 keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
 zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
-$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
-keyfile_to_initial_ds $keyname > private.conf
+$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname >private.conf
 cp private.conf ../ns5/private.conf
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
index 757d614..8669971 100644
--- a/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -39,7 +39,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "foo" {
diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
index 3279859..48afcbe 100644
--- a/bin/tests/system/mkeys/ns6/named.conf.in
+++ b/bin/tests/system/mkeys/ns6/named.conf.in
@@ -38,7 +38,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 include "managed.conf";
diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
index fcbd287..2ea7aa4 100644
--- a/bin/tests/system/mkeys/ns6/setup.sh
+++ b/bin/tests/system/mkeys/ns6/setup.sh
@@ -30,4 +30,4 @@ cp "../ns1/${rootkey}.key" .
 # Configure the resolving server with an initializing key.
 # (We use key-format trust anchors here because otherwise the
 # unsupported algorithm test won't work.)
-keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey > managed.conf
+keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey >managed.conf
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
index b50246a..7ccf59e 100644
--- a/bin/tests/system/mkeys/ns7/named.conf.in
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
@@ -39,13 +39,13 @@ controls {
 view view1 {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 };
 view view2 {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 };
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index d1a30a2..7251e30 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -16,8 +16,8 @@ export ALGORITHM_SET="ecc_default"
 # Ensure the selected algorithm set is okay.
 if [ "$ALGORITHM_SET" = "error" ]; then
- echofail "Algorithm selection failed." >&2
- exit 1
+ echofail "Algorithm selection failed." >&2
+ exit 1
 fi
 copy_setports ns1/named1.conf.in ns1/named.conf
@@ -30,9 +30,9 @@ copy_setports ns7/named.conf.in ns7/named.conf
 cp ns5/named1.args ns5/named.args
-( cd ns1 && $SHELL sign.sh )
-( cd ns4 && $SHELL sign.sh )
-( cd ns6 && $SHELL setup.sh )
+(cd ns1 && $SHELL sign.sh)
+(cd ns4 && $SHELL sign.sh)
+(cd ns6 && $SHELL setup.sh)
 cp ns2/managed.conf ns2/managed1.conf
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index ed9dcf6..1d85160 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -18,72 +18,72 @@ export ALGORITHM_SET="ecc_default" . ../conf.sh dig_with_opts() ( - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" ) delv_with_opts() ( - "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" + "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" ) rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) mkeys_reconfig_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_reload_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" - wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" + wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 ) mkeys_loadkeys_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" loadkeys . 
| sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 ) mkeys_refresh_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 ) mkeys_sync_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # dns_zone_flush(), which also attempts to take that zone's lock - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # dns_zone_flush(), which also attempts to take that zone's lock + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 ) mkeys_status_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), - # which also attempts to take that zone's lock - nsidx=$1 - rndccmd "10.53.0.${nsidx}" managed-keys status + # No race 
with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), + # which also attempts to take that zone's lock + nsidx=$1 + rndccmd "10.53.0.${nsidx}" managed-keys status ) mkeys_flush_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_secroots_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i ) original=$(cat ns1/managed.key) 
@@ -96,50 +96,50 @@ rm -f dig.out.* echo_i "check for signed record ($n)" ret=0 -dig_with_opts +norec example. @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1 +dig_with_opts +norec example. @10.53.0.1 TXT >dig.out.ns1.test$n || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check positive validation with valid trust anchor ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. 
@10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) if [ -x "$DELV" ]; then - n=$((n+1)) - ret=0 - echo_i "check positive validation using delv ($n)" - delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 - grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant - grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 - grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "check positive validation using delv ($n)" + delv_with_opts @10.53.0.1 txt example >delv.out$n || ret=1 + grep "; fully validated" delv.out$n >/dev/null || ret=1 # redundant + grep "example..*TXT.*This is a test" delv.out$n >/dev/null || ret=1 + grep "example..*.RRSIG..*TXT" delv.out$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check for failed validation due to wrong key in managed-keys ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 -grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. 
@10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n >/dev/null && ret=1 +grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can be added ($n)" ret=0 standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # there should be two keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -153,13 +153,13 @@ count=$(grep -c "trusted since" rndc.out.$n) || true count=$(grep -c "trust pending" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can't be added with bad initial key ($n)" ret=0 mkeys_refresh_on 3 || ret=1 -mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 3 >rndc.out.$n 2>&1 || ret=1 # there should be one key listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 
@@ -170,14 +170,14 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "no trust" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "remove untrusted standby key, check timer restarts ($n)" ret=0 mkeys_sync_on 2 || ret=1 t1=$(grep "trust pending" ns2/managed-keys.bind) || true -$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -191,14 +191,14 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore untrusted standby key, revoke original key ($n)" t1=$t2 -$SETTIME -D none -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -207,7 +207,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -228,9 +228,9 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "refresh managed-keys, ensure same result ($n)" t1=$t2 
@@ -241,7 +241,7 @@ t1=$t2 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -262,15 +262,15 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore revoked key, ensure same result ($n)" t1=$t2 -$SETTIME -R none -D now -K ns1 "$original" > /dev/null +$SETTIME -R none -D now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 -$SETTIME -D none -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -279,7 +279,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 
@@ -300,36 +300,36 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, add second key to bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* -keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf -nextpart ns2/named.run > /dev/null +keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" >ns2/managed.conf +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that no key from bind.keys is marked as an initializing key ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 mkeys_secroots_on 2 || ret=1 -grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 +grep '; initializing' ns2/named.secroots >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, revert to one key in bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* mv ns2/managed1.conf ns2/managed.conf -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that standby key is now trusted ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 
@@ -340,16 +340,16 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke original key, add new standby ($n)" ret=0 standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # three keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 
@@ -372,48 +372,66 @@ count=$(grep -c "trust pending" rndc.out.$n) || true count=$(grep -c "remove at" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke standby before it is trusted ($n)" ret=0 standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 # four keys listed count=$(grep -c "keyid: " rndc.out.1.$n) || true -[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; } +[ "$count" -eq 4 ] || { + echo_i "keyid: count ($count) != 4" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.1.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # two pending count=$(grep -c "trust pending" rndc.out.1.$n) || true -[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; } -$SETTIME -R now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 2 ] || { + echo_i "trust pending count ($count) != 2" + ret=1 +} +$SETTIME -R now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # now three keys listed count=$(grep -c "keyid: " rndc.out.2.$n) || true -[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; } +[ "$count" -eq 3 ] || { + echo_i "keyid: count ($count) != 3" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # one pending count=$(grep -c "trust pending" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { 
echo_i "trust pending count ($count) != 1"; ret=1; } -$SETTIME -D now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 1 ] || { + echo_i "trust pending count ($count) != 1" + ret=1 +} +$SETTIME -D now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" ret=0 sleep 20 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -427,17 +445,17 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke all keys, confirm roll to insecure ($n)" ret=0 -$SETTIME -D now -K ns1 "$original" > /dev/null -$SETTIME -R now -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$standby2" > /dev/null +$SETTIME -D now -K ns1 "$original" >/dev/null +$SETTIME -R now -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$standby2" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 
@@ -454,51 +472,51 @@ count=$(grep -c "trust revoked" rndc.out.$n) || true
 count=$(grep -c "remove at" rndc.out.$n) || true
 [ "$count" -eq 2 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check for insecure response ($n)"
 ret=0
 mkeys_refresh_on 2 || ret=1
-dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "reset the root server ($n)"
 ret=0
-$SETTIME -D none -R none -K ns1 "$original" > /dev/null
-$SETTIME -D now -K ns1 "$standby1" > /dev/null
-$SETTIME -D now -K ns1 "$standby2" > /dev/null
+$SETTIME -D none -R none -K ns1 "$original" >/dev/null
+$SETTIME -D now -K ns1 "$standby1" >/dev/null
+$SETTIME -D now -K ns1 "$standby2" >/dev/null
 sleep 1 # ensure modification time changes
-$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null
 copy_setports ns1/named2.conf.in ns1/named.conf
 rm -f ns1/root.db.signed.jnl
 mkeys_reconfig_on 1 || ret=1
 mkeys_reload_on 1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "reinitialize trust anchors"
 stop_server --use-rndc --port "${CONTROLPORT}" ns2
 rm -f ns2/managed-keys.bind*
-nextpart ns2/named.run > /dev/null
+nextpart ns2/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns2
-n=$((n+1))
+n=$((n + 1))
 echo_i "check positive validation ($n)"
 ret=0
 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
-dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "revoke key with bad signature, check revocation is ignored ($n)"
 ret=0
 revoked=$($REVOKE -K ns1 "$original")
@@ -508,8 +526,8 @@ rm -f ns1/root.db.signed.jnl
 # failing. Alternatively, we could use -P to disable post-sign verification,
 # but we actually do want post-sign verification to happen to ensure the zone
 # is correct before we break it on purpose.
-$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null
-$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
+$SETTIME -R none -D none -K ns1 "$standby1" >/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db >/dev/null 2>/dev/null
 cp -f ns1/root.db.signed ns1/root.db.tmp
 BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
 # Less than a second may have passed since ns1 was started. If we call
@@ -518,59 +536,74 @@ BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89h
 # "nanoseconds" field of isc_time_t, due to zone load time being seemingly
 # equal to master file modification time.
 sleep 1
-sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
+sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n >ns1/root.db.signed
 mkeys_reload_on 1 || ret=1
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1
 # one key listed
 count=$(grep -c "keyid: " rndc.out.$n) || true
-[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; }
+[ "$count" -eq 1 ] || {
+ echo_i "'keyid:' count ($count) != 1"
+ ret=1
+}
 # it's the original key id
 count=$(grep -c "keyid: $originalid" rndc.out.$n) || true
-[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; }
+[ "$count" -eq 1 ] || {
+ echo_i "'keyid: $originalid' count ($count) != 1"
+ ret=1
+}
 # not revoked
 count=$(grep -c "REVOKE" rndc.out.$n) || true
-[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; }
+[ "$count" -eq 0 ] || {
+ echo_i "'REVOKE' count ($count) != 0"
+ ret=1
+}
 # trust is still current
 count=$(grep -c "trust" rndc.out.$n) || true
-[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; }
+[ "$count" -eq 1 ] || {
+ echo_i "'trust' count != 1"
+ ret=1
+}
 count=$(grep -c "trusted since" rndc.out.$n) || true
-[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; }
+[ "$count" -eq 1 ] || {
+ echo_i "'trusted since' count != 1"
+ ret=1
+}
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check validation fails with bad DNSKEY rrset ($n)"
 ret=0
 mkeys_flush_on 2 || ret=1
-dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "restore DNSKEY rrset, check validation succeeds again ($n)"
 ret=0
 rm -f "${revoked}".key "${revoked}".private
 rm -f ns1/root.db.signed.jnl
-$SETTIME -D none -R none -K ns1 "$original" > /dev/null
-$SETTIME -D now -K ns1 "$standby1" > /dev/null
+$SETTIME -D none -R none -K ns1 "$original" >/dev/null
+$SETTIME -D now -K ns1 "$standby1" >/dev/null
 # Less than a second may have passed since ns1 was started. If we call
 # dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
 # subsequent "rndc reload ." call on platforms which do not set the
 # "nanoseconds" field of isc_time_t, due to zone load time being seemingly
 # equal to master file modification time.
 sleep 1
-$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null
 mkeys_reload_on 1 || ret=1
 mkeys_flush_on 2 || ret=1
-dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "reset the root server with no keys, check for minimal update ($n)"
 ret=0
 # Refresh keys first to prevent previous checks from influencing this one.
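Review bot: The two diagnostics `echo_i "'trust' count != 1"` and `echo_i "'trusted since' count != 1"` in the "revoke key with bad signature" block omit the observed value, while every sibling check in the same hunk prints it; a failure here gives the reader nothing to compare against the expected count. Make them consistent with the neighbours: `echo_i "'trust' count ($count) != 1"` and `echo_i "'trusted since' count ($count) != 1"`. The surrounding test script continues on both sides of the hunk.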
@@ -580,16 +613,16 @@ ret=0
 # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
 # set using -T mkeytimers).
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1
 t1=$(grep 'next refresh:' rndc.out.1.$n) || true
 stop_server --use-rndc --port "${CONTROLPORT}" ns1
 rm -f ns1/root.db.signed.jnl
 cp ns1/root.db ns1/root.db.signed
-nextpart ns1/named.run > /dev/null
+nextpart ns1/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns1
 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
+mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1
 # one key listed
 count=$(grep -c "keyid: " rndc.out.2.$n) || true
 [ "$count" -eq 1 ] || ret=1
@@ -607,19 +640,19 @@ count=$(grep -c "trusted since" rndc.out.2.$n) || true
 t2=$(grep 'next refresh:' rndc.out.2.$n) || true
 [ "$t1" = "$t2" ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "reset the root server with no signatures, check for minimal update ($n)"
 ret=0
 # Refresh keys first to prevent previous checks from influencing this one
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1
 t1=$(grep 'next refresh:' rndc.out.1.$n) || true
 stop_server --use-rndc --port "${CONTROLPORT}" ns1
 rm -f ns1/root.db.signed.jnl
-cat ns1/K*.key >> ns1/root.db.signed
-nextpart ns1/named.run > /dev/null
+cat ns1/K*.key >>ns1/root.db.signed
+nextpart ns1/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns1
 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
 # Less than a second may have passed since the last time ns2 received a
@@ -627,7 +660,7 @@ wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
 # timestamp to prevent minimal update from resetting it to the same timestamp.
 sleep 1
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
+mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1
 # one key listed
 count=$(grep -c "keyid: " rndc.out.2.$n) || true
 [ "$count" -eq 1 ] || ret=1
@@ -645,53 +678,53 @@ count=$(grep -c "trusted since" rndc.out.2.$n) || true
 t2=$(grep 'next refresh:' rndc.out.2.$n) || true
 [ "$t1" = "$t2" ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "restore root server, check validation succeeds again ($n)"
 ret=0
 rm -f ns1/root.db.signed.jnl
-$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null
 mkeys_reload_on 1 || ret=1
 mkeys_refresh_on 2 || ret=1
-mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
-dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that trust-anchor-telemetry queries are received ($n)"
 ret=0
-grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
+grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc-managed-keys destroy' ($n)"
 ret=0
 rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
-mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
-grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1
+mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1
+grep "no views with managed keys" rndc.out.1.$n >/dev/null || ret=1
 mkeys_reconfig_on 2 || ret=1
 check_root_trust_anchor_is_present_in_status() {
- mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1
- grep "name: \." rndc.out.2.$n > /dev/null || return 1
- return 0
+ mkeys_status_on 2 >rndc.out.2.$n 2>&1 || return 1
+ grep "name: \." rndc.out.2.$n >/dev/null || return 1
+ return 0
 }
 retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)"
 ret=0
 # convert the hexadecimal key from the TAT query into decimal and
@@ -701,19 +734,19 @@ tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex")
 realkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p")
 [ "$tatkey" -eq "$realkey" ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check initialization fails if managed-keys can't be created ($n)"
 ret=0
 mkeys_secroots_on 4 || ret=1
-grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
-grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
-grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
+grep '; initializing managed' ns4/named.secroots >/dev/null 2>&1 || ret=1
+grep '; managed' ns4/named.secroots >/dev/null 2>&1 && ret=1
+grep '; trusted' ns4/named.secroots >/dev/null 2>&1 && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)"
 ret=0
 # By the time we get here, ns5 should have attempted refreshing its managed
@@ -723,7 +756,7 @@ ret=0
 # key refresh failure instead of just a few seconds, in order to prevent races
 # between the next scheduled key refresh time and startup time of restarted ns5.
 stop_server --use-rndc --port "${CONTROLPORT}" ns5
-nextpart ns5/named.run > /dev/null
+nextpart ns5/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns5
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
@@ -733,13 +766,13 @@ wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':"
 count=$(grep -c "Creating key fetch" ns5/named.run) || true
 [ "$count" -lt 2 ] && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
 ret=0
 mkeys_sync_on 5
-mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1
 # there should be three keys listed now
 count=$(grep -c "keyid: " rndc.out.$n) || true
 [ "$count" -eq 3 ] || ret=1
@@ -750,9 +783,9 @@ count=$(grep -c "trust" rndc.out.$n) || true
 count=$(grep -c "trusted since" rndc.out.$n) || true
 [ "$count" -eq 1 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check key refreshes are resumed after root servers become available ($n)"
 ret=0
 stop_server --use-rndc --port "${CONTROLPORT}" ns5
@@ -761,53 +794,53 @@ rm -f ns5/managed-keys.bind*
 # named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
 # an "hour" until keys are refreshed again after initial failure
 cp ns5/named2.args ns5/named.args
-nextpart ns5/named.run > /dev/null
+nextpart ns5/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns5
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
-grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
+grep '; initializing managed' ns5/named.secroots >/dev/null 2>&1 || ret=1
 # ns1 should still REFUSE queries from ns5, so resolving should be impossible
-dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1
-grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.a.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n >/dev/null && ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n >/dev/null && ret=1
+grep "status: SERVFAIL" dig.out.ns5.a.test$n >/dev/null || ret=1
 # Allow queries from ns5 to ns1
 copy_setports ns1/named3.conf.in ns1/named.conf
 rm -f ns1/root.db.signed.jnl
-nextpart ns5/named.run > /dev/null
+nextpart ns5/named.run >/dev/null
 mkeys_reconfig_on 1 || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
-grep '; managed' ns5/named.secroots > /dev/null || ret=1
+grep '; managed' ns5/named.secroots >/dev/null || ret=1
 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
 # correctly refreshed and resolving should succeed
-dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1
-grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
+dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.b.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n >/dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns5.b.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
 ret=0
 stop_server --use-rndc --port "${CONTROLPORT}" ns6
 rm -f ns6/managed-keys.bind*
-nextpart ns6/named.run > /dev/null
+nextpart ns6/named.run >/dev/null
 start_server --noclean --restart --port "${PORT}" ns6
 # log when an unsupported algorithm is encountered during startup
 wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "ignoring unsupported algorithm in managed-keys ($n)"
 ret=0
-mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
+mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1
 # there should still be only two keys listed (for . and island.)
 count=$(grep -c "keyid: " rndc.out.$n) || true
 [ "$count" -eq 2 ] || ret=1
@@ -815,26 +848,26 @@ count=$(grep -c "keyid: " rndc.out.$n) || true
 count=$(grep -c "trust" rndc.out.$n) || true
 [ "$count" -eq 2 ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
 ret=0
 cp ns1/root.db ns1/root.db.orig
 ksk=$(cat ns1/managed.key)
 zsk=$(cat ns1/zone.key)
-cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
-grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1
-$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1
-grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >>ns1/root.db
+grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db >/dev/null || ret=1
+$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" >/dev/null 2>/dev/null || ret=1
+grep "DNSKEY.*257 3 255" ns1/root.db.signed >/dev/null || ret=1
 cp ns1/root.db.orig ns1/root.db
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "ignoring unsupported algorithm in rollover ($n)"
 ret=0
 mkeys_reload_on 1 || ret=1
 mkeys_refresh_on 6 || ret=1
-mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
+mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1
 # there should still be only two keys listed (for . and island.)
 count=$(grep -c "keyid: " rndc.out.$n) || true
 [ "$count" -eq 2 ] || ret=1
@@ -844,28 +877,28 @@ count=$(grep -c "trust" rndc.out.$n) || true # log when an unsupported algorithm is encountered during rollover wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and views ($n)" ret=0 -rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 -lines=$(wc -l < rndc.out.ns7.view1.test$n) +rndccmd 10.53.0.7 managed-keys refresh in view1 >rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n >/dev/null || ret=1 +lines=$(wc -l rndc.out.ns7.view2.test$n || ret=1 -lines=$(wc -l < rndc.out.ns7.view2.test$n) -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 -grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +rndccmd 10.53.0.7 managed-keys refresh >rndc.out.ns7.view2.test$n || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 [ "$lines" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" ret=0 mkeys_sync_on 5 -mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 # there should be three keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 
@@ -876,7 +909,7 @@ count=$(grep -c "trust" rndc.out.$n) || true
 count=$(grep -c "trusted since" rndc.out.$n) || true
 [ "$count" -eq 3 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/names/tests.sh b/bin/tests/system/names/tests.sh
index 9546298..f104886 100644
--- a/bin/tests/system/names/tests.sh
+++ b/bin/tests/system/names/tests.sh
@@ -20,29 +20,32 @@ DIGOPTS="+nosea +stat +noquest +nocomm +nocmd -p ${PORT}"
 status=0
 echo_i "Getting message size with compression enabled"
-$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example > dig.compen.test
-COMPEN=$(grep ';; MSG SIZE' dig.compen.test |sed -e "s/.*: //g")
-cat dig.compen.test |grep -v ';;' |sort > dig.compen.sorted.test
+$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example >dig.compen.test
+COMPEN=$(grep ';; MSG SIZE' dig.compen.test | sed -e "s/.*: //g")
+cat dig.compen.test | grep -v ';;' | sort >dig.compen.sorted.test
 echo_i "Getting message size with compression disabled"
-$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example > dig.compdis.test
-COMPDIS=$(grep ';; MSG SIZE' dig.compdis.test |sed -e "s/.*: //g")
-cat dig.compdis.test |grep -v ';;' |sort > dig.compdis.sorted.test
+$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example >dig.compdis.test
+COMPDIS=$(grep ';; MSG SIZE' dig.compdis.test | sed -e "s/.*: //g")
+cat dig.compdis.test | grep -v ';;' | sort >dig.compdis.sorted.test
 # the compression disabled message should be at least twice as large as with
 # compression disabled, but the content should be the same
 echo_i "Checking if responses are identical other than in message size"
-{ diff dig.compdis.sorted.test dig.compen.sorted.test >/dev/null; ret=$?; } || true
+{
+ diff dig.compdis.sorted.test dig.compen.sorted.test >/dev/null
+ ret=$?
+} || true
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 echo_i "Checking if message with compression disabled is significantly larger"
 echo_i "Disabled $COMPDIS vs enabled $COMPEN"
-val=$(( (COMPDIS * 3 / 2) / COMPEN))
+val=$(((COMPDIS * 3 / 2) / COMPEN))
 if [ $val -le 1 ]; then
- echo_i "failed"
- status=$((status + 1))
-fi;
+ echo_i "failed"
+ status=$((status + 1))
+fi
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in
index bc5af9d..203f23c 100644
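Review bot: `val=$(((COMPDIS * 3 / 2) / COMPEN))` divides by a value that is never checked: the two `$DIG` invocations have no `|| ret=1`, so if either query fails the `;; MSG SIZE` line is absent, COMPEN or COMPDIS is empty, and the expansion aborts with a shell arithmetic error instead of being counted as a test failure. A guard before the division keeps the outcome in `status`, e.g. `[ -n "$COMPEN" ] && [ "$COMPEN" -gt 0 ] && [ -n "$COMPDIS" ] || { echo_i "failed"; exit 1; }`. Separately, the comment above the diff says the message should be "at least twice as large as with compression disabled", which should read "enabled", and the `val -le 1` test as written only requires the uncompressed message to be about a third larger (it passes once COMPDIS*3/2 >= 2*COMPEN); either the comment or the threshold should be brought in line.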
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -36,7 +36,7 @@ controls {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "example" {
diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in
index ee21f92..4761622 100644
--- a/bin/tests/system/notify/ns3/named.conf.in
+++ b/bin/tests/system/notify/ns3/named.conf.in
@@ -26,7 +26,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "example" {
diff --git a/bin/tests/system/notify/ns4/named.conf.in b/bin/tests/system/notify/ns4/named.conf.in
index 95a0ff9..2f0b930 100644
--- a/bin/tests/system/notify/ns4/named.conf.in
+++ b/bin/tests/system/notify/ns4/named.conf.in
@@ -26,7 +26,7 @@ options {
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 zone "x21" {
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index ba9dfe3..2953e0a 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -17,48 +17,47 @@ set -e
 . ../conf.sh
 dig_plus_opts() {
- $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"
+ $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"
 }
 status=0
 n=0
 test_start() {
- n=$((n+1))
- echo_i "$* ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "$* ($n)"
+ ret=0
 }
 test_end() {
- [ $ret = 0 ] || echo_i "failed"
- status=$((status + ret))
+ [ $ret = 0 ] || echo_i "failed"
+ status=$((status + ret))
 }
 #
 # Wait up to 10 seconds for the servers to finish starting before testing.
 #
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- ret=0
- $DIG +tcp -p "${PORT}" example @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
- grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
- grep "flags:.* aa[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
- $DIG +tcp -p "${PORT}" example @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1
- nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run)
- [ "$nr" -eq 20 ] || ret=1
- [ $ret = 0 ] && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ $DIG +tcp -p "${PORT}" example @10.53.0.2 soa >dig.out.ns2.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+ grep "flags:.* aa[ ;]" dig.out.ns2.test$n >/dev/null || ret=1
+ $DIG +tcp -p "${PORT}" example @10.53.0.3 soa >dig.out.ns3.test$n || ret=1
+ grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+ grep "flags:.* aa[ ;]" dig.out.ns3.test$n >/dev/null || ret=1
+ nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run)
+ [ "$nr" -eq 20 ] || ret=1
+ [ $ret = 0 ] && break
+ sleep 1
 done
 test_start "checking initial status"
-dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "10.0.0.1" dig.out.ns2.test$n > /dev/null || ret=1
+dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+grep "10.0.0.1" dig.out.ns2.test$n >/dev/null || ret=1
-dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "10.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
+dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+grep "10.0.0.1" dig.out.ns3.test$n >/dev/null || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
@@ -96,10 +95,10 @@ END {
 print "average:", average;
 if (average < 0.180) exit(1);
 if (count < 20) exit(1);
-}' ns2/named.run > awk.out.ns2.test$n || ret=1
+}' ns2/named.run >awk.out.ns2.test$n || ret=1
 test_end
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
 sleep 1 # make sure filesystem time stamp is newer for reload.
 rm -f ns2/example.db
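Review bot: In the startup-wait loop, `nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run)` has no `|| true`, and the hunk header shows this script runs under `set -e`; `grep -c` exits 1 when it counts zero matches, so on an iteration where ns2 has not yet logged any notify the whole script terminates instead of sleeping and retrying. The sibling mkeys script in this same commit appends `|| true` to every `grep -c` assignment for exactly this reason, so `nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run) || true` would make the loop behave as the comment above it describes. A smaller point: if all ten iterations fail, `ret` is left at 1 but the next `test_start` resets it to 0, so a server that never came up is only reported indirectly by a later assertion; a line such as `[ $ret = 0 ] || echo_i "servers did not finish starting within 10 seconds"` after `done` would name the real cause.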
@@ -109,21 +108,21 @@ kill -HUP "$(cat ns2/named.pid)"
 wait_for_log_re 45 "transfer of 'example/IN' from 10.53.0.2#.*success" ns3/named.run
 test_start "checking notify message was logged"
-grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run > /dev/null || ret=1
+grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run >/dev/null || ret=1
 test_end
 test_start "checking example2 loaded"
-dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
+dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n >/dev/null || ret=1
 test_end
 test_start "checking example2 contents have been transferred after HUP reload"
-dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
+dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n >/dev/null || ret=1
-dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "10.0.0.2" dig.out.ns3.test$n > /dev/null || ret=1
+dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+grep "10.0.0.2" dig.out.ns3.test$n >/dev/null || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
@@ -139,45 +138,44 @@ start_server --noclean --restart --port "${PORT}" ns2 wait_for_log_re 45 "transfer of 'example/IN' from 10.53.0.2#.*success" ns3/named.run test_start "checking notify message was logged" -grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run > /dev/null || ret=1 +grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run >/dev/null || ret=1 test_end test_start "checking example4 loaded" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n >/dev/null || ret=1 test_end test_start "checking example4 contents have been transferred after restart" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n >/dev/null || ret=1 -dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "10.0.0.4" dig.out.ns3.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "10.0.0.4" dig.out.ns3.test$n >/dev/null || ret=1 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 test_end test_start "checking notify to alternate port with primary server inheritance" -$NSUPDATE << EOF +$NSUPDATE < "$fn" || ret=1 - grep "test string" "$fn" > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + dig_plus_opts added.x21. @10.53.0.4 txt -p "$EXTRAPORT1" >"$fn" || ret=1 + grep "test string" "$fn" >/dev/null && break + sleep 1 done -grep "test string" "$fn" > /dev/null || ret=1 +grep "test string" "$fn" >/dev/null || ret=1 test_end test_start "checking notify to multiple views using tsig" -$NSUPDATE << EOF +$NSUPDATE < "$fnb" || ret=1 - dig_plus_opts added.x21. 
-y c:cccccccccccccccccccc @10.53.0.5 \ - txt > "$fnc" || ret=1 - grep "test string" "$fnb" > /dev/null && - grep "test string" "$fnc" > /dev/null && - break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt >"$fnb" || ret=1 + dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ + txt >"$fnc" || ret=1 + grep "test string" "$fnb" >/dev/null \ + && grep "test string" "$fnc" >/dev/null \ + && break + sleep 1 done -grep "test string" "$fnb" > /dev/null || ret=1 -grep "test string" "$fnc" > /dev/null || ret=1 -grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run > /dev/null || ret=1 -grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run > /dev/null || ret=1 +grep "test string" "$fnb" >/dev/null || ret=1 +grep "test string" "$fnc" >/dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run >/dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run >/dev/null || ret=1 test_end test_start "checking notify-source uses port option correctly" -grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run > /dev/null || ret=1 +grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run >/dev/null || ret=1 test_end # notify messages were sent to unresponsive 10.53.10.53 during the tests diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index 68bc2e4..5ddcfc0 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh 
@@ -17,44 +17,44 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - cp template.db.in "$zonefile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in "$zonefile" } for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ - nsec3-to-optout nsec3-from-optout nsec3-dynamic \ - nsec3-dynamic-change nsec3-dynamic-to-inline \ - nsec3-inline-to-dynamic nsec3-dynamic-update-inline -do - setup "${zn}.kasp" + nsec3-to-optout nsec3-from-optout nsec3-dynamic \ + nsec3-dynamic-change nsec3-dynamic-to-inline \ + nsec3-inline-to-dynamic nsec3-dynamic-update-inline; do + setup "${zn}.kasp" done -if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) -then - for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ - nsec3-to-rsasha1-ds - do - setup "${zn}.kasp" - done - - longago="now-1y" - keytimes="-P ${longago} -A ${longago}" - O="omnipresent" - - zone="rsasha1-to-nsec3-wait.kasp" - CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) - echo_i "Created key file $CSK" - $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 - - zone="nsec3-to-rsasha1-ds.kasp" - CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone) - echo_i "Created key file $CSK" - $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 +if ( + cd .. 
+ $SHELL ../testcrypto.sh -q RSASHA1 +); then + for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ + nsec3-to-rsasha1-ds; do + setup "${zn}.kasp" + done + + longago="now-1y" + keytimes="-P ${longago} -A ${longago}" + O="omnipresent" + + zone="rsasha1-to-nsec3-wait.kasp" + CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1 + + zone="nsec3-to-rsasha1-ds.kasp" + CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2>keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1 else - echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" + echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" fi cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index bdd1ae9..3019361 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -20,11 +20,11 @@ $SHELL clean.sh copy_setports ns2/named.conf.in ns2/named.conf ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 117bf63..fc864a4 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh 
@@ -20,206 +20,206 @@ set -e # Log errors and increment $ret. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Call dig with default options. dig_with_opts() { - $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } # Call rndc. rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Set zone name ($1) and policy ($2) for testing nsec3. set_zone_policy() { - ZONE=$1 - POLICY=$2 - NUM_KEYS=$3 - DNSKEY_TTL=$4 + ZONE=$1 + POLICY=$2 + NUM_KEYS=$3 + DNSKEY_TTL=$4 } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3). set_nsec3param() { - FLAGS=$1 - ITERATIONS=$2 - SALTLEN=$3 - # Reset salt. - SALT="" + FLAGS=$1 + ITERATIONS=$2 + SALTLEN=$3 + # Reset salt. + SALT="" } # Set expected default dnssec-policy keys values. set_key_default_values() { - key_clear $1 - - set_keyrole $1 "csk" - set_keylifetime $1 "0" - set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" - set_keysigning $1 "yes" - set_zonesigning $1 "yes" - - set_keystate $1 "GOAL" "omnipresent" - set_keystate $1 "STATE_DNSKEY" "rumoured" - set_keystate $1 "STATE_KRRSIG" "rumoured" - set_keystate $1 "STATE_ZRRSIG" "rumoured" - set_keystate $1 "STATE_DS" "hidden" + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" } # Set expected rsasha1 dnssec-policy keys values. 
set_key_rsasha1_values() { - key_clear $1 - - set_keyrole $1 "csk" - set_keylifetime $1 "0" - set_keyalgorithm $1 "5" "RSASHA1" "2048" - set_keysigning $1 "yes" - set_zonesigning $1 "yes" - - set_keystate $1 "GOAL" "omnipresent" - set_keystate $1 "STATE_DNSKEY" "rumoured" - set_keystate $1 "STATE_KRRSIG" "rumoured" - set_keystate $1 "STATE_ZRRSIG" "rumoured" - set_keystate $1 "STATE_DS" "hidden" + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "5" "RSASHA1" "2048" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" } # Update the key states. set_key_states() { - set_keystate $1 "GOAL" "$2" - set_keystate $1 "STATE_DNSKEY" "$3" - set_keystate $1 "STATE_KRRSIG" "$4" - set_keystate $1 "STATE_ZRRSIG" "$5" - set_keystate $1 "STATE_DS" "$6" + set_keystate $1 "GOAL" "$2" + set_keystate $1 "STATE_DNSKEY" "$3" + set_keystate $1 "STATE_KRRSIG" "$4" + set_keystate $1 "STATE_ZRRSIG" "$5" + set_keystate $1 "STATE_DS" "$6" } # The apex NSEC3PARAM record indicates that it is signed. _wait_for_nsec3param() { - dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1 - grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 - return 0 + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 + return 0 } # The apex NSEC record indicates that it is signed. 
_wait_for_nsec() { - dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1 - grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1 - return 0 + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1 + grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1 + return 0 } # Wait for the zone to be signed. wait_for_zone_is_signed() { - n=$((n+1)) - ret=0 - echo_i "wait for ${ZONE} to be signed with $1 ($n)" - - if [ "$1" = "nsec3" ]; then - retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" - else - retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "wait for ${ZONE} to be signed with $1 ($n)" + + if [ "$1" = "nsec3" ]; then + retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" + else + retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test: check DNSSEC verify _check_dnssec_verify() { - dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1 - $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1 - return 0 + dig_with_opts @$SERVER "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1 + $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1 + return 0 } # Test: check NSEC in answers _check_nsec_nsec3param() { - dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > 
"dig.out.test$n.nsec3param.$ZONE" || return 1 - grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1 - return 0 + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1 + return 0 } _check_nsec_nxdomain() { - dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 - grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 - grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1 - return 0 + dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 + grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 + grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1 + return 0 } check_nsec() { - wait_for_zone_is_signed "nsec" - - n=$((n+1)) - echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - check_keys - retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "verify DNSSEC for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + wait_for_zone_is_signed "nsec" + + n=$((n + 1)) + 
echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + check_keys + retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test: check NSEC3 parameters in answers _check_nsec3_nsec3param() { - dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 - grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1 - if [ -z "$SALT" ]; then - SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE) - fi - return 0 + if [ -z "$SALT" ]; then + SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE) + fi + return 0 } _check_nsec3_nxdomain() { - dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 - grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 - return 0 + 
dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 + grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 + return 0 } check_nsec3() { - wait_for_zone_is_signed "nsec3" - - n=$((n+1)) - echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "verify DNSSEC for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + wait_for_zone_is_signed "nsec3" + + n=$((n + 1)) + echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } start_time="$(TZ=UTC date +%s)" 
@@ -238,37 +238,36 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -if ($SHELL ../testcrypto.sh -q RSASHA1) -then - # Zone: rsasha1-to-nsec3.kasp. - set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - echo_i "initial check zone ${ZONE}" - check_nsec - - # Zone: rsasha1-to-nsec3-wait.kasp. - set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - echo_i "initial check zone ${ZONE}" - check_nsec - - # Zone: nsec3-to-rsasha1.kasp. - set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - echo_i "initial check zone ${ZONE}" - check_nsec3 - - # Zone: nsec3-to-rsasha1-ds.kasp. - set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - echo_i "initial check zone ${ZONE}" - check_nsec3 +if ($SHELL ../testcrypto.sh -q RSASHA1); then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec3 + + # Zone: nsec3-to-rsasha1-ds.kasp. 
+ set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec3 fi # Zone: nsec3.kasp. @@ -355,10 +354,10 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -n=$((n+1)) +n=$((n + 1)) echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)" ret=0 -$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1 +$NSUPDATE >update.out.$ZONE.test$n 2>&1 < rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" -grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail" +rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" +grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail" check_nsec3 # Test NSEC3 and NSEC3PARAM is the same after restart @@ -523,13 +521,13 @@ ret=0 echo "stop ns3" stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo "start ns3" start_server --noclean --restart --port ${PORT} ${DIR} test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) prevsalt="${SALT}" set_zone_policy "nsec3.kasp" "nsec3" 1 3600 diff --git a/bin/tests/system/nslookup/tests.sh b/bin/tests/system/nslookup/tests.sh index e985f19..c68b5cf 100644 --- a/bin/tests/system/nslookup/tests.sh +++ b/bin/tests/system/nslookup/tests.sh 
@@ -19,83 +19,83 @@ set -e status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "Check that domain names that are too big when applying a search list entry are handled cleanly ($n)" ret=0 l=012345678901234567890123456789012345678901234567890123456789012 t=0123456789012345678901234567890123456789012345678901234567890 d=$l.$l.$l.$t -$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "origin = ns1.example" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # See [GL #4044] -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup with a delayed stdin input ($n)" ret=0 -(sleep 6 && echo "server 10.53.0.1" && echo "a-only.example.net.") | $NSLOOKUP -port=${PORT} 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +(sleep 6 && echo "server 10.53.0.1" && echo "a-only.example.net.") | $NSLOOKUP -port=${PORT} 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 -grep "timed out" nslookup.out${n} > /dev/null && ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "timed out" nslookup.out${n} >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 
1)) echo_i "Check AAAA only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check dual A + AAAA lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to A only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to AAAA only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 
if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to dual A + AAAA lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l /dev/null || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check ANY lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} -type=ANY example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 +$NSLOOKUP -port=${PORT} -type=ANY example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 lines=$(grep -c 'Address:.10\.53\.0\.1#'"${PORT}" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c 'origin = ns1\.example\.net' nslookup.out${n}) @@ -153,7 +153,7 @@ test $lines -eq 1 || ret=1 lines=$(grep -c 'nameserver = ns1\.example\.net.' nslookup.out${n}) test $lines -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh index 3d254a8..8b252df 100644 --- a/bin/tests/system/nsupdate/krb/setup.sh +++ b/bin/tests/system/nsupdate/krb/setup.sh @@ -25,7 +25,7 @@ now=$(date +%s) lifetime=$((2147483647 - now)) lifetime=$((lifetime / 3600 / 24 - 30)) -cat << EOF > "${KRB5_CONFIG}" +cat <"${KRB5_CONFIG}" [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = false 
@@ -56,7 +56,7 @@ rm -rf ${KRB5_KDC_PROFILE} mkdir -p ${KRB5_KDC_PROFILE} chmod 700 ${KRB5_KDC_PROFILE} -cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf +cat <"${KRB5_KDC_PROFILE}"/kdc.conf [kdcdefaults] kdc_ports = 50000 kdc_tcp_ports = 50000 @@ -84,7 +84,6 @@ krb5kdc -n & krb5kdcpid=$! #trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15 - kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index 519497c..501f9fb 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -22,7 +22,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null zone=dnskey.test. infile=dnskey.test.db.in @@ -33,7 +33,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null zone=delegation.test. infile=delegation.test.db.in @@ -44,7 +44,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null # Just copy multisigner.db.in because it is signed with dnssec-policy. cp multisigner.test.db.in multisigner.test.db diff --git a/bin/tests/system/nsupdate/prereq.sh b/bin/tests/system/nsupdate/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null 
+++ b/bin/tests/system/nsupdate/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 7f8c27f..1074495 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -34,11 +34,11 @@ copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf.in.tkey copy_setports ns10/named.conf.in ns10/named.conf.in.tkey if $FEATURETEST --gssapi; then - sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey > ns9/named.conf - sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey > ns10/named.conf + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey >ns9/named.conf + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey >ns10/named.conf else - sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey > ns9/named.conf - sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey > ns10/named.conf + sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey >ns9/named.conf + sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey >ns10/named.conf fi rm -f ns9/named.conf.in.tkey rm -f ns10/named.conf.in.tkey
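Review bot: In the new prereq.sh, `${PERL}` on the `if` line is expanded with no check that it is set, so when conf.sh leaves `PERL` empty the test degenerates to running `-MNet::DNS` as a command and the script reports "perl Net::DNS module is required" for what is really a missing interpreter; a guard such as `: "${PERL:?PERL is not set in conf.sh}"` placed before the `if` keeps the two failures distinguishable under plain `/bin/sh`. Whether `${PERL}` can also be quoted depends on conf.sh always assigning it a single path rather than a command with arguments, which this hunk does not show, so leaving it unquoted is defensible. A one-line header comment after the license block, e.g. `# Prerequisite check: the nsupdate system test needs perl with Net::DNS.`, would tell a reader what this script gates without opening tests.sh.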
@@ -46,10 +46,10 @@ rm -f ns10/named.conf.in.tkey copy_setports verylarge.in verylarge cp -f ns1/example1.db ns1/example.db -sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db -sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db -sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db -sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db +sed 's/example.nil/other.nil/g' ns1/example1.db >ns1/other.db +sed 's/example.nil/unixtime.nil/g' ns1/example1.db >ns1/unixtime.db +sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db >ns1/yyyymmddvv.db +sed 's/example.nil/keytests.nil/g' ns1/example1.db >ns1/keytests.db cp -f ns3/example.db.in ns3/example.db cp -f ns3/too-big.test.db.in ns3/too-big.test.db 
@@ -70,31 +70,34 @@ ns1.update.nil. A 10.53.0.2
 ns2.update.nil. AAAA ::1
 EOF
-$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
+$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key
 if $FEATURETEST --md5; then
- $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+ $TSIGKEYGEN -a hmac-md5 md5-key >ns1/md5.key
 else
- echo -n > ns1/md5.key
+ echo -n >ns1/md5.key
 fi
-$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
-$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
-$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
-$TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key
-$TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key
+$TSIGKEYGEN -a hmac-sha1 sha1-key >ns1/sha1.key
+$TSIGKEYGEN -a hmac-sha224 sha224-key >ns1/sha224.key
+$TSIGKEYGEN -a hmac-sha256 sha256-key >ns1/sha256.key
+$TSIGKEYGEN -a hmac-sha384 sha384-key >ns1/sha384.key
+$TSIGKEYGEN -a hmac-sha512 sha512-key >ns1/sha512.key
 if $FEATURETEST --md5; then
- echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key
+ echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' >ns1/legacy157.key
 else
- echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key
+ echo "/* MD5 NOT SUPPORTED */" >ns1/legacy157.key
 fi
-echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key
-echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key
-echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key
-echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key
-echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key
-
-(cd ns3; $SHELL -e sign.sh)
+echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' >ns1/legacy161.key
+echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' >ns1/legacy162.key
+echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' >ns1/legacy163.key
+echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' >ns1/legacy164.key
+echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' >ns1/legacy165.key
+
+(
+ cd ns3
+ $SHELL -e sign.sh
+)
 cp -f ns1/many.test.db.in ns1/many.test.db
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 44830d4..b82bae6 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -16,7 +16,7 @@ set -e
 . ../conf.sh
 DIGOPTS="-p ${PORT}"
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 #
 # Uncomment when creating credential cache files.
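Review bot: `echo -n >ns1/md5.key` relies on a non-portable `echo` option just to create an empty file, and setup.sh's shebang is outside this hunk so it may well run under a plain `/bin/sh`; `: >ns1/md5.key` produces the same empty file with no option parsing at all. A one-line comment above the `if $FEATURETEST --md5` block, such as `# without MD5 support the key file must exist but stay empty`, would also explain why the else branch creates the file rather than skipping it.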
@@ -41,123 +41,150 @@ nextpartreset ns3/named.run # wait for zone transfer to complete tries=0 while true; do - if [ $tries -eq 10 ] - then - exit 1 - fi - - if grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null - then - break - else - echo_i "zones are not fully loaded, waiting..." - tries=$((tries + 1)) - sleep 1 - fi + if [ $tries -eq 10 ]; then + exit 1 + fi + + if grep "example.nil/IN.*Transfer status" ns2/named.run >/dev/null; then + break + else + echo_i "zones are not fully loaded, waiting..." + tries=$((tries + 1)) + sleep 1 + fi done has_positive_response() { - zone=$1 - type=$2 - ns=$3 - $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1 - grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1 - grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1 - return 0 + zone=$1 + type=$2 + ns=$3 + $DIG $DIGOPTS +tcp +norec $zone $type @$ns >dig.out.post.test$n || return 1 + grep "status: NOERROR" dig.out.post.test$n >/dev/null || return 1 + grep "ANSWER: 0," dig.out.post.test$n >/dev/null && return 1 + return 0 } ret=0 echo_i "fetching first copy of zone before update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "fetching second copy of zone before update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. 
@10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "comparing pre-update copies to known good data" digcomp knowngood.ns1.before dig.out.ns1 || ret=1 digcomp knowngood.ns1.before dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 < /dev/null 2>&1 || ret=1 +grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 grep ' unconfigured.test: not authoritative' ns1/named.run \ - > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure a subdomain is mentioned in its NOTAUTH log" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 < /dev/null 2>&1 || ret=1 +grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ - > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. -$NSUPDATE -k ns1/ddns.key < /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key </dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated.example.nil. 600 A 10.10.10.1 add updated.example.nil. 600 TXT Foo delete t.example.nil. 
END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "sleeping 5 seconds for server to incorporate changes" sleep 5 ret=0 echo_i "fetching first copy of zone after update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "fetching second copy of zone after update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "comparing post-update copies to known good data" digcomp knowngood.ns1.after dig.out.ns1 || ret=1 digcomp knowngood.ns1.after dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "testing local update policy" pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1 [ -z "$pre" ] || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. 
-$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null </dev/null < nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 < /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 # ...but should work if an A record is inserted first: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 < /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 # ...or if an AAAA record does: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 < /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 # ...or if the NS and A/AAAA are inserted together: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 < /dev/null 2>&1 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "sleeping 5 seconds for server to incorporate changes" sleep 5 ret=0 echo_i "checking result of update" -$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1 -grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1 -grep ns4.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +short @10.53.0.1 ns other.nil >dig.out.ns1 || ret=1 +grep ns3.other.nil dig.out.ns1 >/dev/null 2>&1 && ret=1 +grep ns4.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +grep ns5.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +grep ns6.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 
'check-mx ignore' allows adding MX records containing an address without a warning" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 < /dev/null 2>&1 && ret=1 -grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning" -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 < /dev/null 2>&1 && ret=1 -grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning" -$NSUPDATE > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE >nsupdate.out 2>&1 < /dev/null 2>&1 || ret=1 -grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 +grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "check SIG(0) key is accepted" key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx) -echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "" | $NSUPDATE -k ${key}.private >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} 
n=$((n + 1)) ret=0 echo_i "check TYPE=0 update is rejected by nsupdate ($n)" -$NSUPDATE < nsupdate.out 2>&1 && ret=1 +$NSUPDATE <nsupdate.out 2>&1 && ret=1 server 10.53.0.1 ${PORT} ttl 300 update add example.nil. in type0 "" send END -grep "unknown class/type" nsupdate.out > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown class/type" nsupdate.out >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check TYPE=0 prerequisite is handled ($n)" -$NSUPDATE -k ns1/ddns.key < nsupdate.out 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key <nsupdate.out 2>&1 || ret=1 server 10.53.0.1 ${PORT} prereq nxrrset example.nil. type0 send END -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TYPE=0 update is handled ($n)" -echo "a0e4280000010000000100000000060001c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010000000100000000060001c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TYPE=0 additional data is handled ($n)" -echo "a0e4280000010000000000010000060001c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG 
$DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010000000000010000060001c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that update to undefined class is handled ($n)" -echo "a0e4280000010001000000000000060101c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010001000000000000060101c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that address family mismatch is handled ($n)" -$NSUPDATE < /dev/null 2>&1 && ret=1 +$NSUPDATE </dev/null 2>&1 && ret=1 server ::1 local 127.0.0.1 update add 600 txt.example.nil in txt "test" send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } - +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that unixtime serial number is correctly generated ($n)" -$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1 +$DIG $DIGOPTS +short unixtime.nil. 
soa @10.53.0.1 >dig.out.old.test$n || ret=1 oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1 start=$($PERL -e 'print time()."\n";') -$NSUPDATE < /dev/null 2>&1 || ret=1 +$NSUPDATE </dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} ttl 600 update add new.unixtime.nil in a 1.2.3.4 
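Review bot: the transfer-wait loop at the top of this hunk leaves with a bare `exit 1` after ten tries, so a slow ns2 shows up in the log as an unexplained abort of the whole script; `echo_i "zone transfer to ns2 did not complete, giving up"` before `exit 1` would make the failure self-explanatory. `has_positive_response()` assigns `zone`, `type` and `ns` as script-level globals rather than locals, which overwrites any caller variables of those names, and passes them unquoted to `$DIG`. A short header comment stating the three arguments and that the caller must have set `$n` (the output file name `dig.out.post.test$n` depends on it) would help, since the function is defined well before the first `n=$((n + 1))` in the file.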
@@ -333,55 +401,74 @@ $NSUPDATE < /dev/null 2>&1 || ret=1 END now=$($PERL -e 'print time()."\n";') sleep 1 -$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1 +$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 >dig.out.new.test$n || ret=1 serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1 -[ "$oldserial" = "$serial" ] && { echo_i "oldserial == serial"; ret=1; } +[ "$oldserial" = "$serial" ] && { + echo_i "oldserial == serial" + ret=1 +} if [ "$serial" -lt "$start" ]; then - echo_i "out-of-range serial=$serial < start=$start"; ret=1; + echo_i "out-of-range serial=$serial < start=$start" + ret=1 elif [ "$serial" -gt "$now" ]; then - echo_i "out-of-range serial=$serial > now=$now"; ret=1; + echo_i "out-of-range serial=$serial > now=$now" + ret=1 fi -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} -if $PERL -e 'use Net::DNS;' 2>/dev/null -then +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + n=$((n + 1)) + ret=0 + echo_i "running update.pl test ($n)" + $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. >perl.update_test.out || ret=1 + [ $ret -eq 1 ] && { + echo_i "failed" + status=1 + } + + if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' >/dev/null; then n=$((n + 1)) ret=0 - echo_i "running update.pl test ($n)" - $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. 
> perl.update_test.out || ret=1 - [ $ret -eq 1 ] && { echo_i "failed"; status=1; } - - if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null - then - n=$((n + 1)) - ret=0 - echo_i "check for too many NSEC3 iterations log ($n)" - grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1 - [ $ret -eq 1 ] && { echo_i "failed"; status=1; } - fi + echo_i "check for too many NSEC3 iterations log ($n)" + grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run >/dev/null || ret=1 + [ $ret -eq 1 ] && { + echo_i "failed" + status=1 + } + fi else - echo_i "The second part of this test requires the Net::DNS library." >&2 + echo_i "The second part of this test requires the Net::DNS library." >&2 fi n=$((n + 1)) ret=0 echo_i "fetching first copy of test zone ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "fetching second copy of test zone ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "comparing zones ($n)" digcomp dig.out.ns1 dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "SIGKILL and restart server ns1" cd ns1 
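Review bot: the version probe `if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' >/dev/null; then` only discards stdout, while the `die` text goes to stderr, so an old module prints a raw perl message into the log and the NSEC3-iterations check is then skipped without any echo_i line. Redirecting with `>/dev/null 2>&1` and adding an `else` branch with `echo_i "Net::DNS older than 1.01, skipping NSEC3 iterations check"` would keep the log uniform with the other skips. The two failure reports in this block use `[ $ret -eq 1 ] && { ... }` whereas the rest of the file uses `[ $ret = 0 ] || { ... }`; the latter also catches any non-zero `ret` and would keep the idiom consistent.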
@@ -390,41 +477,49 @@ rm named.pid cd .. sleep 10 if - start_server --noclean --restart --port ${PORT} ns1 + start_server --noclean --restart --port ${PORT} ns1 then - echo_i "restarted server ns1" + echo_i "restarted server ns1" else - echo_i "could not restart server ns1" - exit 1 + echo_i "could not restart server ns1" + exit 1 fi sleep 10 n=$((n + 1)) ret=0 echo_i "fetching ns1 after hard restart ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1.after || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1.after || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "comparing zones ($n)" digcomp dig.out.ns1 dig.out.ns1.after || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "begin RT #482 regression test" n=$((n + 1)) ret=0 echo_i "update primary ($n)" -$NSUPDATE -k ns1/ddns.key < /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key </dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated2.example.nil. 600 A 10.10.10.2 update add updated2.example.nil. 600 TXT Bar update delete c.example.nil. send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} sleep 5 @@ -436,14 +531,17 @@ sleep 5 n=$((n + 1)) ret=0 echo_i "update primary again ($n)" -$NSUPDATE -k ns1/ddns.key < /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key </dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated3.example.nil. 600 A 10.10.10.3 update add updated3.example.nil. 600 TXT Zap del d.example.nil. send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} sleep 5 
@@ -454,10 +552,9 @@ sleep 5 n=$((n + 1)) echo_i "check to 'out of sync' message ($n)" -if grep "out of sync" ns2/named.run -then - echo_i "failed (found 'out of sync')" - status=1 +if grep "out of sync" ns2/named.run; then + echo_i "failed (found 'out of sync')" + status=1 fi echo_i "end RT #482 regression test" 
@@ -465,29 +562,35 @@ echo_i "end RT #482 regression test" n=$((n + 1)) ret=0 echo_i "remove nonexistent PTR record ($n)" -$NSUPDATE -k ns1/ddns.key -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key -d <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil. update delete nonexistent.example.nil. 0 IN PTR foo. send EOF -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "remove nonexistent SRV record ($n)" -$NSUPDATE -k ns1/ddns.key -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key -d <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil. update delete nonexistent.example.nil. 0 IN SRV 0 0 0 foo. send EOF -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.out.ns3.$n || ret=1 -grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example. @10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 +grep "ANSWER: 0," dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "change the NSEC3PARAM ttl via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.out.ns3.$n || ret=1 -grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1 -grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test. 
@10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 +grep "ANSWER: 1," dig.out.ns3.$n >/dev/null || ret=1 +grep "3600.*NSEC3PARAM" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "add a new NSEC3PARAM via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.out.ns3.$n || _ret=1 - if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi - sleep 1 + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM >dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 2," dig.out.ns3.$n >/dev/null; then + _ret=0 + break + fi + sleep 1 done if [ $_ret -ne 0 ]; then ret=1; fi -grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi +grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((ret + status)) +fi n=$((n + 1)) ret=0 echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.out.ns3.$n || _ret=1 - if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi - sleep 1 + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. 
NSEC3PARAM >dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 1," dig.out.ns3.$n >/dev/null; then + _ret=0 + break + fi + sleep 1 done if [ $_ret -ne 0 ]; then ret=1; fi -grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n +grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl >jp.out.ns3.$n # intermediate TTL changes. -grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1 +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n >/dev/null || ret=1 # delayed adds and deletes. -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi - +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((ret + status)) +fi ret=0 echo_i "testing that rndc stop updates the file" -$NSUPDATE -k ns1/ddns.key < /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key </dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated4.example.nil. 600 A 10.10.10.3 send 
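Review bot: `$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl >jp.out.ns3.$n` carries no `|| ret=1`, unlike every other command in this block, so while the `set -e` from the top of the file is in effect a journal-print failure aborts the whole run instead of being reported as this sub-test's failure; append `|| ret=1`. The NSEC3PARAM sub-tests account for failure with `if [ $ret != 0 ]; then echo_i "failed"; status=$((ret + status)); fi`, which differs from the `[ $ret = 0 ] || { echo_i "failed"; status=1; }` form used in the rest of the file; using the same form would remove the inconsistency. The retry loops' `for` headers are not visible in this rendering, so I have not checked their bounds.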
@@ -591,120 +703,123 @@ sleep 3 rm -f ns1/*jnl start_server --noclean --restart --port ${PORT} ns1 for try in 0 1 2 3 4 5 6 7 8 9; do - iret=0 - $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - updated4.example.nil. @10.53.0.1 a > dig.out.ns1 || iret=1 - digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 - [ "$iret" -eq 0 ] && break - sleep 1 + iret=0 + $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + updated4.example.nil. @10.53.0.1 a >dig.out.ns1 || iret=1 + digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 + [ "$iret" -eq 0 ] && break + sleep 1 done [ "$iret" -ne 0 ] && ret=1 -[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; } +[ "$ret" -eq 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file" -$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null && ret=1 -grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2>nsupdate.out /dev/null || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy local' works from localhost address ($n)" -$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1 +$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 < /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 $DIG $DIGOPTS @10.53.0.5 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - fromlocal.local.nil. > dig.out.ns5.$n || ret=1 -grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + fromlocal.local.nil. 
>dig.out.ns5.$n || ret=1 +grep fromlocal dig.out.ns5.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy local' fails from non-localhost address ($n)" -grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1 -$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1 +grep 'match on session key not from localhost' ns5/named.run >/dev/null && ret=1 +$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 < /dev/null 2>&1 || ret=1 -grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 +grep 'match on session key not from localhost' ns5/named.run >/dev/null || ret=1 $DIG $DIGOPTS @10.53.0.5 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - nonlocal.local.nil. > dig.out.ns5.$n || ret=1 -grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + nonlocal.local.nil. >dig.out.ns5.$n || ret=1 +grep nonlocal dig.out.ns5.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)" -$NSUPDATE > nsupdate.out.$n 2>&1 << END && ret=1 +$NSUPDATE >nsupdate.out.$n 2>&1 < /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 127.0.0.1 > dig.out.ns6.$n -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 >dig.out.ns6.$n +grep localhost. 
dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)" -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1 +$NSUPDATE -v >nsupdate.out.$n 2>&1 < /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 127.0.0.1 > dig.out.ns6.$n || ret=1 -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 >dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)" -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END && ret=1 +$NSUPDATE -v >nsupdate.out.$n 2>&1 < /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 192.168.0.1 > dig.out.ns6.$n -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 192.168.0.1 >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) 
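Review bot: in the two negative tcp-self checks, `... -x 127.0.0.1 >dig.out.ns6.$n` and `... -x 192.168.0.1 >dig.out.ns6.$n` have no `|| ret=1`, whereas the positive check between them does; if the file's `set -e` is still in effect a dig failure there aborts the script, and if it is not, an empty output file makes the following `grep localhost. ... && ret=1` pass vacuously, so "record absent" cannot be told apart from "query failed". Adding `|| ret=1` to both lines makes the three checks symmetric. The `for try in 0 1 2 3 4 5 6 7 8 9` retry loop never reads `try`; a comment such as `# up to 10 one-second attempts` would make the intent explicit.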
@@ -712,99 +827,111 @@ ret=0 echo_i "check that 'update-policy subdomain' is properly enforced ($n)" # "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" # and thus this UPDATE should succeed. -$NSUPDATE -d < nsupdate.out1-$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out1-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} key restricted.example.nil 1234abcd8765 update add restricted.example.nil 0 IN TXT everywhere. send END -$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 -grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT >dig.out.1.test$n || ret=1 +grep "TXT.*everywhere" dig.out.1.test$n >/dev/null || ret=1 # "example.nil" does not match "grant ... subdomain restricted.example.nil" and # thus this UPDATE should fail. -$NSUPDATE -d < nsupdate.out2-$n 2>&1 && ret=1 +$NSUPDATE -d <nsupdate.out2-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} key restricted.example.nil 1234abcd8765 update add example.nil 0 IN TXT everywhere. 
send END -$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 -grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT >dig.out.2.test$n || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that 'update-policy zonesub' is properly enforced ($n)" # grant zonesub-key.example.nil zonesub TXT; # the A record update should be rejected as it is not in the type list -$NSUPDATE -d < nsupdate.out1-$n 2>&1 && ret=1 +$NSUPDATE -d <nsupdate.out1-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} key zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN A 1.2.3.4 send END -$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1 -grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A >dig.out.1.test$n || ret=1 +grep "status: REFUSED" nsupdate.out1-$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.1.test$n >/dev/null || ret=1 # the TXT record update should be accepted as it is in the type list -$NSUPDATE -d < nsupdate.out2-$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out2-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} key zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN TXT everywhere. 
send END -$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1 -grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 -grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT >dig.out.2.test$n || ret=1 +grep "status: REFUSED" nsupdate.out2-$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check 'grant' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example update add foo.denyname.example 3600 IN TXT added send EOF -$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n -grep "added" dig.out.ns9.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT >dig.out.ns9.test$n +grep "added" dig.out.ns9.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check 'deny' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example update add denyname.example 3600 IN TXT added send EOF -$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n -grep "added" dig.out.ns9.test$n > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT >dig.out.ns9.test$n +grep "added" dig.out.ns9.test$n >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ - @10.53.0.3 dnskey | \ - awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } + @10.53.0.3 dnskey \ + | awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 } - END { print "send" }' > update.in.$n + END { print "send" }' >update.in.$n $NSUPDATE update.in.$n $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ - @10.53.0.3 any > dig.out.ns3.$n + @10.53.0.3 any >dig.out.ns3.$n -grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1 -grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +grep "600.*DNSKEY" dig.out.ns3.$n >/dev/null || ret=1 +grep TYPE65534 dig.out.ns3.$n >/dev/null && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) 
@@ -815,51 +942,92 @@ echo_i "check notify with TSIG worked ($n)" # will have been created. [ -f ns2/update.alt.bk ] || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check type list options ($n)" -$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; } -$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; } -$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; } -grep ANY typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-T)"; } -grep ANY typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-P)"; } -grep ANY typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-TP)"; } -grep KEYDATA typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-T)"; } -grep KEYDATA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-P)"; } -grep KEYDATA typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-TP)"; } -grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; } -grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; } -grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; } +$NSUPDATE -T >typelist.out.T.${n} || { + ret=1 + echo_i "nsupdate -T failed" +} +$NSUPDATE -P >typelist.out.P.${n} || { + ret=1 + echo_i "nsupdate -P failed" +} +$NSUPDATE -TP >typelist.out.TP.${n} || { + ret=1 + echo_i "nsupdate -TP failed" +} +grep ANY typelist.out.T.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-T)" +} +grep ANY typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-P)" +} +grep ANY typelist.out.TP.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-TP)" +} +grep KEYDATA typelist.out.T.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-T)" +} +grep KEYDATA 
typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-P)" +} +grep KEYDATA typelist.out.TP.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-TP)" +} +grep AAAA typelist.out.T.${n} >/dev/null || { + ret=1 + echo_i "failed: AAAA not found (-T)" +} +grep AAAA typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: AAAA found (-P)" +} +grep AAAA typelist.out.TP.${n} >/dev/null || { + ret=1 + echo_i "failed: AAAA not found (-TP)" +} if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check command list ($n)" ( -while read cmd -do - { echo "$cmd" | $NSUPDATE > /dev/null 2>&1; rc=$?; } || true - if test $rc -gt 1 ; then - echo_i "failed ($cmd)" - ret=1 + while read cmd; do + { + echo "$cmd" | $NSUPDATE >/dev/null 2>&1 + rc=$? + } || true + if test $rc -gt 1; then + echo_i "failed ($cmd)" + ret=1 fi - { echo "$cmd " | $NSUPDATE > /dev/null 2>&1; rc=$?; } || true - if test $rc -gt 1 ; then - echo_i "failed ($cmd)" - ret=1 + { + echo "$cmd " | $NSUPDATE >/dev/null 2>&1 + rc=$? + } || true + if test $rc -gt 1; then + echo_i "failed ($cmd)" + ret=1 fi -done -exit $ret -) < commandlist || ret=1 + done + exit $ret +) nsupdate.alg-$alg.out 2>&1 || ret=1 + $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <nsupdate.alg-$alg.out 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 send 
@@ -884,27 +1051,26 @@ END done sleep 2 for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 + grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out >/dev/null || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -if $FEATURETEST --md5 -then - ALGS="md5 sha1 sha224 sha256 sha384 sha512" +if $FEATURETEST --md5; then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" else - ALGS="sha1 sha224 sha256 sha384 sha512" - echo_i "skipping disabled md5 algorithm" + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" fi for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 + $NSUPDATE -k ns1/${alg}.key </dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 send @@ -912,19 +1078,19 @@ END done sleep 2 for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -y) ($n)" for alg in md5 sha1 sha224 sha256 sha384 sha512; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" </dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.50 send 
@@ -932,47 +1098,47 @@ END done sleep 2 for alg in md5 sha1 sha224 sha256 sha384 sha512; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that ttl is capped by max-ttl ($n)" -$NSUPDATE < /dev/null || ret=1 +$NSUPDATE </dev/null || ret=1 server 10.53.0.1 ${PORT} update add cap.max-ttl.nil. 600 A 10.10.10.3 update add nocap.max-ttl.nil. 150 A 10.10.10.3 send END sleep 2 -$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" > /dev/null 2>&1 || ret=1 -$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" >/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "add a record which is truncated when logged. ($n)" $NSUPDATE verylarge || ret=1 -$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil >dig.out.ns1.test$n +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run >/dev/null || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that yyyymmddvv serial number is correctly generated ($n)" oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. 
soa @10.53.0.1 | awk '{print $3}') || ret=1 -$NSUPDATE < /dev/null 2>&1 || ret=1 +$NSUPDATE </dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} ttl 600 update add new.yyyymmddvv.nil in a 1.2.3.4 @@ -983,38 +1149,41 @@ sleep 1 serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1 [ "$oldserial" -ne "$serial" ] || ret=1 [ "$serial" -eq "$now" ] || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} # # Refactor to use perl to launch the parallel updates. # -if false -then -n=$((n + 1)) -echo_i "send many simultaneous updates via a update forwarder ($n)" -ret=0 -for i in 0 1 2 3 4 5 6 7 -do -( - for j in 0 1 2 3 4 5 6 7 - do +if false; then + n=$((n + 1)) + echo_i "send many simultaneous updates via a update forwarder ($n)" + ret=0 + for i in 0 1 2 3 4 5 6 7; do ( - $NSUPDATE << EOF + for j in 0 1 2 3 4 5 6 7; do + ( + $NSUPDATE < dig.out.test$n -lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n) -test ${lines:-0} -eq 64 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + done + wait + dig axfr many.test @10.53.0.1 >dig.out.test$n + lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n) + test ${lines:-0} -eq 64 || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } fi n=$((n + 1)) 
@@ -1022,16 +1191,16 @@ echo_i "check max-journal-size limits ($n)" ret=0 rm -f nsupdate.out1-$n # add one record -$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1 +$NSUPDATE <>nsupdate.out1-$n 2>&1 server 10.53.0.1 ${PORT} zone maxjournal.test update add z.maxjournal.test 300 IN A 10.20.30.40 send EOF for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - # repeatedly add and remove the same set of records to fill up - # the journal file without changing the zone content - $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1 + # repeatedly add and remove the same set of records to fill up + # the journal file without changing the zone content + $NSUPDATE <>nsupdate.out1-$n 2>&1 server 10.53.0.1 ${PORT} zone maxjournal.test update add a.maxjournal.test 300 IN A 1.2.3.4 
@@ -1052,279 +1221,336 @@ size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->si sleep 1 $RNDCCMD 10.53.0.1 sync maxjournal.test check_size_lt_5000() ( - size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl) - [ "$size" -lt 5000 ] + size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl) + [ "$size" -lt 5000 ] ) retry_quiet 20 check_size_lt_5000 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check check-names processing ($n)" ret=0 -$NSUPDATE << EOF > nsupdate.out1-$n 2>&1 && ret=1 +$NSUPDATE <nsupdate.out1-$n 2>&1 && ret=1 update add # 0 in a 1.2.3.4 EOF -grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1 +grep "bad owner" nsupdate.out1-$n >/dev/null || ret=1 -$NSUPDATE << EOF > nsupdate.out2-$n 2>&1 || ret=1 +$NSUPDATE <nsupdate.out2-$n 2>&1 || ret=1 check-names off update add # 0 in a 1.2.3.4 EOF -grep "bad owner" nsupdate.out2-$n > /dev/null && ret=1 +grep "bad owner" nsupdate.out2-$n >/dev/null && ret=1 -$NSUPDATE << EOF > nsupdate.out3-$n 2>&1 && ret=1 +$NSUPDATE <nsupdate.out3-$n 2>&1 && ret=1 update add . 0 in mx 0 # EOF -grep "bad name" nsupdate.out3-$n > /dev/null || ret=1 +grep "bad name" nsupdate.out3-$n >/dev/null || ret=1 -$NSUPDATE << EOF > nsupdate.out4-$n 2>&1 || ret=1 +$NSUPDATE <nsupdate.out4-$n 2>&1 || ret=1 check-names off update add . 0 in mx 0 # EOF -grep "bad name" nsupdate.out4-$n > /dev/null && ret=1 +grep "bad name" nsupdate.out4-$n >/dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check adding of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -v <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update add child.delegation.test. 
3600 NS foo.example.net. update add child.delegation.test. 3600 NS bar.example.net. send EOF -$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check deleting of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -v <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send EOF -$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check that adding too many records is blocked ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -v <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone too-big.test. 
update add r1.too-big.test 3600 IN TXT r1.too-big.test send EOF -grep "update failed: SERVFAIL" nsupdate.out.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "update failed: SERVFAIL" nsupdate.out.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT >dig.out.ns3.test$n +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "records in zone (4) exceeds max-records (3)" ns3/named.run >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with defaults) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that default timeout value is respected, there should be 4 tries with 3 seconds each. 
test $elapsed -lt 12 && ret=1 test $elapsed -gt 15 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 4 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 4 -r 1 <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 0 -t 8 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 0 -t 8 -r 1 <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 
600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 4 -t 30 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 4 -t 30 -r 1 <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each, as -u takes precedence over -t. 
test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (TCP with -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -t 8 -v < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -t 8 -v <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 1 try with 8 seconds. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure bad owner name is fatal in non-interactive mode ($n)" -$NSUPDATE < nsupdate.out 2>&1 && ret=1 +$NSUPDATE <nsupdate.out 2>&1 && ret=1 update add emptylabel..nil. 600 A 10.10.10.1 END -grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure bad owner name is not fatal in interactive mode ($n)" -$NSUPDATE -i < nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <nsupdate.out 2>&1 || ret=1 update add emptylabel..nil. 
600 A 10.10.10.1 END -grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure invalid key type is fatal in non-interactive mode ($n)" -$NSUPDATE < nsupdate.out 2>&1 && ret=1 +$NSUPDATE <nsupdate.out 2>&1 && ret=1 key badkeytype:example abcd12345678 END -grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure invalid key type is not fatal in interactive mode ($n)" -$NSUPDATE -i < nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <nsupdate.out 2>&1 || ret=1 key badkeytype:example abcd12345678 END -grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)" -$NSUPDATE < nsupdate.out 2>&1 && ret=1 +$NSUPDATE <nsupdate.out 2>&1 && ret=1 server unresolvable.. 
END -grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)" -$NSUPDATE -i < nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <nsupdate.out 2>&1 || ret=1 server unresolvable.. END -grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check nsupdate -4 -6 ($n)" -$NSUPDATE -4 -6 < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -4 -6 <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "only one of -4 and -6 allowed" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "only one of -4 and -6 allowed" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check nsupdate -4 with an IPv6 server address ($n)" -$NSUPDATE -4 < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -4 <nsupdate.out.test$n 2>&1 && ret=1 server fd92:7065:b8e:ffff::2 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. 
send END -grep "address family not supported" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "address family not supported" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TKEY in a update is rejected ($n)" -$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== send END -grep "UPDATE, status: NOERROR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "UPDATE, status: FORMERR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "UPDATE, status: NOERROR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "UPDATE, status: FORMERR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that max records is enforced ($n)" -nextpart ns6/named.run > /dev/null -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END +nextpart ns6/named.run >/dev/null +$NSUPDATE -v >nsupdate.out.$n 2>&1 < dig.out.ns6.$n + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 10.53.0.5 >dig.out.ns6.$n # the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so only the # first PTR record should be added. -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1 -grep other. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -nextpart ns6/named.run > nextpart.out.$n -grep "attempt to add more records than permitted by policy" nextpart.out.$n > /dev/null || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +grep other. 
dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +nextpart ns6/named.run >nextpart.out.$n +grep "attempt to add more records than permitted by policy" nextpart.out.$n >/dev/null || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that max records for ANY is enforced ($n)" -nextpart ns6/named.run > /dev/null -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END +nextpart ns6/named.run >/dev/null +$NSUPDATE -v >nsupdate.out.$n 2>&1 < dig.out.ns6.test$n -nextpart ns6/named.run > nextpart.out.test$n -grep "attempt to add more records than permitted by policy" nextpart.out.test$n > /dev/null || ret=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + ANY -x 10.53.0.5 >dig.out.ns6.test$n +nextpart ns6/named.run >nextpart.out.test$n +grep "attempt to add more records than permitted by policy" nextpart.out.test$n >/dev/null || ret=1 # the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so all the A # records should have been added as there is no limit and the first 2 # of the AAAA records added as they match ANY(2). 
@@ -1374,111 +1600,129 @@ c1=$(awk '$4 == "A" { print }' dig.out.ns6.test$n | wc -l) c2=$(awk '$4 == "AAAA" { print }' dig.out.ns6.test$n | wc -l) test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1 grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that DS to the zone apex is ignored ($n)" -$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -nextpart ns3/named.run > /dev/null +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +nextpart ns3/named.run >/dev/null # specify zone to override the default of adding to parent zone -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END msg=": attempt to add a DS record at zone apex ignored" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed 
($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END msg=": bad CDS RRset" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -nextpart ns3/named.run > /dev/null -$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 
+nextpart ns3/named.run >/dev/null +$NSUPDATE -d <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== send END msg=": bad CDNSKEY RRset" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed 
($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== send END retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)" -$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in NSEC3PARAM 1 0 151 - END grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 
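Review bot: `grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1` near the top of this hunk (the "max records for ANY" check) is the one grep in the stretch whose output is not sent to /dev/null, so a regression dumps the matching dig line into the test log instead of just flipping `ret`, and its unescaped dots match any character. Since the commit already normalises every neighbouring redirection to `>/dev/null`, it would be consistent to write `grep -F -- "::ffff:1.2.3.2" dig.out.ns6.test$n >/dev/null && ret=1`; if echoing the offending line is deliberate, a short comment saying so would stop the next reformat pass from "fixing" it. The line above it, `test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1`, uses the deprecated `-a` that shellcheck flags; `[ "$c1" -eq 3 ] && [ "$c2" -eq 2 ] || ret=1` keeps the file's POSIX-sh style. The test these lines belong to starts before the hunk.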
@@ -1488,14 +1732,17 @@ echo_i "check nsupdate retries with another server on REFUSED response ($n)" # that's what we're testing for. (failure is still expected, however, # because the address lookup for the primary doesn't use the overridden # resolv.conf file). -$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -D -C resolv.conf -p ${PORT} <nsupdate.out.test$n 2>&1 && ret=1 zone example update add a 3600 IN A 1.2.3.4 send EOF -grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1 -grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep '10.53.0.1.*REFUSED' nsupdate.out.test$n >/dev/null || ret=1 +grep 'Reply from SOA query' nsupdate.out.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 
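Review bot: The two assertions in this hunk, `grep '10.53.0.1.*REFUSED'` and `grep 'Reply from SOA query'`, only show that 10.53.0.1 answered REFUSED and that some SOA reply was logged; neither shows that nsupdate actually moved on to the other server the test title promises, so a regression where it gives up after the first REFUSED but still logs a SOA reply would pass. If the `-D` debug output names the address each message is sent to (I cannot see its format from here), a third check that the second resolv.conf address appears in nsupdate.out.test$n would pin the retry. The comment explaining why the run is still expected to fail starts before the hunk, so I cannot tell whether that expected failure would mask such a check.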
@@ -1507,25 +1754,31 @@ echo_i "check that update is rejected if query is not allowed ($n)" update add reject.other.nil 3600 IN TXT Whatever send END -} > nsupdate.out.test$n 2>&1 -grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +} >nsupdate.out.test$n 2>&1 +grep 'failed: REFUSED' nsupdate.out.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that update is rejected if quota is exceeded ($n)" for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do -{ - $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 </dev/null 2>&1 < nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} zone example.com send EOF - grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } copy_setports ns7/named2.conf.in ns7/named.conf rndc_reload ns7 10.53.0.7 @@ -1551,7 +1807,7 @@ EOF echo_i "check krb5-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1559,17 +1815,20 @@ EOF update add machine.example.com 3600 IN A 10.53.0.7 send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1577,17 +1836,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.7 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
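Review bot: In the `krb5-self match` test, `KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"` followed by `export KRB5CCNAME` is repeated verbatim before this and every following ns7 test, and the value only changes when the tests move to ns8, ns9 and ns10; exporting it once per server group would remove a dozen duplicated lines now that shfmt is the style reference. This is a style point only, the repeated export is harmless. Separately, `$DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A >dig.out.ns7.test$n` is not followed by `|| ret=1` as the DS/CDS checks earlier in the file are, but the `grep "status: NOERROR"` that follows catches a failed query anyway. The tests are indented one level, so the enclosing block starts before the hunk.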
@@ -1595,17 +1857,20 @@ EOF update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1613,17 +1878,20 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1631,17 +1899,20 @@ EOF update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 4.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 4.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1649,17 +1920,20 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs match SRV ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1667,17 +1941,20 @@ EOF update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv.example.com ANY > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv.example.com ANY >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1686,18 +1963,21 @@ EOF update add _xxx.self-srv-no-type.example.com 3600 IN TXT a txt record send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv-no-type.example.com ANY > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep '_xxx.self-srv-no-type.example.com.*SRV.*0 0 0 machine.example.com' dig.out.ns7.test$n > /dev/null || ret=1 - grep '_xxx.self-srv-no-type.example.com.*TXT.*"a" "txt" "record"' dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv-no-type.example.com ANY >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep '_xxx.self-srv-no-type.example.com.*SRV.*0 0 0 machine.example.com' dig.out.ns7.test$n >/dev/null || ret=1 + grep '_xxx.self-srv-no-type.example.com.*TXT.*"a" "txt" "record"' dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1705,17 +1985,20 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1723,20 +2006,23 @@ EOF update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1744,16 +2030,19 @@ EOF update delete single.ptr.self-ptr.in-addr.arpa PTR send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1761,21 +2050,24 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1783,16 +2075,19 @@ EOF update delete single.any.self-ptr.in-addr.arpa send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1800,21 +2095,24 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1822,16 +2120,19 @@ EOF update delete single.srv.self-srv.example.com SRV send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1839,21 +2140,24 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1861,16 +2165,19 @@ EOF update delete single.any.self-srv.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1878,18 +2185,21 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} 
@@ -1897,17 +2207,20 @@ EOF update add xxx.machine.example.com 3600 IN A 10.53.0.8 send EOF - $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n - grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1 - grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A >dig.out.ns8.test$n + grep "status: NOERROR" dig.out.ns8.test$n >/dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} @@ -1915,17 +2228,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.8 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n - grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A >dig.out.ns8.test$n + grep "status: NXDOMAIN" dig.out.ns8.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} 
@@ -1933,17 +2249,20 @@ EOF update add machine.example.com 3600 IN A 10.53.0.9 send EOF - $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n - grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 - grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A >dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1951,17 +2270,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.9 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n - grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A >dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} 
@@ -1969,17 +2291,20 @@ EOF update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n - grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 - grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV >dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1987,17 +2312,20 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n - grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV >dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2005,17 +2333,20 @@ EOF update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 4.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 4.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2023,17 +2354,20 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2041,17 +2375,20 @@ EOF update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 _xxx.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 _xxx.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2059,20 +2396,23 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2080,16 +2420,19 @@ EOF update delete single.srv.self-srv.example.com SRV send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2097,21 +2440,24 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2119,16 +2465,19 @@ EOF update delete single.ptr.self-ptr.in-addr.arpa PTR send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2136,21 +2485,24 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2158,16 +2510,19 @@ EOF update delete single.any.self-ptr.in-addr.arpa send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2175,21 +2530,24 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2197,16 +2555,19 @@ EOF update delete single.any.self-srv.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2214,18 +2575,21 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2233,17 +2597,20 @@ EOF update add xxx.machine.example.com 3600 IN A 10.53.0.10 send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2251,10 +2618,13 @@ EOF update add foo.example.com 3600 IN A 10.53.0.10 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } fi diff --git a/bin/tests/system/nzd2nzf/prereq.sh b/bin/tests/system/nzd2nzf/prereq.sh index 7c9e25d..c3a239b 100644 --- a/bin/tests/system/nzd2nzf/prereq.sh +++ b/bin/tests/system/nzd2nzf/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --with-lmdb || { - echo_i "This test requires LMDB support." >&2 - exit 255 + echo_i "This test requires LMDB support." >&2 + exit 255 } exit 0 
diff --git a/bin/tests/system/nzd2nzf/tests.sh b/bin/tests/system/nzd2nzf/tests.sh
index 2cfc58f..e48b79d 100644
--- a/bin/tests/system/nzd2nzf/tests.sh
+++ b/bin/tests/system/nzd2nzf/tests.sh
@@ -16,51 +16,51 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" } status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for non-existing zone data ($n)" ret=0 -dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 -grep 'status: REFUSED' dig.out.ns1.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n || ret=1 +grep 'status: REFUSED' dig.out.ns1.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding a new zone into default NZD using rndc addzone ($n)" rndccmd 10.53.0.1 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns1 /' | cat_i sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for existing zone data ($n)" ret=0 -dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 -grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns1.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stopping ns1" stop_server ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "dumping _default.nzd to _default.nzf ($n)" -$NZD2NZF ns1/_default.nzd > ns1/_default.nzf || ret=1 +$NZD2NZF ns1/_default.nzd >ns1/_default.nzf || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that _default.nzf contains the expected content ($n)" -grep 'zone "added.example" { type primary; file "added.db"; };' ns1/_default.nzf > /dev/null || ret=1 +grep 'zone "added.example" { type primary; file "added.db"; };' ns1/_default.nzf >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; 
fi -status=$((status+ret)) +status=$((status + ret)) echo_i "deleting _default.nzd database" rm -f ns1/_default.nzd @@ -68,18 +68,18 @@ rm -f ns1/_default.nzd echo_i "starting ns1 which should migrate the .nzf to .nzd" start_server --noclean --restart --port ${PORT} ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for zone data from migrated zone config ($n)" # retry loop in case the server restart above causes transient failures _do_query() ( - dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n && - grep 'status: NOERROR' dig.out.ns1.$n > /dev/null + dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n \ + && grep 'status: NOERROR' dig.out.ns1.$n >/dev/null ) ret=0 retry_quiet "10" _do_query || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" exit $status diff --git a/bin/tests/system/padding/ns2/named.conf.in b/bin/tests/system/padding/ns2/named.conf.in index 10ba86b..6f2a34c 100644 --- a/bin/tests/system/padding/ns2/named.conf.in +++ b/bin/tests/system/padding/ns2/named.conf.in @@ -36,7 +36,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/padding/ns3/named.conf.in b/bin/tests/system/padding/ns3/named.conf.in index a719249..1b44e47 100644 --- a/bin/tests/system/padding/ns3/named.conf.in +++ b/bin/tests/system/padding/ns3/named.conf.in @@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/padding/ns4/named.conf.in b/bin/tests/system/padding/ns4/named.conf.in index 6828f2a..957175c 100644 --- a/bin/tests/system/padding/ns4/named.conf.in +++ b/bin/tests/system/padding/ns4/named.conf.in @@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; 
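Review bot: `ret` is not reset before the `dumping _default.nzd to _default.nzf` step or the `checking that _default.nzf contains the expected content` step, so a failure in the preceding `querying for existing zone data` test carries over, is reported as "failed" again and is added to `status` a second time; add `ret=0` after each of those reformatted `n=$((n + 1))` lines, as every other test in this file does. The `sleep 2` after `rndccmd 10.53.0.1 addzone ...` is a fixed wait with no check that the zone is actually loaded; a `retry_quiet` loop around the follow-up query, as the migration test later in this file already uses, would make the result independent of host load.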
diff --git a/bin/tests/system/padding/tests.sh b/bin/tests/system/padding/tests.sh index c952537..f20ba0b 100644 --- a/bin/tests/system/padding/tests.sh +++ b/bin/tests/system/padding/tests.sh @@ -19,30 +19,30 @@ n=0 status=0 DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" getcookie() { - awk '$2 == "COOKIE:" { + awk '$2 == "COOKIE:" { print $3; - }' < $1 + }' <$1 } echo_i "checking that dig handles padding ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "; QUERY SIZE: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "; QUERY SIZE: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that dig added padding ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 -nextpart ns2/named.stats | grep "EDNS padding option received" > /dev/null || ret=1 +nextpart ns2/named.stats | grep "EDNS padding option received" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
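Review bot: `getcookie` still reads its argument unquoted (`}' <$1`) after the shfmt pass; quote it as `}' <"$1"` so a path containing whitespace or a glob character cannot be split. The same hunk prints `checking that dig handles padding ($n)` before `n=$((n + 1))`, so the first test is logged as (0) while its output lands in dig.out.test1; moving the increment above the `echo_i` line keeps labels and file names aligned (the following tests in this file use the same order, so the change would have to be applied consistently).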
@@ -50,84 +50,90 @@ status=$((status + ret)) echo_i "checking that padding is added for TCP responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "rcvd: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding is added to valid cookie responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +cookie foo.example @10.53.0.2 > dig.out.testc +$DIG $DIGOPTS +cookie foo.example @10.53.0.2 >dig.out.testc cookie=$(getcookie dig.out.testc) -$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "rcvd: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding must be requested (TCP) ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +vc foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding must be requested (valid cookie) ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i 
"checking that padding can be filtered out ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that a TCP and padding server config enables padding ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 opad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -$DIG $DIGOPTS foo.example @10.53.0.3 > dig.out.test$n +$DIG $DIGOPTS foo.example @10.53.0.3 >dig.out.test$n $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 npad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -if [ "$opad" -eq "$npad" ]; then echo_i "error: opad ($opad) == npad ($npad)"; ret=1; fi +if [ "$opad" -eq "$npad" ]; then + echo_i "error: opad ($opad) == npad ($npad)" + ret=1 +fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that a padding server config should enforce TCP ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 opad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -$DIG $DIGOPTS foo.example @10.53.0.4 > dig.out.test$n +$DIG $DIGOPTS foo.example @10.53.0.4 >dig.out.test$n $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 npad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -if [ "$opad" -ne "$npad" ]; then echo_i "error: opad ($opad) != npad 
($npad)"; ret=1; fi +if [ "$opad" -ne "$npad" ]; then + echo_i "error: opad ($opad) != npad ($npad)" + ret=1 +fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that zero-length padding option has no effect ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 > dig.out.test$n.1 -grep "; PAD" dig.out.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 > dig.out.test$n.2 -grep "; PAD" dig.out.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 >dig.out.test$n.1 +grep "; PAD" dig.out.test$n.1 >/dev/null || ret=1 +$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 >dig.out.test$n.2 +grep "; PAD" dig.out.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/parallel.sh b/bin/tests/system/parallel.sh index 11a424f..11895ff 100644 --- a/bin/tests/system/parallel.sh +++ b/bin/tests/system/parallel.sh @@ -27,8 +27,8 @@ echo " exit 1; \\" echo " }" echo echo "test check: $PARALLELS" -for directory in $PARALLELDIRS ; do - echo - echo "test-$(echo "$directory" | tr _ -): check_interfaces" - echo " @${SHELL} ./legacy.run.sh -r $directory 2>&1 | tee test.output.$directory" +for directory in $PARALLELDIRS; do + echo + echo "test-$(echo "$directory" | tr _ -): check_interfaces" + echo " @${SHELL} ./legacy.run.sh -r $directory 2>&1 | tee test.output.$directory" done diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index cb3662f..c7b99c3 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh 
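Review bot: The reformatted `if [ "$opad" -eq "$npad" ]` and `if [ "$opad" -ne "$npad" ]` checks pass vacuously when either counter is empty: if the `EDNS padding option received` line is missing from a stats dump, `awk` prints nothing, `[` exits with a usage error instead of returning false, the body is skipped and `ret` stays 0. Add `[ -n "$opad" ] && [ -n "$npad" ] || ret=1` before each comparison so an absent counter is a failure rather than a pass. Likewise `cookie=$(getcookie dig.out.testc)` is never validated; an empty value presumably turns `+cookie=$cookie` into a bare `+cookie` request, which would exercise a different server path than the "valid cookie" tests intend — `[ -n "$cookie" ] || ret=1` right after the assignment closes that gap.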
@@ -17,19 +17,19 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL -e sign.sh ) +(cd ../ns2 && $SHELL -e sign.sh) cp ../ns2/dsset-example. . cp ../ns2/dsset-example.com. . keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/pending/ns2/named.conf.in b/bin/tests/system/pending/ns2/named.conf.in index 59824df..a403f13 100644 --- a/bin/tests/system/pending/ns2/named.conf.in +++ b/bin/tests/system/pending/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index 4965f85..062e989 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh 
@@ -14,20 +14,20 @@ . ../../conf.sh for domain in example example.com; do - zone=${domain}. - infile=${domain}.db.in - zonefile=${domain}.db + zone=${domain}. + infile=${domain}.db.in + zonefile=${domain}.db - keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) - keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) + keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) - cat $infile $keyname1.key $keyname2.key > $zonefile + cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -3 bebe -o $zone $zonefile > /dev/null + $SIGNER -3 bebe -o $zone $zonefile >/dev/null done # remove "removed" record from example.com, causing the server to # send an apparently-invalid NXDOMAIN -sed '/^removed/d' example.com.db.signed > example.com.db.new +sed '/^removed/d' example.com.db.signed >example.com.db.new rm -f example.com.db.signed mv example.com.db.new example.com.db.signed diff --git a/bin/tests/system/pending/ns3/named.conf.in b/bin/tests/system/pending/ns3/named.conf.in index 29afd19..6d69d67 100644 --- a/bin/tests/system/pending/ns3/named.conf.in +++ b/bin/tests/system/pending/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "mail.example" { diff --git a/bin/tests/system/pending/ns4/named.conf.in b/bin/tests/system/pending/ns4/named.conf.in index dfb5541..0c2e8a8 100644 --- a/bin/tests/system/pending/ns4/named.conf.in +++ b/bin/tests/system/pending/ns4/named.conf.in @@ -27,5 +27,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh index 362cef3..29ab3e9 100644 --- a/bin/tests/system/pending/tests.sh +++ b/bin/tests/system/pending/tests.sh 
@@ -16,32 +16,31 @@ set -e . ../conf.sh # replace_data dname RR old_data new_data -replace_data() -{ - if [ $# -ne 4 ]; then - echo_i "unexpected input for replace_data" - return 1 - fi - - _dname=$1 - _rr=$2 - _olddata=$3 - _newdata=$4 - - _ret=0 - $NSUPDATE -d <> nsupdate.out.test 2>&1 || _ret=1 +replace_data() { + if [ $# -ne 4 ]; then + echo_i "unexpected input for replace_data" + return 1 + fi + + _dname=$1 + _rr=$2 + _olddata=$3 + _newdata=$4 + + _ret=0 + $NSUPDATE -d <>nsupdate.out.test 2>&1 || _ret=1 server 10.53.0.2 ${PORT} update delete ${_dname} 30 ${_rr} ${_olddata} update add ${_dname} 30 ${_rr} ${_newdata} send END - if [ $_ret != 0 ]; then - echo_i "failed to update the test data" - return 1 - fi + if [ $_ret != 0 ]; then + echo_i "failed to update the test data" + return 1 + fi - return 0 + return 0 } status=0 diff --git a/bin/tests/system/pipelined/ns2/named.conf.in b/bin/tests/system/pipelined/ns2/named.conf.in index 3679e97..9802689 100644 --- a/bin/tests/system/pipelined/ns2/named.conf.in +++ b/bin/tests/system/pipelined/ns2/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "examplea" { diff --git a/bin/tests/system/pipelined/ns3/named.conf.in b/bin/tests/system/pipelined/ns3/named.conf.in index d8943d5..3fe8f56 100644 --- a/bin/tests/system/pipelined/ns3/named.conf.in +++ b/bin/tests/system/pipelined/ns3/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "exampleb" { diff --git a/bin/tests/system/pipelined/ns4/named.conf.in b/bin/tests/system/pipelined/ns4/named.conf.in index 5d4be1c..a233f6c 100644 --- a/bin/tests/system/pipelined/ns4/named.conf.in +++ b/bin/tests/system/pipelined/ns4/named.conf.in @@ -37,5 +37,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; 
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh index 26c0d31..7f761de 100644 --- a/bin/tests/system/pipelined/tests.sh +++ b/bin/tests/system/pipelined/tests.sh @@ -16,17 +16,23 @@ set -e . ../conf.sh MDIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 echo_i "check pipelined TCP queries" ret=0 -$PIPEQUERIES -p ${PORT} < input > raw || ret=1 -awk '{ print $1 " " $5 }' < raw > output -sort < output > output-sorted -diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } -diff ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +$PIPEQUERIES -p ${PORT} raw || ret=1 +awk '{ print $1 " " $5 }' output +sort output-sorted +diff ref output-sorted || { + ret=1 + echo_i "diff sorted failed" +} +diff ref output >/dev/null && { + ret=1 + echo_i "diff out of order failed" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -34,11 +40,17 @@ echo_i "check pipelined TCP queries using mdig" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig -awk '{ print $1 " " $5 }' < raw.mdig > output.mdig -sort < output.mdig > output-sorted.mdig -diff ref output-sorted.mdig || { ret=1 ; echo_i "diff sorted failed"; } -diff ref output.mdig > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 >raw.mdig +awk '{ print $1 " " $5 }' output.mdig +sort output-sorted.mdig +diff ref output-sorted.mdig || { + ret=1 + echo_i "diff sorted failed" +} +diff ref output.mdig >/dev/null && { + ret=1 + echo_i "diff out of order failed" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -46,8 +58,8 @@ echo_i "check keep-response-order" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 -awk '{ print $1 " " $5 }' < rawb > outputb +$PIPEQUERIES -p ${PORT} ++ rawb || ret=1 +awk '{ print $1 " " $5 }' outputb diff refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -56,8 +68,8 @@ echo_i "check keep-response-order using mdig" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig -awk '{ print $1 " " $5 }' < rawb.mdig > outputb.mdig +$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 >rawb.mdig +awk '{ print $1 " " $5 }' outputb.mdig diff refb outputb.mdig || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -66,15 +78,15 @@ echo_i "check mdig -4 -6" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1 -grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1 +$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 >output46.mdig 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" output46.mdig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check mdig -4 with an IPv6 server address" ret=0 -$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 > output4.mdig 2>&1 && ret=1 -grep "address family not supported" output4.mdig > /dev/null || ret=1 +$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 >output4.mdig 2>&1 && ret=1 +grep "address family not supported" output4.mdig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/qmin/ns5/named.conf.in b/bin/tests/system/qmin/ns5/named.conf.in index d84d818..fac3538 100644 --- a/bin/tests/system/qmin/ns5/named.conf.in +++ b/bin/tests/system/qmin/ns5/named.conf.in 
@@ -39,5 +39,5 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/qmin/ns6/named.conf.in b/bin/tests/system/qmin/ns6/named.conf.in
index 828973c..6301fb2 100644
--- a/bin/tests/system/qmin/ns6/named.conf.in
+++ b/bin/tests/system/qmin/ns6/named.conf.in
@@ -39,5 +39,5 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/qmin/ns7/named.conf.in b/bin/tests/system/qmin/ns7/named.conf.in
index 8ca3275..917e3e7 100644
--- a/bin/tests/system/qmin/ns7/named.conf.in
+++ b/bin/tests/system/qmin/ns7/named.conf.in
@@ -39,7 +39,7 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "fwd." IN {
diff --git a/bin/tests/system/qmin/prereq.sh b/bin/tests/system/qmin/prereq.sh
new file mode 100644
index 0000000..b6b005f
--- /dev/null
+++ b/bin/tests/system/qmin/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PYTHON} -c 'import dns'; then
+ echo_i "python dns module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/qmin/tests.sh b/bin/tests/system/qmin/tests.sh
index b8d3128..6c87a16 100755
--- a/bin/tests/system/qmin/tests.sh
+++ b/bin/tests/system/qmin/tests.sh
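Review bot: The `import dns` probe in the new qmin/prereq.sh lets the interpreter's own output through, so when the module is absent the Python traceback lands in the test log ahead of the echo_i message; the check should silence it: `if ! ${PYTHON} -c 'import dns' >/dev/null 2>&1; then`. The same line also misreports an unset or empty `${PYTHON}` as a missing dns module, because the command then degrades to `-c 'import dns'` and fails for an unrelated reason; a preceding `: "${PYTHON:?python interpreter not set}"` would give an accurate diagnostic, unless conf.sh already enforces that, which is not visible here. Quoting the expansion as `"${PYTHON}"` additionally keeps the invocation intact when the interpreter path contains whitespace.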
@@ -16,112 +16,112 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" CLEANQL="rm -f ans*/query.log" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.good. ADDR ns3.good. ADDR ns3.good. ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. 
@10.53.0.5 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.5 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. ADDR ns3.bad. ADDR ns3.bad. ADDR a.bit.longer.ns.name.bad. ADDR a.bit.longer.ns.name.bad. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .slow is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 
1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.slow. ADDR ns3.slow. ADDR ns3.slow. ADDR a.bit.longer.ns.name.slow. ADDR a.bit.longer.ns.name.slow. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.ugly. ADDR ns3.ugly. ADDR ns3.ugly. ADDR a.bit.longer.ns.name.ugly. ADDR a.bit.longer.ns.name.ugly. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." 
| diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is properly minimized when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. 
@@ -131,31 +131,31 @@ NS boing.good. NS good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.good. NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.good. NS icky.icky.ptang.zoop.boing.good. ADDR icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is properly minimized when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. 
@@ -164,47 +164,47 @@ ADDR ns3.good. NS boing.good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.icky.ptang.zoop.boing.good. ADDR icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad fails when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns2.bad. NS bad. NS boing.bad. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad succeeds when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. 
@10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.bad. ADDR a.bit.longer.ns.name.bad. ADDR icky.icky.icky.ptang.zoop.boing.bad. 
@@ -213,46 +213,46 @@ ADDR ns3.bad. ADDR ns3.bad. NS boing.bad. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly fails when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 > dig.out.test$n -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 >dig.out.test$n +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns2.ugly. NS boing.ugly. NS ugly. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) $RNDCCMD 10.53.0.6 flush -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly succeeds when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. 
@10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.ugly. ADDR a.bit.longer.ns.name.ugly. ADDR icky.icky.icky.ptang.zoop.boing.ugly. 
@@ -261,31 +261,31 @@ ADDR ns3.ugly. ADDR ns3.ugly. NS boing.ugly. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) $RNDCCMD 10.53.0.7 flush -n=$((n+1)) +n=$((n + 1)) echo_i "information that minimization was unsuccessful for .ugly is logged in relaxed mode ($n)" ret=0 -wait_for_log 5 "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization" ns7/named.run > /dev/null || ret=1 +wait_for_log 5 "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization" ns7/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .slow is properly minimized when qname-minimization is on ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 
1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.slow. ADDR a.bit.longer.ns.name.slow. ADDR ns2.slow. @@ -295,31 +295,31 @@ NS boing.slow. NS slow. NS zoop.boing.slow. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.slow. NS ptang.zoop.boing.slow. NS icky.ptang.zoop.boing.slow. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.slow. NS icky.icky.ptang.zoop.boing.slow. ADDR icky.icky.icky.ptang.zoop.boing.slow. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ip6.arpa succeeds and skips on proper boundaries when qname-minimization is on ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n >/dev/null || ret=1 sleep 1 -grep -v ADDR ans2/query.log > ans2/query.log.trimmed -cat << __EOF | diff ans2/query.log.trimmed - > /dev/null || ret=1 +grep -v ADDR ans2/query.log >ans2/query.log.trimmed +cat <<__EOF | diff ans2/query.log.trimmed - >/dev/null || ret=1 NS 1.0.0.2.ip6.arpa. NS 8.f.4.0.1.0.0.2.ip6.arpa. NS 0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 
@@ -329,19 +329,19 @@ PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for multiple label name skips after 7th label ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.2" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. 
@@ -351,50 +351,50 @@ NS boing.good. NS good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.good. NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF # There's no NS icky.icky.icky.ptang.zoop.boing.good. query - we skipped it. -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.good. NS icky.icky.ptang.zoop.boing.good. ADDR more.icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "qname minimization is disabled when forwarding ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 grep "a.bit.longer.ns.name.fwd. 1 IN A 10.53.0.4" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.fwd. __EOF for ans in ans2; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "qname minimization resolves unusual ip6.arpa. names ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. txt @10.53.0.7 > dig.out.test$n 2>&1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 
txt @10.53.0.7 >dig.out.test$n 2>&1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 # Expected output in dig.out.test$n: # ;; ANSWER SECTION: # test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 1 IN TXT "long_ip6_name" -grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n > /dev/null || ret=1 +grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Below are test cases for GL #2665: The QNAME minimization (if enabled) should # also occur on the second query, after the RRsets have expired from cache. 
@@ -403,135 +403,135 @@ status=$((status+ret)) # We query for the test domain a.b.stale. in all cases (QNAME minimization off, # strict mode, and relaxed mode) and expect it to behave the same the second # time when we have a stale delegation structure in cache. -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n >/dev/null || ret=1 sleep 1 -echo "TXT a.b.stale." | diff ans2/query.log - > /dev/null || ret=1 -echo "TXT a.b.stale." | diff ans3/query.log - > /dev/null || ret=1 -test -f ans4/query.log && ret=1 +echo "TXT a.b.stale." | diff ans2/query.log - >/dev/null || ret=1 +echo "TXT a.b.stale." | diff ans3/query.log - >/dev/null || ret=1 +test -f ans4/query.log && ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. 
>dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. ADDR ns2.stale. NS b.stale. NS stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. NS b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. ADDR ns2.stale. NS b.stale. 
__EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "sleep 2, allow entries in cache to go stale" sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is not minimized when qname-minimization is off (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n >/dev/null || ret=1 sleep 1 -echo "TXT a.b.stale." | diff ans2/query.log - > /dev/null || ret=1 -echo "TXT a.b.stale." | diff ans3/query.log - > /dev/null || ret=1 -test -f ans4/query.log && ret=1 +echo "TXT a.b.stale." | diff ans2/query.log - >/dev/null || ret=1 +echo "TXT a.b.stale." | diff ans3/query.log - >/dev/null || ret=1 +test -f ans4/query.log && ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in strict mode (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. 
> dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 NS b.stale. NS stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 NS b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 NS b.stale. 
__EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/reclimit/ans7/ans.pl b/bin/tests/system/reclimit/ans7/ans.pl index 41a44a6..52110f1 100644 --- a/bin/tests/system/reclimit/ans7/ans.pl +++ b/bin/tests/system/reclimit/ans7/ans.pl @@ -22,9 +22,14 @@ my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; print $pidf "$$\n" or die "cannot write pid file: $!"; $pidf->close or die "cannot close pid file: $!"; sub rmpid { unlink "ans.pid"; exit 1; }; +sub term { }; $SIG{INT} = \&rmpid; -$SIG{TERM} = \&rmpid; +if ($Net::DNS::VERSION >= 1.42) { + $SIG{TERM} = \&term; +} else { + $SIG{TERM} = \&rmpid; +} my $count = 0; @@ -73,4 +78,11 @@ my $ns = Net::DNS::Nameserver->new( Verbose => $verbose, ); -$ns->main_loop; +if ($Net::DNS::VERSION >= 1.42) { + $ns->start_server(); + select(undef, undef, undef, undef); + $ns->stop_server(); + unlink "ans.pid"; +} else { + $ns->main_loop; +} diff --git a/bin/tests/system/reclimit/prereq.sh b/bin/tests/system/reclimit/prereq.sh new file mode 100644 index 0000000..0d6e2b4 --- /dev/null +++ b/bin/tests/system/reclimit/prereq.sh 
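Review bot: The empty `sub term { };` installed as the SIGTERM handler for Net::DNS >= 1.42 is doing real work — it makes SIGTERM interrupt the `select(undef, undef, undef, undef)` sleep so that `stop_server()` and the `unlink "ans.pid"` run in-line rather than from inside a signal handler — but nothing in either hunk says so, and the two halves sit 50 lines apart; a comment on that line such as `# no-op: lets SIGTERM interrupt the select() sleep below so we can stop_server() and remove the pid file cleanly instead of exit()ing from the handler` would stop the next reader from "simplifying" it back to `rmpid`. Two behavioural differences from the old path are worth confirming: the new path falls off the end of the script with exit status 0 where `rmpid` exits 1, and SIGINT still goes to `rmpid`, which unlinks the pid file and exits without calling `stop_server()` — if `start_server()` spawns listener processes (I cannot tell from here), an INT would leave them running, so routing INT through the same handler on the >= 1.42 path looks safer. The `$Net::DNS::VERSION >= 1.42` test is also written twice; hoisting it once near the top, `my $have_start_server = $Net::DNS::VERSION >= 1.42;`, keeps the two branches from drifting apart.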
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+if ! ${PERL} -MNet::DNS::Nameserver -e ''; then
+ echo_i "perl Net::DNS::Nameserver module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh
index 7e80d22..4212e2d 100644
--- a/bin/tests/system/reclimit/tests.sh
+++ b/bin/tests/system/reclimit/tests.sh
@@ -21,17 +21,17 @@ status=0
 n=0
 
 ns3_reset() {
- copy_setports $1 ns3/named.conf
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /'
- $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /'
+ copy_setports $1 ns3/named.conf
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /'
+ $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /'
 }
 
 ns3_sends_aaaa_queries() {
- if grep "started AAAA fetch" ns3/named.run >/dev/null; then
- return 0
- else
- return 1
- fi
+ if grep "started AAAA fetch" ns3/named.run >/dev/null; then
+ return 0
+ else
+ return 1
+ fi
 }
 
 # Check whether the number of queries ans2 received from ns3 (this value is
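Review bot: `${PERL}` is expanded unquoted and unchecked in both `if ! ${PERL} -MNet::DNS -e ''` prerequisite tests in the new prereq.sh; if `../conf.sh` leaves it empty (conf.sh is not visible from here), the shell fails with `-MNet::DNS: command not found` and the script then prints the misleading "perl Net::DNS module is required", sending whoever debugs the skipped test after the wrong cause. A guard right after sourcing conf.sh, `: "${PERL:?PERL is not set by conf.sh}"`, plus quoting the expansion as `"${PERL}"`, makes the failure self-explanatory and keeps an interpreter path with spaces from being word-split.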
@@ -40,23 +40,23 @@ ns3_sends_aaaa_queries() { # - if ns3 sends AAAA queries, the query count should equal $2, # - if ns3 does not send AAAA queries, the query count should equal $3. check_query_count() { - count1=$(sed 's/[^0-9]//g;' $1) - count2=$(sed 's/[^0-9]//g;' $2) - count=$((count1 + count2)) - #echo_i "count1=$count1 count2=$count2 count=$count" - expected_count_with_aaaa=$3 - expected_count_without_aaaa=$4 - - if ns3_sends_aaaa_queries; then - expected_count=$expected_count_with_aaaa - else - expected_count=$expected_count_without_aaaa - fi - - if [ $count -ne $expected_count ]; then - echo_i "count $count (actual) != $expected_count (expected)" - ret=1 - fi + count1=$(sed 's/[^0-9]//g;' $1) + count2=$(sed 's/[^0-9]//g;' $2) + count=$((count1 + count2)) + #echo_i "count1=$count1 count2=$count2 count=$count" + expected_count_with_aaaa=$3 + expected_count_without_aaaa=$4 + + if ns3_sends_aaaa_queries; then + expected_count=$expected_count_with_aaaa + else + expected_count=$expected_count_without_aaaa + fi + + if [ $count -ne $expected_count ]; then + echo_i "count $count (actual) != $expected_count (expected)" + ret=1 + fi } echo_i "set max-recursion-depth=12" 
@@ -64,14 +64,14 @@ echo_i "set max-recursion-depth=12" n=$((n + 1)) echo_i "attempt excessive-depth lookup ($n)" ret=0 -echo "1000" > ans2/ans.limit -echo "1000" > ans4/ans.limit -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect1.example.org > dig.out.1.test$n || ret=1 -grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +echo "1000" >ans2/ans.limit +echo "1000" >ans4/ans.limit +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect1.example.org >dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 27 14 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -79,15 +79,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "12" > ans2/ans.limit -echo "12" > ans4/ans.limit +echo "12" >ans2/ans.limit +echo "12" >ans4/ans.limit ns3_reset ns3/named1.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect2.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect2.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 50 26 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -97,14 +97,14 @@ echo_i "set max-recursion-depth=5" n=$((n + 1)) echo_i "attempt excessive-depth lookup ($n)" ret=0 -echo "12" > ans2/ans.limit +echo "12" >ans2/ans.limit ns3_reset ns3/named2.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect3.example.org > dig.out.1.test$n || ret=1 -grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect3.example.org >dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 13 7 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -112,15 +112,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "5" > ans2/ans.limit -echo "5" > ans4/ans.limit +echo "5" >ans2/ans.limit +echo "5" >ans4/ans.limit ns3_reset ns3/named2.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect4.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect4.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 22 12 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -130,33 +130,39 @@ echo_i "set max-recursion-depth=100, max-recursion-queries=50" n=$((n + 1)) echo_i "attempt excessive-queries lookup ($n)" ret=0 -echo "13" > ans2/ans.limit -echo "13" > ans4/ans.limit +echo "13" >ans2/ans.limit +echo "13" >ans4/ans.limit ns3_reset ns3/named3.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect5.example.org > dig.out.1.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect5.example.org >dig.out.1.test$n || ret=1 if ns3_sends_aaaa_queries; then - grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 + grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 fi -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -le 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "12" > ans2/ans.limit +echo "12" >ans2/ans.limit ns3_reset ns3/named3.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect6.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect6.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval 
count=$(cat dig.out.2.test$n) -[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -le 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -165,30 +171,36 @@ echo_i "set max-recursion-depth=100, max-recursion-queries=40" n=$((n + 1)) echo_i "attempt excessive-queries lookup ($n)" ret=0 -echo "11" > ans2/ans.limit +echo "11" >ans2/ans.limit ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect7.example.org > dig.out.1.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect7.example.org >dig.out.1.test$n || ret=1 if ns3_sends_aaaa_queries; then - grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 + grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 fi -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +[ $count -le 40 ] || { + ret=1 + echo_i "count ($count) !<= 40" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "9" > ans2/ans.limit +echo "9" >ans2/ans.limit ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect8.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect8.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +[ $count -le 40 ] || { + ret=1 + echo_i "count ($count) !<= 40" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -196,14 +208,17 @@ n=$((n + 1)) echo_i "attempting NS explosion ($n)" ret=0 ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net > dig.out.1.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net >dig.out.1.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) [ $count -lt 50 ] || ret=1 -$DIG $DIGOPTS +short @10.53.0.7 count txt > dig.out.3.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.7 count txt >dig.out.3.test$n || ret=1 eval count=$(cat dig.out.3.test$n) -[ $count -lt 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -lt 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh index 974e6ca..4b1b092 100644 --- a/bin/tests/system/redirect/ns1/sign.sh +++ b/bin/tests/system/redirect/ns1/sign.sh @@ -20,9 +20,9 @@ zonefile=signed.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null zone=nsec3 infile=example.db @@ -31,6 +31,6 @@ zonefile=nsec3.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -g -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/redirect/ns2/named.conf.in b/bin/tests/system/redirect/ns2/named.conf.in index 9b88736..881a81f 100644 
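Review bot: The failure message in the reformatted `[ $count -lt 50 ] || { ... }` block for the ans7 count still says `!<= 50` while the check is strictly less-than, so a count of exactly 50 fails while claiming it is not <= 50; `echo_i "count ($count) !< 50"` matches the test (the `-le` checks in the earlier hunks are consistent with their `!<=` wording). The parallel `[ $count -lt 50 ] || ret=1` for the ans2 count two lines above reports nothing at all on failure, so giving it the same block form would make the two counts diagnosable the same way. Both counts are obtained with `eval count=$(cat dig.out.N.test$n)`, which executes the TXT answer as shell just to strip its quotes; the answering servers are the test's own, but `count=$(sed 's/[^0-9]//g' dig.out.2.test$n)` — the form `check_query_count` already uses for the same data — extracts the number without an `eval`.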
--- a/bin/tests/system/redirect/ns2/named.conf.in +++ b/bin/tests/system/redirect/ns2/named.conf.in @@ -42,7 +42,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "." { diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh index 974e6ca..4b1b092 100644 --- a/bin/tests/system/redirect/ns3/sign.sh +++ b/bin/tests/system/redirect/ns3/sign.sh @@ -20,9 +20,9 @@ zonefile=signed.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null zone=nsec3 infile=example.db @@ -31,6 +31,6 @@ zonefile=nsec3.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -g -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh index ffe4e13..0818d67 100644 --- a/bin/tests/system/redirect/ns5/sign.sh +++ b/bin/tests/system/redirect/ns5/sign.sh @@ -21,12 +21,12 @@ zone=signed. infile=signed.db.in zonefile=signed.db -key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null) -key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null) +key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2>/dev/null) +key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2>/dev/null) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out +$SIGNER -P -g -O full -o $zone $zonefile >sign.ns5.signed.out cp signed.db.signed ../ns6 
@@ -35,10 +35,10 @@ zone=. infile=root.db.in zonefile=root.db -key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null) -key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null) +key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2>/dev/null) +key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2>/dev/null) # cat $infile $key1.key $key2.key > $zonefile -cat $infile dsset-signed. $key1.key $key2.key > $zonefile +cat $infile dsset-signed. $key1.key $key2.key >$zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out +$SIGNER -P -g -O full -o $zone $zonefile >sign.ns5.root.out diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh index d182469..5022a83 100644 --- a/bin/tests/system/redirect/setup.sh +++ b/bin/tests/system/redirect/setup.sh @@ -22,8 +22,8 @@ copy_setports ns6/named.conf.in ns6/named.conf cp ns2/redirect.db.in ns2/redirect.db cp ns2/example.db.in ns2/example.db -( cd ns1 && $SHELL sign.sh ) +(cd ns1 && $SHELL sign.sh) cp ns4/example.db.in ns4/example.db -( cd ns3 && $SHELL sign.sh ) -( cd ns5 && $SHELL sign.sh ) +(cd ns3 && $SHELL sign.sh) +(cd ns5 && $SHELL sign.sh) diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh index 83b90ad..09d40cf 100644 --- a/bin/tests/system/redirect/tests.sh +++ b/bin/tests/system/redirect/tests.sh 
@@ -21,33 +21,31 @@ n=1 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking A zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -57,7 +55,7 @@ ret=0 rm -f ns2/named.stats 2>/dev/null $RNDCCMD 10.53.0.2 stats || ret=1 PRE=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns2/named.stats) -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 rm -f ns2/named.stats 2>/dev/null $RNDCCMD 10.53.0.2 stats || ret=1 POST=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns2/named.stats) 
@@ -68,285 +66,285 @@ status=$((status + ret)) echo_i "checking AAAA zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. 
@10.53.0.2 -b 10.53.0.4 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. 
@10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. 
+dnssec @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. 
@10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. 
@10.53.0.1 -b 10.53.0.4 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. 
@10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. 
+dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking zone redirect works (with noerror) when qtype is not found ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -354,19 +352,19 @@ status=$((status + ret))
 echo_i "checking that redirect zones reload correctly"
 ret=0
 sleep 1 # ensure file mtime will have changed
-cat ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' > ns2/example.db
-cat ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' > ns2/redirect.db
+cat ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' >ns2/example.db
+cat ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' >ns2/redirect.db
 rndc_reload ns2 10.53.0.2
 for i in 1 2 3 4 5 6 7 8 9; do
- tmp=0
- $DIG $DIGOPTS +short @10.53.0.2 soa example.nil > dig.out.ns1.test$n || tmp=1
- set -- $(cat dig.out.ns1.test$n)
- [ $3 = 1 ] || tmp=1
- $DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || tmp=1
- grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || tmp=1
- grep "100.100.100.2" dig.out.ns2.test$n > /dev/null || tmp=1
- [ $tmp -eq 0 ] && break
- sleep 1
+ tmp=0
+ $DIG $DIGOPTS +short @10.53.0.2 soa example.nil >dig.out.ns1.test$n || tmp=1
+ set -- $(cat dig.out.ns1.test$n)
+ [ $3 = 1 ] || tmp=1
+ $DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || tmp=1
+ grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || tmp=1
+ grep "100.100.100.2" dig.out.ns2.test$n >/dev/null || tmp=1
+ [ $tmp -eq 0 ] && break
+ sleep 1
 done
 [ $tmp -eq 1 ] && ret=1
 n=$((n + 1))
@@ -375,9 +373,9 @@ status=$((status + ret))
 echo_i "checking A nxdomain-redirect works for nonexist ($n)"
 ret=0
-$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "nonexist. .*100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "nonexist. .*100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -388,9 +386,9 @@ rm -f ns4/named.stats 2>/dev/null
 $RNDCCMD 10.53.0.4 stats || ret=1
 PRE_RED=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns4/named.stats)
 PRE_SUC=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p" ns4/named.stats)
-$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "nonexist. .*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "nonexist. .*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@@ -409,138 +407,138 @@ status=$((status + ret)) echo_i "checking ANY nxdomain-redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. 
@10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. 
+dnssec @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking nxdomain-redirect works (with noerror) when qtype is not found ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 txt > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. 
@10.53.0.4 -b 10.53.0.2 txt >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking nxdomain-redirect against authoritative zone ($n)" ret=0 -$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking tld nxdomain-redirect against signed root zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf >dig.out.ns5.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf >dig.out.ns6.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns6.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking extended error is not set on allow-recursion ($n)" ret=0 -$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "EDE" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS example. 
@10.53.0.1 -b 10.53.0.2 soa >dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
+grep "EDE" dig.out.ns1.test$n >/dev/null && ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index 2141a30..19a34c7 100644
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -22,8 +22,8 @@ infile="${zonefile}.in"
 cp $infile $zonefile
 ksk=$($KEYGEN -q -a rsasha256 -fk $zone)
 zsk=$($KEYGEN -q -a rsasha256 -b 2048 $zone)
-cat $ksk.key $zsk.key >> $zonefile
-$SIGNER -P -o $zone $zonefile > /dev/null
+cat $ksk.key $zsk.key >>$zonefile
+$SIGNER -P -o $zone $zonefile >/dev/null
 zone=example.net
 zonefile="${zone}.db"
@@ -31,8 +31,8 @@ infile="${zonefile}.in"
 cp $infile $zonefile
 ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
 zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
-cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
-$SIGNER -P -o $zone $zonefile > /dev/null
+cat $ksk.key $zsk.key dsset-ds.example.net. >>$zonefile
+$SIGNER -P -o $zone $zonefile >/dev/null
 # Configure a static key to be used by delv
-keyfile_to_static_ds $ksk > ../ns5/trusted.conf
+keyfile_to_static_ds $ksk >../ns5/trusted.conf
diff --git a/bin/tests/system/resolver/prereq.sh b/bin/tests/system/resolver/prereq.sh
new file mode 100644
index 0000000..c52be9c
--- /dev/null
+++ b/bin/tests/system/resolver/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 2232e5b..1ec5f86 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
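Review bot: `${PERL}` is expanded unquoted and never checked, so if conf.sh leaves it empty the `if ! ${PERL} -MNet::DNS -e ''` test degrades to executing `-MNet::DNS` as a command and the script reports a missing Net::DNS module when the real problem is a missing interpreter. A one-line guard before the check, `: "${PERL:?PERL is not set by conf.sh}"`, keeps the diagnostic honest and is POSIX, so it fits the `#!/bin/sh` shebang. The module probe also lets perl's own load error reach stderr; that is presumably acceptable for a prereq script, but `2>/dev/null` on that line would leave only the echo_i message if the harness expects a single line of output.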
@@ -17,359 +17,376 @@ set -e . ../conf.sh dig_with_opts() { - "${DIG}" -p "${PORT}" "${@}" + "${DIG}" -p "${PORT}" "${@}" } resolve_with_opts() { - "${RESOLVE}" -p "${PORT}" "${@}" + "${RESOLVE}" -p "${PORT}" "${@}" } rndccmd() { - "${RNDC}" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${@}" + "${RNDC}" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "${@}" } status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "checking non-cachable NXDOMAIN response handling ($n)" ret=0 -dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" - ret=0 - resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i 
"failed"; fi - status=$((status + ret)) - - n=$((n+1)) - echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" - ret=0 - resolve_with_opts -b 10.53.0.1 -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.1 -t a -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking non-cachable NODATA response handling ($n)" ret=0 -dig_with_opts +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp nodata.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking non-cachable NODATA response handling using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 
]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking non-cachable NODATA response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking handling of bogus referrals ($n)" # If the server has the "INSIST(!external)" bug, this query will kill it. -dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } - -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking handling of bogus referrals using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} + +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking handling of bogus referrals using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.com 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check handling of cname + other data / 1 ($n)" -dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "check handling of cname + other data / 2 ($n)" -dig_with_opts +tcp cname2.example.com. 
a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "check that server is still running ($n)" -dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv4 address filtering (deny) ($n)" ret=0 -dig_with_opts +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv6 address filtering (deny) ($n)" ret=0 -dig_with_opts +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.net @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv4 address filtering (accept) ($n)" ret=0 -dig_with_opts +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" - ret=0 - 
resolve_with_opts -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv6 address filtering (accept) ($n)" ret=0 -dig_with_opts +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.org @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t aaaa -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (deny) ($n)" ret=0 -dig_with_opts +tcp badcname.example.net 
@10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp badcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (accept) ($n)" ret=0 -dig_with_opts +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp goodcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking CNAME target filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1 - grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking CNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net >resolve.out.ns1.test${n} || ret=1 + grep "goodcname.example.net..*.goodcname.example.org." 
resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (accept due to subdomain) ($n)" ret=0 -dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1 - grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org >resolve.out.ns1.test${n} || ret=1 + grep "cname.sub.example.org..*.ok.sub.example.org." 
resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (deny) ($n)" ret=0 -dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (accept) ($n)" ret=0 -dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking DNAME target filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1 - grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking DNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net >resolve.out.ns1.test${n} || ret=1 + grep 
"foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (accept due to subdomain) ($n)" ret=0 -dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)" ret=0 -dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. 
A > dig.ns1.out.${n} || ret=1 -grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1 -grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A >dig.ns1.out.${n} || ret=1 +grep "status: NOERROR" dig.ns1.out.${n} >/dev/null || ret=1 +grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" # ns5 is the recusor being tested. ns4 holds the sourcens zone containing # names with varying numbers of NS records pointing to non-existent # nameservers in the targetns zone on ns6. ret=0 -rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test -count_fetches () { - actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}") - [ "${actual:-0}" -eq "${expected}" ] || return 1 - return 0 +rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test +count_fetches() { + actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}") + [ "${actual:-0}" -eq "${expected}" ] || return 1 + return 0 } -for nscount in 1 2 3 4 5 6 7 8 9 10 -do - # Verify number of NS records at source server - dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} - sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';') - test "${sourcerecs}" -eq "${nscount}" || ret=1 - test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" - - # Expected queries = 2 * number of NS records, up to a maximum of 10. 
- expected=$((nscount*2)) - if [ "$expected" -gt 10 ]; then expected=10; fi - # Count the number of logged fetches - nextpart ns5/named.run > /dev/null - dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 - retry_quiet 5 count_fetches ns5/named.run $nscount $expected || { - echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"; ret=1; - } +for nscount in 1 2 3 4 5 6 7 8 9 10; do + # Verify number of NS records at source server + dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns >dig.ns4.out.${nscount}.${n} + sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';') + test "${sourcerecs}" -eq "${nscount}" || ret=1 + test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" + + # Expected queries = 2 * number of NS records, up to a maximum of 10. + expected=$((nscount * 2)) + if [ "$expected" -gt 10 ]; then expected=10; fi + # Count the number of logged fetches + nextpart ns5/named.run >/dev/null + dig_with_opts @10.53.0.5 target${nscount}.sourcens A >dig.ns5.out.${nscount}.${n} || ret=1 + retry_quiet 5 count_fetches ns5/named.run $nscount $expected || { + echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" + ret=1 + } done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test check setup ($n)" ret=0 # Check that "aa" is not being set by the authoritative server. -dig_with_opts +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1 -grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . 
@10.53.0.4 soa >dig.ns4.out.${n} || ret=1 +grep 'flags: qr rd;' dig.ns4.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test positive answers ($n)" ret=0 # Check that resolver accepts the non-authoritative positive answers. -dig_with_opts +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . @10.53.0.5 soa >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test NODATA answers ($n)" ret=0 # Check that resolver accepts the non-authoritative nodata answers. -dig_with_opts +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . @10.53.0.5 txt >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test NXDOMAIN answers ($n)" ret=0 # Check that resolver accepts the non-authoritative positive answers. 
-dig_with_opts +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 -grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp noexistent @10.53.0.5 txt >dig.ns5.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" ret=0 -dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=1 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1 if [ $ret = 1 ]; then echo_i "mx priming failed"; fi -$NSUPDATE << EOF +$NSUPDATE < dig.ns7.out.${n} || ret=2 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2 -grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2 +dig_with_opts +tcp a mail.example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=2 +grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=2 if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi -dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3 -dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4 -grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=3 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=3 +dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 >dig.ns7.out.${n} || ret=4 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=4 +grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=4 +if [ $ret != 0 ]; then + 
echo_i "failed" + ret=1 +fi status=$((status + ret)) -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that update a nameservers address has immediate effects ($n)" ret=0 -dig_with_opts +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1 -grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 -$NSUPDATE << EOF +dig_with_opts +tcp TXT foo.moves @10.53.0.7 >dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1 +$NSUPDATE < dig.ns7.bar.${n} || ret=1 -grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 +dig_with_opts +tcp TXT bar.moves @10.53.0.7 >dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking that update a nameservers glue has immediate effects ($n)" ret=0 -dig_with_opts +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1 -grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 -$NSUPDATE << EOF +dig_with_opts +tcp TXT foo.child.server @10.53.0.7 >dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1 +$NSUPDATE < dig.ns7.bar.${n} || ret=1 -grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 +dig_with_opts +tcp TXT bar.child.server @10.53.0.7 >dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking empty RFC 1918 reverse zones ($n)" ret=0 # Check that "aa" is being set by the resolver for RFC 1918 zones # except the one that has been deliberately disabled -dig_with_opts @10.53.0.7 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1 -dig_with_opts 
@10.53.0.7 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.16.1.1 > dig.ns4.out.3.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.30.1.1 > dig.ns4.out.17.${n} || 
ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 10.1.1.1 >dig.ns4.out.1.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 192.168.1.1 >dig.ns4.out.2.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.16.1.1 >dig.ns4.out.3.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.17.1.1 >dig.ns4.out.4.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.18.1.1 >dig.ns4.out.5.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.19.1.1 >dig.ns4.out.6.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.21.1.1 >dig.ns4.out.7.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.22.1.1 >dig.ns4.out.8.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.23.1.1 >dig.ns4.out.9.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.24.1.1 >dig.ns4.out.11.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.25.1.1 >dig.ns4.out.12.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.26.1.1 >dig.ns4.out.13.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.27.1.1 >dig.ns4.out.14.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} >/dev/null || ret=1 
+dig_with_opts @10.53.0.7 -x 172.28.1.1 >dig.ns4.out.15.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.29.1.1 >dig.ns4.out.16.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.30.1.1 >dig.ns4.out.17.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.31.1.1 >dig.ns4.out.18.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} >/dev/null || ret=1 # but this one should NOT be authoritative -dig_with_opts @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1 -grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +dig_with_opts @10.53.0.7 -x 172.20.1.1 >dig.ns4.out.19.${n} || ret=1 +grep 'flags: qr rd ra;' dig.ns4.out.19.${n} >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking that removal of a delegation is honoured ($n)" ret=0 -dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n} -grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; } +dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.prime.${n} +grep "status: NOERROR" dig.ns5.prime.${n} >/dev/null || { + ret=1 + echo_i "priming failed" +} cp ns4/tld2.db ns4/tld.db rndc_reload ns4 10.53.0.4 tld old= -for i in 0 1 2 3 4 5 6 7 8 9 -do - foo=0 - dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null - dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n} - grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1 - [ $foo = 0 ] && break - $NSUPDATE << EOF +for i in 0 1 2 3 4 5 6 7 8 9; do + foo=0 + dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A >/dev/null + dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.out.${n} + grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || foo=1 + [ $foo = 0 
] && break + $NSUPDATE < dig.out.ns1.test${n} || ret=1 -grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1 +dig_with_opts @10.53.0.1 www.sub.broken aaaa >dig.out.ns1.test${n} || ret=1 +grep "not subdomain of zone" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) copy_setports ns7/named2.conf.in ns7/named.conf rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "check resolution on the listening port ($n)" ret=0 -dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 -grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1 +grep "ANSWER: 1" dig.ns7.out.${n} >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch (${n})" ret=0 # read prefetch value from config. 
PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf) -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.1.${n} || ret=1 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) interval=$((ttl1 - PREFETCH + 1)) # sleep so we are in prefetch range sleep ${interval:-0} # trigger prefetch -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.2.${n} || ret=1 ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) sleep 1 # check that prefetch occurred -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.3.${n} || ret=1 ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})" ret=0 -dig_with_opts +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1 +dig_with_opts +dnssec @10.53.0.5 ds.example.net ds >dig.out.1.${n} || ret=1 dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n}) interval=$((dsttl1 - PREFETCH + 1)) # sleep so we are in prefetch range sleep ${interval:-0} # trigger prefetch -dig_with_opts @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1 +dig_with_opts @10.53.0.5 ds.example.net ds >dig.out.2.${n} || ret=1 dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n}) sleep 1 # check that prefetch occurred -dig_with_opts @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1 +dig_with_opts @10.53.0.5 ds.example.net ds +dnssec >dig.out.3.${n} || ret=1 dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n}) sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}) test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1 
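Review bot: The test labelled `echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"` reports and accumulates its result twice: after `grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=4` the pair `if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi` / `status=$((status + ret))` appears back to back, so a single failure prints "failed" twice and adds 2 to `status`; the second pair should be dropped. In the same hunk, `count_fetches()` is invoked as `retry_quiet 5 count_fetches ns5/named.run $nscount $expected` but never reads `$1`–`$3` and relies on the `nscount` and `expected` globals instead, which makes the extra arguments misleading; either read them inside the function (`nscount=$2; expected=$3`) or drop them from the call. The three tests that end in `status=1` (nameserver address change, nameserver glue change, RFC 1918 reverse zones) overwrite the accumulated failure count rather than using `status=$((status + ret))` like the rest of the script, so the final count is wrong whenever an earlier test also failed. The hunk ends mid-script, so the tests after the DS prefetch check were not reviewed here.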
@@ -535,485 +569,484 @@ test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check prefetch disabled (${n})"
 ret=0
-dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1
+dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.1.${n} || ret=1
 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
 interval=$((ttl1 - PREFETCH + 1))
 # sleep so we are in expire range
 sleep ${interval:-0}
 tmp_ttl=$ttl1
 no_prefetch() {
- # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl.
- # since prefetch is disabled, updated ttl must be a lower value than
- # the previous one.
- dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1
- ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
- # check that prefetch has not occurred
- if [ "$ttl2" -ge "${tmp_ttl}" ]; then
- return 1
- fi
- tmp_ttl=$ttl2
+ # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl.
+ # since prefetch is disabled, updated ttl must be a lower value than
+ # the previous one.
+ dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.2.${n} || return 1
+ ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+ # check that prefetch has not occurred
+ if [ "$ttl2" -ge "${tmp_ttl}" ]; then
+ return 1
+ fi
+ tmp_ttl=$ttl2
 }
 retry_quiet 3 no_prefetch || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check prefetch qtype * (${n})"
 ret=0
-dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1
+dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1
 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
 # sleep so we are in prefetch range
 sleep "${ttl1:-0}"
 # trigger prefetch
-dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1
+dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1
 ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
 sleep 1
 # check that prefetch occurred;
 # note that only one record is prefetched, which is the TXT record in this case,
 # because of the order of the records in the cache
-dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1
+dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1
 ttl3=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
 test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that E was logged on EDNS queries in the query log (${n})"
 ret=0
-dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1
-grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1
-dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1
-grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1
-grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1
+dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any >dig.out.2.${n} || ret=1
+grep "query:
edns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null || ret=1
+dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any >dig.out.2.${n} || ret=1
+grep "query: noedns.fetchall.tld IN ANY" ns5/named.run >/dev/null || ret=1
+grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)"
 ret=0
-echo "-t aaaa" > .digrc
-(HOME="$(pwd)" dig_with_opts @10.53.0.4 . > dig.out.1.${n}) || ret=1
-(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A > dig.out.2.${n}) || ret=1
-(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n}) || ret=1
-grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1
-grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1
-grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1
-grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1
+echo "-t aaaa" >.digrc
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 . >dig.out.1.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 .
A >dig.out.2.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 >dig.out.3.${n}) || ret=1
+grep ';\..*IN.*AAAA$' dig.out.1.${n} >/dev/null || ret=1
+grep ';\..*IN.*A$' dig.out.2.${n} >/dev/null || ret=1
+grep 'extra type option' dig.out.2.${n} >/dev/null && ret=1
+grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 edns=$($FEATURETEST --edns-version)
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that EDNS version is logged (${n})"
 ret=0
-dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1
-grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1
+dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any >dig.out.2.${n} || ret=1
+grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run >/dev/null || ret=1
 if test "${edns:-0}" != 0; then
- dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1
- grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1
+ dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any >dig.out.2.${n} || ret=1
+ grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run >/dev/null || ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 if test "${edns:-0}" != 0; then
- n=$((n+1))
- echo_i "check that edns-version is honoured (${n})"
- ret=0
- dig_with_opts @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1
- grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1
- dig_with_opts @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1
- grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ n=$((n + 1))
+ echo_i "check that edns-version is honoured (${n})"
+ ret=0
+ dig_with_opts @10.53.0.5 +edns no-edns-version.tld >dig.out.1.${n} || ret=1
+ grep "query: no-edns-version.tld IN
A -E(1)" ns6/named.run >/dev/null || ret=1
+ dig_with_opts @10.53.0.5 +edns edns-version.tld >dig.out.2.${n} || ret=1
+ grep "query: edns-version.tld IN A -E(0)" ns7/named.run >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that CNAME nameserver is logged correctly (${n})"
 ret=0
-dig_with_opts soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1
+dig_with_opts soa all-cnames @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that unexpected opcodes are handled correctly (${n})"
 ret=0
-dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
-grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
-grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
-grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
-grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
-grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
+dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag >dig.out.ns5.test${n} || ret=1
+grep "status: NOTIMP" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
+grep "flags:[^;]* rd[; ]"
dig.out.ns5.test${n} >/dev/null && ret=1
+grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
+grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
+grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
 ret=0
 # 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
-dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1
-grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff >dig.out.ns5.test${n} || ret=1
+grep "status: FORMERR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "; EDNS: version:" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that dig +subnet zeros address bits correctly (${n})"
 ret=0
-dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts soa .
@10.53.0.5 +subnet=255.255.255.255/23 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that SOA query returns data for delegation-only apex (${n})"
 ret=0
-dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts soa delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that NS query returns data for delegation-only apex (${n})"
 ret=0
-dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts ns delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that A query returns data for delegation-only A apex (${n})"
 ret=0
-dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts a delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ];
then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that CDS query returns data for delegation-only apex (${n})"
 ret=0
-dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts cds delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
 ret=0
-dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts a delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
 ret=0
-dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts dnskey delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
 ret=0
-dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts cdnskey delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
 ret=0
-dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts a a.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
 ret=0
-dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts cds cds.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
 ret=0
-dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
 ret=0
-dig_with_opts cdnskey
cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
-grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
 ret=0
 # use prefetch disabled server
-dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1
+dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.1.${n} || ret=1
 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n})
 # sleep so we are in expire range
 sleep "${ttl1:-0}"
 # look for ttl = 1, allow for one miss at getting zero ttl
 zerotonine="0 1 2 3 4 5 6 7 8 9"
 zerotonine="$zerotonine $zerotonine $zerotonine"
-for i in $zerotonine $zerotonine $zerotonine $zerotonine
-do
- dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1
- ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
- test "${ttl2:-1}" -eq 0 && break
- test "${ttl2:-1}" -ge "${ttl1:-0}" && break
- "${PERL}" -e 'select(undef, undef, undef, 0.05);'
+for i in $zerotonine $zerotonine $zerotonine $zerotonine; do
+ dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.2.${n} || ret=1
+ ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+ test "${ttl2:-1}" -eq 0 && break
+ test "${ttl2:-1}" -ge "${ttl1:-0}" && break
+ "${PERL}" -e 'select(undef, undef, undef, 0.05);'
 done
 test "${ttl2:-1}" -eq 0 && ret=1
 test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
 ret=0
-dig_with_opts @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1
+dig_with_opts @10.53.0.7 zero.example.net txt >dig.out.1.${n} || ret=1
 ttl=$(awk '/"A"
"zero" "ttl"/ { print $2 }' dig.out.1.${n}) test "${ttl:-1}" -eq 0 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})" ret=0 -dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n -grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec >dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})" ret=0 -dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n -grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec >dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)" ret=0 -dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1 -grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.5 truncated.no-questions. 
a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null || ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
 ret=0
-dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1
-grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1
-grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1
-grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1
+dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} >/dev/null && ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null && ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 if ${FEATURETEST} --enable-querytrace; then
- n=$((n+1))
- echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)"
- ret=0
- nextpart ns5/named.run > /dev/null
- # bind to local address so that addresses in log messages are consistent
- # between platforms
- dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions.
a +tries=2 +timeout=15 > dig.ns5.out.${n} || ret=1
- grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
- check_namedrun() {
- nextpartpeek ns5/named.run > nextpart.out.${n}
- grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} > /dev/null || return 1
- grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} > /dev/null || return 1
- grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} > /dev/null || return 1
- grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} > /dev/null || return 1
+ n=$((n + 1))
+ echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)"
+ ret=0
+ nextpart ns5/named.run >/dev/null
+ # bind to local address so that addresses in log messages are consistent
+ # between platforms
+ dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions. a +tries=2 +timeout=15 >dig.ns5.out.${n} || ret=1
+ grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1
+ check_namedrun() {
+ nextpartpeek ns5/named.run >nextpart.out.${n}
+ grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} >/dev/null || return 1
+ grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} >/dev/null || return 1
+ grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} >/dev/null || return 1
+ grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} >/dev/null || return 1
 return 0
- }
- retry_quiet 12 check_namedrun || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
+ }
+ retry_quiet 12 check_namedrun || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
 ret=0
-dig_with_opts @10.53.0.5 ns.formerr-to-all.
a > dig.ns5.out.${n} || ret=1
-grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.5 ns.formerr-to-all. a >dig.ns5.out.${n} || ret=1
+grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking SERVFAIL is not returned if only some authoritative servers return FORMERR ($n)"
 ret=0
-dig_with_opts @10.53.0.5 ns.partial-formerr. a > dig.ns5.out.${n} || ret=1
-grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null && ret=1
+dig_with_opts @10.53.0.5 ns.partial-formerr. a >dig.ns5.out.${n} || ret=1
+grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check logged command line ($n)"
 ret=0
-grep "running as: .* -m record " ns1/named.run > /dev/null || ret=1
+grep "running as: .* -m record " ns1/named.run >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
 ret=0
-dig_with_opts @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
-grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.${n} || ret=1
+grep "status: NXDOMAIN" dig.ns1.out.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that the addition section for HTTPS is populated on initial query to a recursive server ($n)"
 ret=0
-dig_with_opts @10.53.0.7 www.example.net https > dig.out.ns7.${n} || ret=1
-grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
-grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} > /dev/null || ret=1
-grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1
-grep
"http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 www.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 +grep "http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS loop is handled properly ($n)" ret=0 -dig_with_opts @10.53.0.7 https-loop.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 https-loop.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS -> CNAME loop is handled properly ($n)" ret=0 -dig_with_opts @10.53.0.7 https-cname-loop.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 https-cname-loop.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS cname chains are followed ($n)" 
 ret=0
-dig_with_opts @10.53.0.7 https-cname.example.net https > dig.out.ns7.${n} || ret=1
-grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1
-grep "ADDITIONAL: 4" dig.out.ns7.${n} > /dev/null || ret=1
-grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} > /dev/null || ret=1
-grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1
-grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 https-cname.example.net https >dig.out.ns7.${n} || ret=1
+grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1
+grep "ADDITIONAL: 4" dig.out.ns7.${n} >/dev/null || ret=1
+grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} >/dev/null || ret=1
+grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1
+grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check ADB find loops are detected ($n)"
 ret=0
-dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org > dig.out.ns1.${n} || ret=1
-grep "status: SERVFAIL" dig.out.ns1.${n} > /dev/null || ret=1
+dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org >dig.out.ns1.${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check handling of large referrals to unresponsive name servers ($n)"
 ret=0
-dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
-grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null
|| ret=1
 # Check the total number of findname() calls triggered by a single query
 # for large-referral.example.net/A.
 findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run || true)"
 if [ "${findname_call_count}" -gt 1000 ]; then
- echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net"
- ret=1
+ echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net"
+ ret=1
 fi
 # Check whether the limit of NS RRs processed for any delegation
 # encountered was not exceeded.
 if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then
- echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com"
- ret=1
+ echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com"
+ ret=1
 fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)"
 ret=0
 rndccmd 10.53.0.1 flush || ret=1
-dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT > dig.out.ns1.test${n} || ret=1
-grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
-grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1
+dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT >dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
+grep "IN.*TXT.*baz" dig.out.ns1.test${n} >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
 ret=0
 #
 # The two priming queries are needed until we fix dual-stack-servers fully
 #
-dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1
-dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1
-dig_with_opts
@fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1 -grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A >dig.out.prime1.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA >dig.out.prime2.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A >dig.out.ns9.${n} || ret=1 +grep "status: NOERROR" dig.out.ns9.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check expired TTLs with qtype * (${n})" ret=0 -dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.1.${n} || ret=1 +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.1.${n} || ret=1 ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n}) # sleep TTL + 1 so that record has expired sleep "${ttl1:-0}" -dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.2.${n} || ret=1 +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.2.${n} || ret=1 # check preconditions -grep "ANSWER: 3," dig.out.1.${n} > /dev/null || ret=1 +grep "ANSWER: 3," dig.out.1.${n} >/dev/null || ret=1 lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l) test ${lines:-1} -ne 0 && ret=1 # check behaviour (there may be 1 answer on very slow machines) -grep "ANSWER: [12]," dig.out.2.${n} > /dev/null || ret=1 +grep "ANSWER: [12]," dig.out.2.${n} >/dev/null || ret=1 lines=$(awk '$1 == "mixedttl.tld." 
&& $2 > 30 { print }' dig.out.2.${n} | wc -l) test ${lines:-1} -ne 0 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "check resolver behavior when FORMERR for EDNS options happens (${n})" ret=0 msg="resolving options-formerr/A .* server sent FORMERR with echoed DNS COOKIE" if [ $ret != 0 ]; then echo_i "failed"; fi nextpart ns5/named.run >/dev/null -dig_with_opts +tcp @10.53.0.5 options-formerr A > dig.out.${n} || ret=1 -grep "status: NOERROR" dig.out.${n} > /dev/null || ret=1 -nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 options-formerr A >dig.out.${n} || ret=1 +grep "status: NOERROR" dig.out.${n} >/dev/null || ret=1 +nextpart ns5/named.run | grep "$msg" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in index c3ce3eb..630fa25 100644 --- a/bin/tests/system/rndc/ns2/named.conf.in +++ b/bin/tests/system/rndc/ns2/named.conf.in @@ -38,7 +38,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "nil" { diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in index ed159b4..e3bf42e 100644 --- a/bin/tests/system/rndc/ns3/named.conf.in +++ b/bin/tests/system/rndc/ns3/named.conf.in @@ -40,7 +40,7 @@ view all { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; diff --git a/bin/tests/system/rndc/ns5/named.conf.in b/bin/tests/system/rndc/ns5/named.conf.in index e32fa49..51aacd3 100644 --- a/bin/tests/system/rndc/ns5/named.conf.in +++ b/bin/tests/system/rndc/ns5/named.conf.in @@ -31,5 +31,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index 85d6b73..61ee246 100644 
--- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -28,10 +28,10 @@ cp ns7/include.db.in ns7/include.db # TSAN, to give the test a fighting chance not to time out. size=1000000 if $FEATURETEST --tsan; then - size=250000 + size=250000 fi awk 'END { for (i = 1; i <= '${size}'; i++) - printf "host%d IN A 10.53.0.6\n", i; }' < /dev/null >> ns6/huge.zone.db + printf "host%d IN A 10.53.0.6\n", i; }' >ns6/huge.zone.db copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf @@ -40,11 +40,11 @@ copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf -make_key () { - $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \ - > ns4/key${1}.conf 2> /dev/null - grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \ - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf +make_key() { + $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \ + >ns4/key${1}.conf 2>/dev/null + grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- \ + | sed 's/allow { 10.53.0.4/allow { any/' >>ns4/named.conf } $FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 @@ -54,7 +54,7 @@ make_key 4 ${EXTRAPORT4} hmac-sha256 make_key 5 ${EXTRAPORT5} hmac-sha384 make_key 6 ${EXTRAPORT6} hmac-sha512 -cat >> ns4/named.conf <<- EOF +cat >>ns4/named.conf <<-EOF controls { inet 10.53.0.4 port ${EXTRAPORT7} diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 2afaf8c..701e859 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh 
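Review bot: Dropping `< /dev/null` from the awk invocation that generates ns6/huge.zone.db leaves awk with an END-only program and no file operand, so it now reads standard input until EOF; under the system-test harness stdin is presumably redirected, but run interactively or from a wrapper that leaves stdin open the setup step blocks, and whatever arrives on stdin is silently consumed. Moving the loop into a BEGIN block avoids reading input at all, and passing the count with `-v` rather than splicing `'${size}'` into the program text keeps the shell variable out of the awk source: `awk -v n="${size}" 'BEGIN { for (i = 1; i <= n; i++) printf "host%d IN A 10.53.0.6\n", i }' >ns6/huge.zone.db`. Note also that `>>` became `>`, so the zone file is now truncated on every run instead of appended to; that looks intentional since nothing else in this hunk writes the file, but it is a behaviour change beyond the reformatting the rest of the commit does.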
@@ -18,15 +18,15 @@ set -e DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd" DIGOPTS="" DIGCMD="$DIG $DIGOPTS -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf -s" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "preparing ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 </dev/null 2>&1 < /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 1" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 1" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 1" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is still present ($n)" ret=0 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone not writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 </dev/null 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text2.nil. TXT >dig.out.1.test$n || ret=1 grep 'addition 2' dig.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc thaw" $RNDCCMD 10.53.0.2 thaw | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +wait_for_log 3 "zone_postload: zone nil/IN: done" ns2/named.run + +n=$((n + 1)) echo_i "checking zone now writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <nsupdate.out.1.test$n 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text3.nil. 
TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc sync" ret=0 $RNDCCMD 10.53.0.2 sync nil | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone was dumped ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 3" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 3" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 3" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 3" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is still present ($n)" ret=0 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone is still writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <nsupdate.out.1.test$n 2>&1 < dig.out.1.test$n || ret=1 -grep 'addition 4' dig.out.1.test$n > /dev/null || ret=1 +$DIGCMD @10.53.0.2 text4.nil. 
TXT >dig.out.1.test$n || ret=1 +grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc sync -clean" ret=0 $RNDCCMD 10.53.0.2 sync -clean nil | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone was dumped ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 4" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 4" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 4" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 4" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is deleted ($n)" ret=0 [ -s ns2/nil.db.jnl ] && { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone is still writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 </dev/null 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text4.nil. 
TXT >dig.out.1.test$n || ret=1 grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking other journal files not removed ($n)" ret=0 [ -s ns2/other.db.jnl ] || { - echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "cleaning all zones ($n)" $RNDCCMD 10.53.0.2 sync -clean | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking all journals removed ($n)" ret=0 [ -s ns2/nil.db.jnl ] && { - echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have" + ret=1 } [ -s ns2/other.db.jnl ] && { - echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that freezing static zones is not allowed ($n)" ret=0 -$RNDCCMD 10.53.0.2 freeze static > rndc.out.1.test$n 2>&1 && ret=1 -grep 'not dynamic' rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 freeze static >rndc.out.1.test$n 2>&1 && ret=1 +grep 'not dynamic' rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that journal is removed when serial is changed before thaw ($n)" ret=0 sleep 1 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <nsupdate.out.1.test$n 2>&1 <&1 | sed 's/^/ns2 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 6" ns2/other.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do 
+ grep "addition 6" ns2/other.db >/dev/null && break + sleep 1 done serial=$(awk '$3 ~ /serial/ {print $1}' ns2/other.db) newserial=$((serial + 1)) -sed s/$serial/$newserial/ ns2/other.db > ns2/other.db.new -echo 'frozen TXT "frozen addition"' >> ns2/other.db.new +sed s/$serial/$newserial/ ns2/other.db >ns2/other.db.new +echo 'frozen TXT "frozen addition"' >>ns2/other.db.new mv -f ns2/other.db.new ns2/other.db $RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i sleep 1 [ -f ns2/other.db.jnl ] && { - echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have" + ret=1 } -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <nsupdate.out.2.test$n 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text6.other. TXT >dig.out.1.test$n || ret=1 grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1 -$DIGCMD @10.53.0.2 text7.other. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.2 text7.other. TXT >dig.out.2.test$n || ret=1 grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1 -$DIGCMD @10.53.0.2 frozen.other. TXT > dig.out.3.test$n || ret=1 +$DIGCMD @10.53.0.2 frozen.other. 
TXT >dig.out.3.test$n || ret=1 grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that journal is kept when ixfr-from-differences is in use ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <nsupdate.out.1.test$n 2>&1 <&1 | sed 's/^/ns2 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 6" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 6" ns2/nil.db >/dev/null && break + sleep 1 done serial=$(awk '$3 ~ /serial/ {print $1}' ns2/nil.db) newserial=$((serial + 1)) -sed s/$serial/$newserial/ ns2/nil.db > ns2/nil.db.new -echo 'frozen TXT "frozen addition"' >> ns2/nil.db.new +sed s/$serial/$newserial/ ns2/nil.db >ns2/nil.db.new +echo 'frozen TXT "frozen addition"' >>ns2/nil.db.new mv -f ns2/nil.db.new ns2/nil.db $RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i sleep 1 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <nsupdate.out.2.test$n 2>&1 < dig.out.1.test$n || ret=1 -grep 'addition 6' dig.out.1.test$n > /dev/null || ret=1 -$DIGCMD @10.53.0.2 text7.nil. TXT > dig.out.2.test$n || ret=1 -grep 'addition 7' dig.out.2.test$n > /dev/null || ret=1 -$DIGCMD @10.53.0.2 frozen.nil. TXT > dig.out.3.test$n || ret=1 +$DIGCMD @10.53.0.2 text6.nil. TXT >dig.out.1.test$n || ret=1 +grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 text7.nil. TXT >dig.out.2.test$n || ret=1 +grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 frozen.nil. 
TXT >dig.out.3.test$n || ret=1 grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # temp test echo_i "dumping stats ($n)" $RNDCCMD 10.53.0.2 stats -n=$((n+1)) +n=$((n + 1)) echo_i "verifying adb records in named.stats ($n)" -grep "ADB stats" ns2/named.stats > /dev/null || ret=1 +grep "ADB stats" ns2/named.stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test using second key ($n)" ret=0 -$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status > /dev/null || ret=1 +$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc dumpdb' on a empty cache ($n)" ret=0 rndc_dumpdb ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reload' on a zone with include files ($n)" ret=0 -grep "incl/IN: skipping load" ns2/named.run > /dev/null && ret=1 +grep "incl/IN: skipping load" ns2/named.run >/dev/null && ret=1 loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) [ "$loads" -eq 1 ] || ret=1 -$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 -do - tmp=0 - grep "incl/IN: skipping load" ns2/named.run > /dev/null || tmp=1 - [ $tmp -eq 0 ] && break - sleep 1 +$RNDCCMD 10.53.0.2 reload >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9; do + tmp=0 + grep "incl/IN: skipping load" ns2/named.run >/dev/null || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 done [ $tmp -eq 1 ] && ret=1 touch ns2/static.db -$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 -do - tmp=0 - loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) - [ "$loads" -eq 2 ] || tmp=1 - [ $tmp 
-eq 0 ] && break - sleep 1 +$RNDCCMD 10.53.0.2 reload >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9; do + tmp=0 + loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) + [ "$loads" -eq 2 ] || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 done [ $tmp -eq 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) if $FEATURETEST --md5; then - echo_i "testing rndc with hmac-md5 ($n)" - ret=0 - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 - for i in 2 3 4 5 6 - do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status >/dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping rndc with hmac-md5 ($n)" + echo_i "skipping rndc with hmac-md5 ($n)" fi -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha1 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1 -for i in 1 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status >/dev/null 2>&1 || ret=1 +for i in 1 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha224 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf 
status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha256 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha384 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 4 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 4 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha512 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 4 5 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 4 5; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status >/dev/null 2>&1 2>&1 && ret=1 done if [ $ret != 0 ]; then 
echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing single control channel with multiple algorithms ($n)" ret=0 -for i in 1 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status >/dev/null 2>&1 || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing automatic zones are reported ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n || ret=1 -grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n || ret=1 +grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with null command ($n)" ret=0 $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with unknown control channel command ($n)" ret=0 $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf obviouslynotacommand >/dev/null 2>&1 && ret=1 # rndc: 'obviouslynotacommand' failed: unknown command if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with querylog command ($n)" ret=0 # first enable it with querylog on option $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog on >/dev/null 2>&1 || ret=1 -grep "query logging is now on" ns4/named.run > /dev/null || ret=1 +grep "query logging is now on" ns4/named.run >/dev/null || ret=1 # query for builtin and check if query was 
logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr > dig.out.1.test$n 2>&1 || ret=1 -grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run > /dev/null || ret=1 +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr >dig.out.1.test$n 2>&1 || ret=1 +grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1) -$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr > dig.out.2.test$n 2>&1 || ret=1 -grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr >dig.out.2.test$n 2>&1 || ret=1 +grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1/24) -$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr > dig.out.3.test$n 2>&1 || ret=1 -grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr >dig.out.3.test$n 2>&1 || ret=1 +grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=::1) -$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr > dig.out.4.test$n 2>&1 || ret=1 -grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr >dig.out.4.test$n 2>&1 || ret=1 +grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run >/dev/null || ret=1 # toggle query logging and check again -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog > /dev/null 2>&1 || ret=1 -grep "query logging is now off" 
ns4/named.run > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog >/dev/null 2>&1 || ret=1 +grep "query logging is now off" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr > dig.out.5.test$n 2>&1 || ret=1 -grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run > /dev/null && ret=1 +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr >dig.out.5.test$n 2>&1 || ret=1 +grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) RNDCCMD4="$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf" -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc nta time limits ($n)" ret=0 -$RNDCCMD4 nta -l 2h nta1.example > rndc.out.1.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.1.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 1d nta2.example > rndc.out.2.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.2.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 1w nta3.example > rndc.out.3.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.3.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 8d nta4.example > rndc.out.4.test$n 2>&1 && ret=1 -grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=1 +$RNDCCMD4 nta -l 2h nta1.example >rndc.out.1.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.1.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 1d nta2.example >rndc.out.2.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.2.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 1w nta3.example >rndc.out.3.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.3.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 8d nta4.example >rndc.out.4.test$n 2>&1 && ret=1 +grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
-status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc nta -class option ($n)" ret=0 -nextpart ns4/named.run > /dev/null -$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 -$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 -$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 -$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1 && ret=1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 -grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - -for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288 -do - n=$((n+1)) - echo_i "testing rndc buffer size limits (size=${i}) ($n)" - ret=0 - $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1 - { actual_size=$($GENCHECK rndc.out.$i.test$n); rc=$?; } || true - if [ "$rc" = "0" ]; then - expected_size=$((i+1)) - if [ $actual_size != $expected_size ]; then ret=1; fi - else - ret=1 - fi - - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +nextpart ns4/named.run >/dev/null +$RNDCCMD4 nta -c in nta1.example >rndc.out.1.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null || ret=1 +$RNDCCMD4 nta -c any nta1.example >rndc.out.2.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null || ret=1 +$RNDCCMD4 nta -c ch nta1.example >rndc.out.3.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null && ret=1 +$RNDCCMD4 nta -c fake nta1.example >rndc.out.4.test$n 2>&1 && ret=1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null && ret=1 +grep 'unknown class' 
rndc.out.4.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288; do + n=$((n + 1)) + echo_i "testing rndc buffer size limits (size=${i}) ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 >rndc.out.$i.test$n || ret=1 + { + actual_size=$($GENCHECK rndc.out.$i.test$n) + rc=$? + } || true + if [ "$rc" = "0" ]; then + expected_size=$((i + 1)) + if [ $actual_size != $expected_size ]; then ret=1; fi + else + ret=1 + fi + + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc -r (show result) ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 > rndc.out.1.test$n || ret=1 -grep "ISC_R_SUCCESS 0" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 >rndc.out.1.test$n || ret=1 +grep "ISC_R_SUCCESS 0" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with a token containing a space ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 > rndc.out.1.test$n || ret=1 -grep "not found" rndc.out.1.test$n > /dev/null && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 >rndc.out.1.test$n || ret=1 +grep "not found" rndc.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reconfig' with a broken config ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >/dev/null || ret=1 sleep 1 mv ns4/named.conf ns4/named.conf.save -echo "error error 
error" >> ns4/named.conf -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > rndc.out.1.test$n 2>&1 && ret=1 -grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n > /dev/null || ret=1 +echo "error error error" >>ns4/named.conf +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >rndc.out.1.test$n 2>&1 && ret=1 +grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc status reports failure ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 -grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore working config ($n)" ret=0 mv ns4/named.conf.save ns4/named.conf sleep 1 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >/dev/null || ret=1 sleep 1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc status' 'reload/reconfig failure' is cleared after successful reload/reconfig ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 -grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) 
echo_i "test read-only control channel access ($n)" ret=0 -$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 -$RNDCCMD 10.53.0.5 nta -dump > rndc.out.2.test$n 2>&1 || ret=1 -$RNDCCMD 10.53.0.5 reconfig > rndc.out.3.test$n 2>&1 && ret=1 +$RNDCCMD 10.53.0.5 status >rndc.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 nta -dump >rndc.out.2.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 reconfig >rndc.out.3.test$n 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test rndc status shows running on ($n)" ret=0 -$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 -grep "^running on " rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.5 status >rndc.out.1.test$n 2>&1 || ret=1 +grep "^running on " rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reconfig' with loading of a large zone ($n)" ret=0 -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null cp ns6/named.conf ns6/named.conf.save -echo "zone \"huge.zone\" { type primary; file \"huge.zone.db\"; };" >> ns6/named.conf +echo "zone \"huge.zone\" { type primary; file \"huge.zone.db\"; };" >>ns6/named.conf echo_i "reloading config" -$RNDCCMD 10.53.0.6 reconfig > rndc.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.6 reconfig >rndc.out.1.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "check if zone load was scheduled ($n)" wait_for_log_peek 20 "scheduled loading new zones" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check if query for the zone returns SERVFAIL ($n)" -$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n -grep "SERVFAIL" dig.out.1.test$n > 
/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed (ignored)"; ret=0; fi -status=$((status+ret)) +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone >dig.out.1.test$n +grep "SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed (ignored)" + ret=0 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for the zones to be loaded ($n)" wait_for_log_peek 60 "huge.zone/IN: loaded serial" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check if query for the zone returns NOERROR ($n)" -$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n -grep "NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone >dig.out.1.test$n +grep "NOERROR" dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify that the full command is logged ($n)" ret=0 -$RNDCCMD 10.53.0.2 null with extra arguments > /dev/null 2>&1 -grep "received control channel command 'null with extra arguments'" ns2/named.run > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 null with extra arguments >/dev/null 2>&1 +grep "received control channel command 'null with extra arguments'" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) mv ns6/named.conf.save ns6/named.conf sleep 1 -$RNDCCMD 10.53.0.6 reconfig > /dev/null || ret=1 +$RNDCCMD 10.53.0.6 reconfig >/dev/null || ret=1 sleep 1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc \"\"' is handled ($n)" ret=0 -$RNDCCMD 10.53.0.2 "" > rndc.out.1.test$n 2>&1 && ret=1 -grep "rndc: '' failed: failure" rndc.out.1.test$n > /dev/null +$RNDCCMD 10.53.0.2 "" >rndc.out.1.test$n 2>&1 && ret=1 +grep "rndc: '' failed: 
failure" rndc.out.1.test$n >/dev/null if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc -4 -6 ($n)" ret=0 -$RNDCCMD 10.53.0.2 -4 -6 status > rndc.out.1.test$n 2>&1 && ret=1 -grep "only one of -4 and -6 allowed" rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 -4 -6 status >rndc.out.1.test$n 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc -4 with an IPv6 server address ($n)" ret=0 -$RNDCCMD fd92:7065:b8e:ffff::2 -4 status > rndc.out.1.test$n 2>&1 && ret=1 -grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD fd92:7065:b8e:ffff::2 -4 status >rndc.out.1.test$n 2>&1 && ret=1 +grep "address family not supported" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc nta reports adding to multiple views ($n)" ret=0 -$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 nta test.com >rndc.out.test$n 2>&1 || ret=1 lines=$(cat rndc.out.test$n | wc -l) [ ${lines:-0} -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc retransfer' of primary error message ($n)" ret=0 -$RNDCCMD 10.53.0.2 retransfer nil > rndc.out.test$n 2>&1 && ret=1 -grep "rndc: 'retransfer' failed: failure" rndc.out.test$n > /dev/null || ret=1 -grep "retransfer: inappropriate zone type: primary" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 retransfer nil >rndc.out.test$n 2>&1 && ret=1 +grep "rndc: 'retransfer' failed: failure" rndc.out.test$n >/dev/null || ret=1 +grep "retransfer: inappropriate zone type: primary" rndc.out.test$n >/dev/null || 
ret=1 lines=$(cat rndc.out.test$n | wc -l) [ ${lines:-0} -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc freeze' with in-view zones works ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze > rndc.out.test$n 2>&1 || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze >rndc.out.test$n 2>&1 || ret=1 test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking non in-view zone instance is not writable ($n)" ret=0 -$NSUPDATE -p ${PORT} > /dev/null 2>&1 </dev/null 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc thaw' with in-view zones works ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw > rndc.out.test$n 2>&1 || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw >rndc.out.test$n 2>&1 || ret=1 test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking non in-view zone instance is now writable ($n)" ret=0 -$NSUPDATE -p ${PORT} > nsupdate.out.test$n 2>&1 <nsupdate.out.test$n 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. 
TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking initial in-view zone file is loaded ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.1.test$n || ret=1 grep 'include 1' dig.out.1.test$n >/dev/null || ret=1 TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.2.test$n || ret=1 grep 'include 1' dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "update in-view zone ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$NSUPDATE -p ${PORT} -y "$TSIG" > /dev/null 2>&1 </dev/null 2>&1 < dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text2.test. TXT >dig.out.1.test$n || ret=1 grep 'addition 1' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -nextpart ns7/named.run > /dev/null +nextpart ns7/named.run >/dev/null echo_i "rndc freeze" $RNDCCMD 10.53.0.7 freeze | sed 's/^/ns7 /' | cat_i | cat_i 
@@ -798,17 +804,26 @@ $RNDCCMD 10.53.0.7 reload | sed 's/^/ns7 /' | cat_i wait_for_log 3 "all zones loaded" ns7/named.run -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone file edits are loaded ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.1.test$n || ret=1 grep 'include 2' dig.out.1.test$n >/dev/null || ret=1 TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.2.test$n || ret=1 grep 'include 2' dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc nta -dump reports NTAs in multiple views ($n)" +ret=0 +$RNDCCMD 10.53.0.3 nta -dump >rndc.out.test$n 2>&1 || ret=1 +lines=$(cat rndc.out.test$n | wc -l) +[ ${lines:-0} -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rndc/tests_cve-2023-3341.py b/bin/tests/system/rndc/tests_cve-2023-3341.py new file mode 100644 index 0000000..de2991b --- /dev/null +++ b/bin/tests/system/rndc/tests_cve-2023-3341.py 
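Review bot: The new NTA dump step at the end of the hunk counts output lines with `lines=$(cat rndc.out.test$n | wc -l)`, which spawns cat only to feed wc; `lines=$(wc -l <rndc.out.test$n)` reads the file directly and keeps the pipeline out of the status check. The step also asserts only that exactly two lines came back; if the dump output names the NTA (presumably `test.com`, the name added by the earlier `nta test.com` step elsewhere in this file), a `grep -c` for that name would make the test fail for the right reason rather than on a coincidental line count. Note that the same cat-into-wc pattern already exists in the older "nta reports adding to multiple views" step, so both could be fixed together.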
@@ -0,0 +1,57 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import socket +import time + +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.query +import dns.rcode + + +def test_cve_2023_3341(named_port, control_port): + depth = 4500 + # Should not be more than isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768) + total_len = 10 + (depth * 7) - 6 + + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + data = b"".join( + [ + total_len.to_bytes(4, "big"), # + b"\x00\x00\x00\x01", # + b"\x01\x41", # + ] + ) + + for i in range(depth, 0, -1): + l = (i - 1) * 7 + t = b"".join( + [ + b"\x02", # ISCCC_CCMSGTYPE_TABLE + l.to_bytes(4, "big"), # + b"\x01\x41", # + ] + ) + data = b"".join([data, t]) + + s.connect(("10.53.0.2", control_port)) + s.sendall(data) + + # Wait for named to (possibly) crash + time.sleep(10) + msg = dns.message.make_query("version.bind", "TXT", "CH") + ans = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port) + assert ans.rcode() == dns.rcode.NOERROR diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh index 0f20053..dd33bd9 100644 --- a/bin/tests/system/rootkeysentinel/ns1/sign.sh +++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh 
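Review bot: The comment above `total_len` says the message must stay within the 32768-byte limit configured by `isccc_ccmsg_setmaxsize`, but nothing enforces it, so a later edit to `depth` could silently build a message that is discarded on size and the test would pass without exercising the condition it is meant to regress; `assert total_len <= 32768` beside the comment makes the precondition explicit. The loop variable `l` is easily confused with `1` and trips most linters (E741); `body_len` would read better. The fixed `time.sleep(10)` and the hard-coded `10.53.0.2` are tolerable for a system test, but they could be lifted next to the `named_port`/`control_port` fixtures, which presumably come from a shared conftest outside this diff.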
@@ -20,16 +20,16 @@ zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)') -(cd ../ns2 && $SHELL sign.sh ${keyid:-00000} ) +(cd ../ns2 && $SHELL sign.sh ${keyid:-00000}) cp ../ns2/dsset-example. . -cat $infile $keyname.key > $zonefile +cat $infile $keyname.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh index 3e48f8a..456c96f 100644 --- a/bin/tests/system/rootkeysentinel/ns2/sign.sh +++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh 
@@ -26,15 +26,15 @@ keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile -echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >> $zonefile -echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >> $zonefile -echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >> $zonefile -echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >> $zonefile -echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >> $zonefile -echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >> $zonefile -echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >> $zonefile -echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >> $zonefile -echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >> $zonefile +echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >>$zonefile +echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >>$zonefile +echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >>$zonefile +echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >>$zonefile +echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >>$zonefile +echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >>$zonefile +echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >>$zonefile +echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >>$zonefile +echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >>$zonefile +echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >>$zonefile -$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null diff --git a/bin/tests/system/rootkeysentinel/tests.sh b/bin/tests/system/rootkeysentinel/tests.sh index bfe653c..3e0a487 100644 --- a/bin/tests/system/rootkeysentinel/tests.sh +++ b/bin/tests/system/rootkeysentinel/tests.sh 
@@ -23,22 +23,22 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" newtest() { - n=$((n + 1)) - case $# in - 1) - echo_i "$1 ($n)" - ;; - 2) - echo_i "$1" - echo_ic "$2 ($n)" - ;; - esac - ret=0 + n=$((n + 1)) + case $# in + 1) + echo_i "$1 ($n)" + ;; + 2) + echo_i "$1" + echo_ic "$2 ($n)" + ;; + esac + ret=0 } newtest "get test ids" -$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 > dig.out.ns1.test$n || ret=1 -oldid=$(sed -n 's/.*key id = //p' < dig.out.ns1.test$n) +$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 >dig.out.ns1.test$n || ret=1 +oldid=$(sed -n 's/.*key id = //p' dig.out.ns2.test$n -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 example SOA >dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check test zone resolves with 'root-key-sentinel yes;'" " (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 example SOA > dig.out.ns3.test$n -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 example SOA >dig.out.ns3.test$n +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: 
SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; 
fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta, CD=1 and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A 
>dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-1234.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-1234.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A 
>dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." 
dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep 
"bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check test zone resolves with 'root-key-sentinel no;'" " (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 example SOA > dig.out.ns4.test$n -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 example SOA >dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns4.test$n || 
ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A > dig.out.ns4.test$n || ret=1 -grep 
"status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 old-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" 
dig.out.ns4.test$n > /dev/null || ret=1 -grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 old-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." 
dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." 
dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 35d6211..07cd667 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -16,16 +16,19 @@ USAGE="$0: [-Px]" DEBUG= while getopts "Px" c; do - case $c in - x) set -x ;; - P) PARTIAL=set ;; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) set -x ;; + P) PARTIAL=set ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # this might be called from setup.sh to partially clean up the files @@ -42,16 +45,16 @@ rm -f */policy2.db rm -f */*.jnl if [ ${PARTIAL:-unset} = unset ]; then - rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp - rm -f ns5/requests ns5/*.perf - rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key - rm -f */*.log */*core */*.pid - rm -f ns*/named.lock - rm -f ns*/named.conf - rm -f ns*/*switch - rm -f dnsrps*.conf - rm -f dnsrpzd.conf - rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid - rm -f ns*/managed-keys.bind* - rm -f tmp + rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp + rm -f ns5/requests ns5/*.perf + rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key + rm -f */*.log */*core */*.pid + rm -f ns*/named.lock + rm -f ns*/named.conf + rm -f ns*/*switch + rm -f dnsrps*.conf + rm -f dnsrpzd.conf + rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid + rm -f ns*/managed-keys.bind* + rm -f tmp fi 
diff --git a/bin/tests/system/rpz/qperf.sh b/bin/tests/system/rpz/qperf.sh index 146d1e2..1ec64fe 100644 --- a/bin/tests/system/rpz/qperf.sh +++ b/bin/tests/system/rpz/qperf.sh @@ -12,11 +12,11 @@ # information regarding copyright ownership. for QDIR in $(echo "$PATH" | tr : ' ') ../../../../contrib/queryperf; do - QPERF=$QDIR/queryperf - if test -f "$QPERF" -a -x "$QPERF"; then - echo $QPERF - exit 0 - fi + QPERF=$QDIR/queryperf + if test -f "$QPERF" -a -x "$QPERF"; then + echo $QPERF + exit 0 + fi done exit 0 diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 75e4957..b263fda 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -22,26 +22,32 @@ QPERF=$($SHELL qperf.sh) USAGE="$0: [-DNx]" DEBUG= while getopts "DNx" c; do - case $c in - x) set -x; DEBUG=-x ;; - D) TEST_DNSRPS="-D" ;; - N) PARTIAL=-P ;; - *) echo "$USAGE" 1>&2; exit 1 ;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + D) TEST_DNSRPS="-D" ;; + N) PARTIAL=-P ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi if [ ${NOCLEAN:-unset} = unset ]; then - $SHELL clean.sh $PARTIAL $DEBUG + $SHELL clean.sh $PARTIAL $DEBUG fi for dir in ns*; do - touch $dir/named.run - nextpart $dir/named.run > /dev/null + touch $dir/named.run + nextpart $dir/named.run >/dev/null done copy_setports ns1/named.conf.in ns1/named.conf 
@@ -70,7 +76,7 @@ test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS= # drop,tcp-only} are used to check policy overrides in named.conf. # NO-OP is an obsolete synonym for PASSHTRU for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do - sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db + sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done # bl zones are dynamically updated. Add one zone that is updated manually. cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db @@ -86,13 +92,13 @@ cp ns5/expire.conf.in ns5/expire.conf # $2=domain name # $3=input zone file # $4=output file -signzone () { - KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2) - cat $1/$3 $1/$KEYNAME.key > $1/tmp - $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null - sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf - DSFILENAME=dsset-${2}. - rm $DSFILENAME $1/tmp +signzone() { + KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2) + cat $1/$3 $1/$KEYNAME.key >$1/tmp + $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null + sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf + DSFILENAME=dsset-${2}. + rm $DSFILENAME $1/tmp } signzone ns2 tld2s base-tld2s.db tld2s.db 
@@ -140,20 +146,20 @@ ns1.x.rpz-nsdname CNAME . EOF if test -n "$QPERF"; then - # Do not build the full zones if we will not use them. - $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { + # Do not build the full zones if we will not use them. + $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256); }' >>ns5/example.db - echo >>ns5/bl.db - echo "; rewrite some names" >>ns5/bl.db - $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) { + echo >>ns5/bl.db + echo "; rewrite some names" >>ns5/bl.db + $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) { printf("host-%05d.example.tld5\tCNAME\t.\n", $val); }' >>ns5/bl.db - echo >>ns5/bl.db - echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db - $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) { + echo >>ns5/bl.db + echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db + $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) { printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n", $val%256, $val/256); }' >>ns5/bl.db @@ -172,8 +178,8 @@ cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db # Run dnsrpzd to get the license and prime the static policy zones if test -n "$TEST_DNSRPS"; then - DNSRPZD="$(../rpz/dnsrps -p)" - cd ns3 - "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ - -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 + DNSRPZD="$(../rpz/dnsrps -p)" + cd ns3 + "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ + -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 fi diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 658250e..199e75d 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh 
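Review bot: The daemon launch at the end of setup.sh runs `"$DNSRPZ"`, but the assignment two lines earlier is to `DNSRPZD="$(../rpz/dnsrps -p)"`; unless `DNSRPZ` is exported by ../conf.sh (not visible here) the command word expands to nothing, dnsrpzd never starts, and the error is hidden because both stdout and stderr are sent to `./dnsrpzd.run`. The mismatch predates this reformat, but the hunk re-presents the lines as new and only the `-D` (TEST_DNSRPS) path is affected, which is probably why it went unnoticed. Change the invocation to `"$DNSRPZD" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \` and guard the directory change with `cd ns3 || exit 1`, since a failed `cd` would otherwise run the daemon from the test root with every `../` path pointing one level too high.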
@@ -21,16 +21,16 @@ set -e
 . ../conf.sh

 ns=10.53.0
-ns1=$ns.1 # root, defining the others
-ns2=$ns.2 # authoritative server whose records are rewritten
-ns3=$ns.3 # main rewriting resolver
-ns4=$ns.4 # another authoritative server that is rewritten
-ns5=$ns.5 # another rewriting resolver
-ns6=$ns.6 # a forwarding server
-ns7=$ns.7 # another rewriting resolver
-ns8=$ns.8 # another rewriting resolver
-ns9=$ns.9 # another rewriting resolver
-ns10=$ns.10 # authoritative server
+ns1=$ns.1 # root, defining the others
+ns2=$ns.2 # authoritative server whose records are rewritten
+ns3=$ns.3 # main rewriting resolver
+ns4=$ns.4 # another authoritative server that is rewritten
+ns5=$ns.5 # another rewriting resolver
+ns6=$ns.6 # a forwarding server
+ns7=$ns.7 # another rewriting resolver
+ns8=$ns.8 # another rewriting resolver
+ns9=$ns.9 # another rewriting resolver
+ns10=$ns.10 # authoritative server

 HAVE_CORE=

@@ -43,90 +43,100 @@ ARGS= USAGE="$0: [-xS]" while getopts "xS:" c; do - case $c in - x) set -x; DEBUG=-x; ARGS="$ARGS -x";; - S) SAVE_RESULTS=-S; ARGS="$ARGS -S";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ARGS="$ARGS -x" + ;; + S) + SAVE_RESULTS=-S + ARGS="$ARGS -S" + ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # really quit on control-C trap 'exit 1' 1 2 15 TS='%H:%M:%S ' TS= -comment () { - if test -n "$TS"; then - date "+${TS}$*" | cat_i - fi +comment() { + if test -n "$TS"; then + date "+${TS}$*" | cat_i + fi } DNSRPSCMD=./dnsrps -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" if test -x "$DNSRPSCMD"; then - # speed up the many delays for dnsrpzd by waiting only 0.1 seconds - WAIT_CMD="$DNSRPSCMD -w 0.1" - TEN_SECS=100 + # speed up the many delays for dnsrpzd by waiting only 0.1 seconds + WAIT_CMD="$DNSRPSCMD -w 0.1" + TEN_SECS=100 else - WAIT_CMD="sleep 1" - TEN_SECS=10 + WAIT_CMD="sleep 1" + TEN_SECS=10 fi -digcmd () { - if test "$1" = TCP; then - shift - fi - # Default to +noauth and @$ns3 - # Also default to -bX where X is the @value so that OS X will choose - # the right IP source address. - digcmd_args=$(echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" | \ - sed -e "/@/!s/.*/& @$ns3/" \ - -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ - -e '/+n?o?auth/!s/.*/+noauth &/') - #echo_i "dig $digcmd_args 1>&2 - $DIG $digcmd_args || return +digcmd() { + if test "$1" = TCP; then + shift + fi + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS X will choose + # the right IP source address. 
+ digcmd_args=$(echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" \ + | sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/') + #echo_i "dig $digcmd_args 1>&2 + $DIG $digcmd_args || return } # set DIGNM=file name for dig output GROUP_NM= TEST_NUM=0 -make_dignm () { - TEST_NUM=$((TEST_NUM + 1)) - DIGNM=dig.out$GROUP_NM-$TEST_NUM - while test -f $DIGNM; do - DIGNM="$DIGNM+" - done +make_dignm() { + TEST_NUM=$((TEST_NUM + 1)) + DIGNM=dig.out$GROUP_NM-$TEST_NUM + while test -f $DIGNM; do + DIGNM="$DIGNM+" + done } -setret () { - ret=1 - status=$((status + 1)) - echo_i "$*" +setret() { + ret=1 + status=$((status + 1)) + echo_i "$*" } # set $SN to the SOA serial number of a zone # $1=domain # $2=DNS server and client IP address get_sn() { - SOA=$($DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2") - SN=$(expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*' || true) - test "$SN" != "" && return - echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" - exit 1 + SOA=$($DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2") + SN=$(expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*' || true) + test "$SN" != "" && return + echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" + exit 1 } -get_sn_fast () { - RSN=$($DNSRPSCMD -n "$1") - #echo "dnsrps serial for $1 is $RSN" - if test -z "$RSN"; then - echo_i "dnsrps failed to get SOA serial number for $1" - exit 1 - fi +get_sn_fast() { + RSN=$($DNSRPSCMD -n "$1") + #echo "dnsrps serial for $1 is $RSN" + if test -z "$RSN"; then + echo_i "dnsrps failed to get SOA serial number for $1" + exit 1 + fi } # check that dnsrpzd has loaded its zones 
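Review bot: In digcmd the third sed expression `-e '/+n?o?auth/!s/.*/+noauth &/'` is a basic regular expression, where `?` is a literal character, so the address can only match the text `+n?o?auth` and `+noauth` is prepended to every query — including the later `nochange a0-1.tld2s srv +auth +dnssec` case (test 30), which appears to work only because dig honours the last `+auth`/`+noauth` it sees. A portable spelling that matches both `+auth` and `+noauth` is `-e '/+\(no\)\{0,1\}auth/!s/.*/+noauth &/'`. Separately, `getopts "xS:"` declares an argument for `-S` while the `S)` arm discards `$OPTARG` and `USAGE` advertises `[-xS]`; either drop the colon or document what the argument is for. The `../_common/rndc.conf` path change itself is consistent with the new `bin/tests/system/_common/` directory in the diffstat.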
@@ -134,25 +144,25 @@ get_sn_fast () {
 # $2=DNS server IP address
 FZONES=$(sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf)
 dnsrps_loaded() {
- test "$mode" = dnsrps || return 0
- n=0
- for V in $FZONES; do
- eval "$V"
- get_sn $Z $M
- while true; do
- get_sn_fast "$Z"
- if test "$SN" -eq "0$RSN"; then
- #echo "$Z @$M serial=$SN"
- break
- fi
- n=$((n + 1))
- if test "$n" -gt $TEN_SECS; then
- echo_i "dnsrps serial for $Z is $RSN instead of $SN"
- exit 1
- fi
- $WAIT_CMD
- done
+ test "$mode" = dnsrps || return 0
+ n=0
+ for V in $FZONES; do
+ eval "$V"
+ get_sn $Z $M
+ while true; do
+ get_sn_fast "$Z"
+ if test "$SN" -eq "0$RSN"; then
+ #echo "$Z @$M serial=$SN"
+ break
+ fi
+ n=$((n + 1))
+ if test "$n" -gt $TEN_SECS; then
+ echo_i "dnsrps serial for $Z is $RSN instead of $SN"
+ exit 1
+ fi
+ $WAIT_CMD
 done
+ done
 }

 # check the serial number in an SOA to ensure that a policy zone has
@@ -161,219 +171,219 @@ dnsrps_loaded() { # $2=domain # $3=DNS server ck_soa() { - n=0 - while true; do - if test "$mode" = dnsrps; then - get_sn_fast "$2" - test "$RSN" -eq "$1" && return - else - get_sn "$2" "$3" - test "$SN" -eq "$1" && return - fi - n=$((n + 1)) - if test "$n" -gt $TEN_SECS; then - echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" - return - fi - $WAIT_CMD - done + n=0 + while true; do + if test "$mode" = dnsrps; then + get_sn_fast "$2" + test "$RSN" -eq "$1" && return + else + get_sn "$2" "$3" + test "$SN" -eq "$1" && return + fi + n=$((n + 1)) + if test "$n" -gt $TEN_SECS; then + echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" + return + fi + $WAIT_CMD + done } # (re)load the response policy zones with the rules in the file $TEST_FILE -load_db () { - if test -n "$TEST_FILE"; then - copy_setports $TEST_FILE tmp - if $NSUPDATE -v tmp; then : - $RNDCCMD $ns3 sync - else - echo_i "failed to update policy zone with $TEST_FILE" - $RNDCCMD $ns3 sync - exit 1 - fi - rm -f tmp +load_db() { + if test -n "$TEST_FILE"; then + copy_setports $TEST_FILE tmp + if $NSUPDATE -v tmp; then + : + $RNDCCMD $ns3 sync + else + echo_i "failed to update policy zone with $TEST_FILE" + $RNDCCMD $ns3 sync + exit 1 fi + rm -f tmp + fi } # restart name server # $1 ns number # $2 rebuild bl rpz zones if "rebuild-bl-rpz" -restart () { - # try to ensure that the server really has stopped - # and won't mess with ns$1/name.pid - if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then - $RNDCCMD $ns$1 halt >/dev/null 2>&1 - if test -f ns$1/named.pid; then - sleep 1 - PID=$(cat ns$1/named.pid 2>/dev/null) - if test -n "$PID"; then - echo_i "killing ns$1 server $PID" - kill -9 $PID - fi - fi +restart() { + # try to ensure that the server really has stopped + # and won't mess with ns$1/name.pid + if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then + $RNDCCMD $ns$1 halt >/dev/null 2>&1 + if test -f ns$1/named.pid; then + sleep 1 + PID=$(cat ns$1/named.pid 
2>/dev/null) + if test -n "$PID"; then + echo_i "killing ns$1 server $PID" + kill -9 $PID + fi fi - rm -f ns$1/*.jnl - if [ "$2" = "rebuild-bl-rpz" ]; then - if test -f ns$1/base.db; then - for NM in ns$1/bl*.db; do - cp -f ns$1/base.db $NM - done - fi + fi + rm -f ns$1/*.jnl + if [ "$2" = "rebuild-bl-rpz" ]; then + if test -f ns$1/base.db; then + for NM in ns$1/bl*.db; do + cp -f ns$1/base.db $NM + done fi - start_server --noclean --restart --port ${PORT} ns$1 - load_db - dnsrps_loaded - sleep 1 + fi + start_server --noclean --restart --port ${PORT} ns$1 + load_db + dnsrps_loaded + sleep 1 } # $1=server and irrelevant args # $2=error message -ckalive () { - CKALIVE_NS=$(expr "$1" : '.*@ns\([1-9]\).*' || true) - if test -z "$CKALIVE_NS"; then - CKALIVE_NS=3 - fi - eval CKALIVE_IP=\$ns$CKALIVE_NS - $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 - HAVE_CORE=yes - setret "$2" - # restart the server to avoid stalling waiting for it to stop - restart $CKALIVE_NS "rebuild-bl-rpz" - return 0 +ckalive() { + CKALIVE_NS=$(expr "$1" : '.*@ns\([1-9]\).*' || true) + if test -z "$CKALIVE_NS"; then + CKALIVE_NS=3 + fi + eval CKALIVE_IP=\$ns$CKALIVE_NS + $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 + HAVE_CORE=yes + setret "$2" + # restart the server to avoid stalling waiting for it to stop + restart $CKALIVE_NS "rebuild-bl-rpz" + return 0 } -resetstats () { - NSDIR=$1 - eval "${NSDIR}_CNT=''" +resetstats() { + NSDIR=$1 + eval "${NSDIR}_CNT=''" } -ckstats () { - HOST=$1 - LABEL="$2" - NSDIR="$3" - EXPECTED="$4" - $RNDCCMD $HOST stats - NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $NSDIR/named.stats | tail -1) - eval "OLD_CNT=\$${NSDIR}_CNT" - NEW_CNT=$((NEW_CNT)) - OLD_CNT=$((OLD_CNT)) - GOT=$((NEW_CNT - OLD_CNT)) - if test "$GOT" -ne "$EXPECTED"; then - setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" - fi - eval "${NSDIR}_CNT=$NEW_CNT" +ckstats() { + HOST=$1 + LABEL="$2" + NSDIR="$3" + EXPECTED="$4" + $RNDCCMD $HOST 
stats + NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1) + eval "OLD_CNT=\$${NSDIR}_CNT" + NEW_CNT=$((NEW_CNT)) + OLD_CNT=$((OLD_CNT)) + GOT=$((NEW_CNT - OLD_CNT)) + if test "$GOT" -ne "$EXPECTED"; then + setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" + fi + eval "${NSDIR}_CNT=$NEW_CNT" } -ckstatsrange () { - HOST=$1 - LABEL="$2" - NSDIR="$3" - MIN="$4" - MAX="$5" - $RNDCCMD $HOST stats - NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $NSDIR/named.stats | tail -1) - eval "OLD_CNT=\$${NSDIR}_CNT" - NEW_CNT=$((NEW_CNT)) - OLD_CNT=$((OLD_CNT)) - GOT=$((NEW_CNT - OLD_CNT)) - if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then - setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" - fi - eval "${NSDIR}_CNT=$NEW_CNT" +ckstatsrange() { + HOST=$1 + LABEL="$2" + NSDIR="$3" + MIN="$4" + MAX="$5" + $RNDCCMD $HOST stats + NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1) + eval "OLD_CNT=\$${NSDIR}_CNT" + NEW_CNT=$((NEW_CNT)) + OLD_CNT=$((OLD_CNT)) + GOT=$((NEW_CNT - OLD_CNT)) + if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then + setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" + fi + eval "${NSDIR}_CNT=$NEW_CNT" } # $1=message # $2=optional test file name -start_group () { - ret=0 - t=$((t + 1)) - test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i - TEST_FILE=$2 - if test -n "$TEST_FILE"; then - GROUP_NM="-$TEST_FILE" - load_db - else - GROUP_NM= - fi - dnsrps_loaded - TEST_NUM=0 +start_group() { + ret=0 + t=$((t + 1)) + test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i + TEST_FILE=$2 + if test -n "$TEST_FILE"; then + GROUP_NM="-$TEST_FILE" + load_db + else + GROUP_NM= + fi + dnsrps_loaded + TEST_NUM=0 } -end_group () { - if test -n "$TEST_FILE"; then - # remove the previous set of test rules - copy_setports $TEST_FILE tmp - sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE - rm -f tmp - 
TEST_FILE= - fi - ckalive $ns3 "failed; ns3 server crashed and restarted" - dnsrps_loaded - GROUP_NM= +end_group() { + if test -n "$TEST_FILE"; then + # remove the previous set of test rules + copy_setports $TEST_FILE tmp + sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE + rm -f tmp + TEST_FILE= + fi + ckalive $ns3 "failed; ns3 server crashed and restarted" + dnsrps_loaded + GROUP_NM= } -clean_result () { - if test -z "$SAVE_RESULTS"; then - rm -f $* - fi +clean_result() { + if test -z "$SAVE_RESULTS"; then + rm -f $* + fi } # $1=dig args # $2=other dig output file -ckresult () { - #ckalive "$1" "server crashed by 'dig $1'" || return 1 - expr "$1" : 'TCP ' > /dev/null && tcp=1 || tcp=0 - digarg=${1#TCP } - - if grep "flags:.* aa .*ad;" $DIGNM; then - setret "'dig $digarg' AA and AD set;" - elif grep "flags:.* aa .*ad;" $DIGNM; then - setret "'dig $digarg' AD set;" - fi +ckresult() { + #ckalive "$1" "server crashed by 'dig $1'" || return 1 + expr "$1" : 'TCP ' >/dev/null && tcp=1 || tcp=0 + digarg=${1#TCP } + + if grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AA and AD set;" + elif grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AD set;" + fi - if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then - grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0 - if [ "$tcp" -ne "$trunc" ]; then - setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM" - else - clean_result ${DIGNM}* - fi - return 0 + if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then + grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0 + if [ "$tcp" -ne "$trunc" ]; then + setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM" + else + clean_result ${DIGNM}* fi - setret "'dig $digarg' wrong; diff $DIGNM $2" return 0 + fi + setret "'dig $digarg' wrong; diff $DIGNM $2" + return 0 } # check only that the server does not crash # $1=target domain # $2=optional query type -nocrash () { - digcmd $* >/dev/null - ckalive "$*" "server crashed 
by 'dig $*'" +nocrash() { + digcmd $* >/dev/null + ckalive "$*" "server crashed by 'dig $*'" } - # check rewrite to NXDOMAIN # $1=target domain # $2=optional query type -nxdomain () { - make_dignm - digcmd $* \ - | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ - -e 's/^[a-z].* IN RRSIG /;xxx &/' \ - >$DIGNM - ckresult "$*" proto.nxdomain +nxdomain() { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ + -e 's/^[a-z].* IN RRSIG /;xxx &/' \ + >$DIGNM + ckresult "$*" proto.nxdomain } # check rewrite to NODATA # $1=target domain # $2=optional query type -nodata () { - make_dignm - digcmd $* \ - | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM - ckresult "$*" proto.nodata +nodata() { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM + ckresult "$*" proto.nodata } # check rewrite to an address 
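Review bot: In ckresult the `elif` branch repeats the exact pattern of the `if` — both run `grep "flags:.* aa .*ad;" $DIGNM` — so the `"'dig $digarg' AD set;"` failure can never be reported and that check is dead. The duplication predates the reformat, but since the hunk rewrites the whole function it is the natural place to fix it: the second branch was presumably meant to flag AD on its own, yet a bare `grep "flags:.* ad;"` is probably not right either, because the `+dnssec` nochange cases later in the file may legitimately carry AD; either restore the intended distinct pattern or delete the unreachable branch with a comment explaining why. The `grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0` line is the and/or idiom, harmless here only because a plain assignment cannot fail.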
@@ -381,22 +391,22 @@ nodata () { # $1=IPv4 address # $2=digcmd args # $3=optional TTL -addr () { - ADDR=$1 - make_dignm - digcmd $2 >$DIGNM - #ckalive "$2" "server crashed by 'dig $2'" || return 1 - ADDR_ESC=$(echo "$ADDR" | sed -e 's/\./\\./g') - ADDR_TTL=$(sed -n -e "s/^[-.a-z0-9]\{1,\}[ ]*\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM) - if test -z "$ADDR_TTL"; then - setret "'dig $2' wrong; no address $ADDR record in $DIGNM" - return 0 - fi - if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then - setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" - return 0 - fi - clean_result ${DIGNM}* +addr() { + ADDR=$1 + make_dignm + digcmd $2 >$DIGNM + #ckalive "$2" "server crashed by 'dig $2'" || return 1 + ADDR_ESC=$(echo "$ADDR" | sed -e 's/\./\\./g') + ADDR_TTL=$(sed -n -e "s/^[-.a-z0-9]\{1,\}[ ]*\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM) + if test -z "$ADDR_TTL"; then + setret "'dig $2' wrong; no address $ADDR record in $DIGNM" + return 0 + fi + if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then + setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" + return 0 + fi + clean_result ${DIGNM}* } # Check that a response is not rewritten 
@@ -404,43 +414,43 @@ addr () { # spurious differences for `dig +norecurse` # $1=optional "TCP" # remaining args for dig -nochange () { - make_dignm - digcmd $* >$DIGNM - digcmd $* @$ns1 >${DIGNM}_OK - ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +nochange() { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns1 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } -nochange_ns10 () { - make_dignm - digcmd $* >$DIGNM - digcmd $* @$ns10 >${DIGNM}_OK - ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +nochange_ns10() { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns10 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } # check against a 'here document' -here () { - make_dignm - sed -e 's/^[ ]*//' >${DIGNM}_OK - digcmd $* >$DIGNM - ckresult "$*" ${DIGNM}_OK +here() { + make_dignm + sed -e 's/^[ ]*//' >${DIGNM}_OK + digcmd $* >$DIGNM + ckresult "$*" ${DIGNM}_OK } # check dropped response DROPPED='^;; no servers could be reached' -drop () { - make_dignm - digcmd $* >$DIGNM || true - if grep "$DROPPED" $DIGNM >/dev/null; then - clean_result ${DIGNM}* - return 0 - fi - setret "'dig $1' wrong; response in $DIGNM" +drop() { + make_dignm + digcmd $* >$DIGNM || true + if grep "$DROPPED" $DIGNM >/dev/null; then + clean_result ${DIGNM}* return 0 + fi + setret "'dig $1' wrong; response in $DIGNM" + return 0 } nsd() { - $NSUPDATE -p ${PORT} << EOF + $NSUPDATE -p ${PORT} </dev/null; then - echo_i "exit status: 1" - exit 1 - fi - if grep '^#skip' dnsrps.conf > /dev/null; then - echo_i "DNSRPS sub-test skipped" - continue - else - echo_i "running DNSRPS sub-test" - start_server --noclean --restart --port ${PORT} - sleep 3 - fi - ;; + native) + if [ -e dnsrps-only ]; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ]; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to 
configure servers with DNSRPS..." + stop_server --use-rndc --port ${CONTROLPORT} + $SHELL ./setup.sh -N -D $DEBUG + for server in ns*; do + resetstats $server + done + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf >/dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + start_server --noclean --restart --port ${PORT} + sleep 3 + fi + ;; esac # make prototype files to check against rewritten results 
@@ -516,104 +526,104 @@ for mode in native dnsrps; do retry_quiet 10 make_proto_nodata start_group "QNAME rewrites" test1 - nochange . # 1 do not crash or rewrite root - nxdomain a0-1.tld2 # 2 - nodata a3-1.tld2 # 3 - nodata a3-2.tld2 # 4 nodata at DNAME itself - nochange sub.a3-2.tld2 # 5 miss where DNAME might work - nxdomain a4-2.tld2 # 6 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 # 7 - nodata a4-3-cname.tld2 # 8 - addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement - addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard - addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME - addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain - addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone - nochange a6-1.tld2 # 14 - addr 127.6.2.1 a6-2.tld2 # 15 - addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME - addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME - addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain - addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain - nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required - nochange a5-3.tld2 +norecurse # 21 - nochange a5-4.tld2 +norecurse # 22 - nochange sub.a5-4.tld2 +norecurse # 23 - nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures - nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures - nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures - nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain - nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain - nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record - nxdomain a0-1.tld2s srv +nodnssec # 31 - drop a3-8.tld2 any # 32 drop - nochange TCP a3-9.tld2 # 33 tcp-only - here x.servfail <<'EOF' # 34 qname-wait-recurse yes + nochange . 
# 1 do not crash or rewrite root + nxdomain a0-1.tld2 # 2 + nodata a3-1.tld2 # 3 + nodata a3-2.tld2 # 4 nodata at DNAME itself + nochange sub.a3-2.tld2 # 5 miss where DNAME might work + nxdomain a4-2.tld2 # 6 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 # 7 + nodata a4-3-cname.tld2 # 8 + addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement + addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard + addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME + addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain + addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone + nochange a6-1.tld2 # 14 + addr 127.6.2.1 a6-2.tld2 # 15 + addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME + addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME + addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain + addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain + nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required + nochange a5-3.tld2 +norecurse # 21 + nochange a5-4.tld2 +norecurse # 22 + nochange sub.a5-4.tld2 +norecurse # 23 + nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures + nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures + nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures + nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain + nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain + nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record + nxdomain a0-1.tld2s srv +nodnssec # 31 + drop a3-8.tld2 any # 32 drop + nochange TCP a3-9.tld2 # 33 tcp-only + here x.servfail <<'EOF' # 34 qname-wait-recurse yes ;; status: SERVFAIL, x EOF - addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no + addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no end_group ckstats $ns3 test1 ns3 22 ckstats $ns5 test1 ns5 1 ckstats $ns6 test1 ns6 0 start_group "NXDOMAIN/NODATA action on 
QNAME trigger" test1 - nxdomain a0-1.tld2 @$ns6 # 1 - nodata a3-1.tld2 @$ns6 # 2 - nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself - nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 @$ns6 # 5 - nodata a4-3-cname.tld2 @$ns6 # 6 - addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement - addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard - addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone - addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME - addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain - addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 - addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME - addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME - addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain - addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain - nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs - nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 - drop a3-8.tld2 any @$ns6 # 20 drop + nxdomain a0-1.tld2 @$ns6 # 1 + nodata a3-1.tld2 @$ns6 # 2 + nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself + nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 @$ns6 # 5 + nodata a4-3-cname.tld2 @$ns6 # 6 + addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement + addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard + addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone + addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME + addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain + addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 + addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME + addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME + addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain + addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop 
short in CNAME chain
+ nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
+ nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
+ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
+ drop a3-8.tld2 any @$ns6 # 20 drop
 end_group
 ckstatsrange $ns3 test1 ns3 22 30
 ckstats $ns5 test1 ns5 0
 ckstats $ns6 test1 ns6 0
 start_group "IP rewrites" test2
- nodata a3-1.tld2 # 1 NODATA
- nochange a3-2.tld2 # 2 no policy record so no change
- nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
- nxdomain a4-2.tld2 # 4
- nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
- nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
- nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
- nodata a4-3.tld2 # 8
- nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
- nochange a4-1-aaaa.tld2 -taaaa # 10
- addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
- addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
- nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
- addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
- nochange a4-4.tld2 # 15 PASSTHRU
- nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
- addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
- nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450)
+ nodata a3-1.tld2 # 1 NODATA
+ nochange a3-2.tld2 # 2 no policy record so no change
+ nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
+ nxdomain a4-2.tld2 # 4
+ nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite
+ nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite
+ nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite
+ nodata a4-3.tld2 # 8
+ nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy
+ nochange a4-1-aaaa.tld2 -taaaa # 10
+ addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address
+ addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone
+ nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14
+ addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP
+ nochange a4-4.tld2 # 15 PASSTHRU
+
nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+ addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger
+ nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450)
 # updating an response zone policy
 cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
 rndc_reload ns2 $ns2 bl.tld2
 ck_soa 2 bl.tld2 $ns3
- nochange a7-1.tld2 # 19 PASSTHRU
+ nochange a7-1.tld2 # 19 PASSTHRU
 # ensure that a clock tick has occurred so that named will do the reload
 s leep 1
 cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
 rndc_reload ns2 $ns2 bl.tld2
 ck_soa 3 bl.tld2 $ns3
- nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
+ nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450)
 end_group
 ckstats $ns3 test2 ns3 12
@@ -635,29 +645,29 @@ EOF
 # these tests assume "min-ns-dots 0"
 start_group "NSDNAME rewrites" test3
- nextpart ns3/named.run > /dev/null
- nochange a3-1.tld2 # 1
- nochange a3-1.tld2 +dnssec # 2 this once caused problems
- nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
- nxdomain a3-1.subsub.sub1.tld2 # 4
- nxdomain a3-1.subsub.sub1.tld2 -tany # 5
- addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
- nochange a3-2.tld2. # 7 exempt rewrite by name
- nochange a0-1.tld2. # 8 exempt rewrite by address block
- addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
- addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
- addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
- nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
-
- nxdomain a3-1.stub # 13
- nxdomain a3-1.static-stub # 14
- nochange_ns10 a3-1.stub-nomatch # 15
- nochange_ns10 a3-1.static-stub-nomatch # 16
+ nextpart ns3/named.run >/dev/null
+ nochange a3-1.tld2 # 1
+ nochange a3-1.tld2 +dnssec # 2 this once caused problems
+ nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+ nxdomain a3-1.subsub.sub1.tld2 # 4
+ nxdomain a3-1.subsub.sub1.tld2 -tany # 5
+ addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2
+ nochange a3-2.tld2. # 7 exempt rewrite by name
+ nochange a0-1.tld2. # 8 exempt rewrite by address block
+ addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME
+ addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
+ addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
+ nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+
+ nxdomain a3-1.stub # 13
+ nxdomain a3-1.static-stub # 14
+ nochange_ns10 a3-1.stub-nomatch # 15
+ nochange_ns10 a3-1.static-stub-nomatch # 16
 if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
+ addr 12.12.12.12 as-ns.tld5.
# 17 qname-as-ns
 fi
- nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
- setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
+ && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
 end_group
 if [ "$mode" = dnsrps ]; then
 ckstats $ns3 test3 ns3 10
@@ -667,26 +677,26 @@ EOF
 # these tests assume "min-ns-dots 0"
 start_group "NSIP rewrites" test4
- nextpart ns3/named.run > /dev/null
- nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
- nochange a3-2.tld2. # 2 exempt rewrite by name
- nochange a0-1.tld2. # 3 exempt rewrite by address block
- nochange a3-1.tld4 # 4 different NS IP address
- nxdomain a4-1.stub # 5
- nxdomain a4-1.static-stub # 6
- nochange_ns10 a4-1.stub-nomatch # 7
- nochange_ns10 a4-1.static-stub-nomatch # 8
+ nextpart ns3/named.run >/dev/null
+ nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
+ nochange a3-2.tld2. # 2 exempt rewrite by name
+ nochange a0-1.tld2. # 3 exempt rewrite by address block
+ nochange a3-1.tld4 # 4 different NS IP address
+ nxdomain a4-1.stub # 5
+ nxdomain a4-1.static-stub # 6
+ nochange_ns10 a4-1.stub-nomatch # 7
+ nochange_ns10 a4-1.static-stub-nomatch # 8
 if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
 fi
- nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
- setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \
+ && setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
 end_group
 start_group "walled garden NSIP rewrites" test4a
- addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
- addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
- here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
+ addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2
+ addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2
+ here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2
 ;; status: NOERROR, x a3-1.tld2. x IN TXT "NSIP walled garden"
 EOF
@@ -700,29 +710,29 @@ EOF
 # policies in ./test5 overridden by response-policy{} in ns3/named.conf
 # and in ns5/named.conf
 start_group "policy overrides" test5
- addr 127.0.0.1 a3-1.tld2 # 1 bl-given
- nochange a3-2.tld2 # 2 bl-passthru
- nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru)
- nochange a3-4.tld2 # 4 bl-disabled
- nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
- nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
- nodata a3-5.tld2 # 7 bl-nodata not needed
- nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
- nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
- nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
- nxdomain a3-6.tld2 # 11 bl-nxdomain
- here a3-7.tld2 -tany <<'EOF' # 12
+ addr 127.0.0.1 a3-1.tld2 # 1 bl-given
+ nochange a3-2.tld2 # 2 bl-passthru
+ nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru)
+ nochange a3-4.tld2 # 4 bl-disabled
+ nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no
+ nodata a3-5.tld2 # 7 bl-nodata not needed
+ nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no
+ nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec
+ nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec
+ nxdomain a3-6.tld2 # 11 bl-nxdomain
+ here a3-7.tld2 -tany <<'EOF' # 12
 ;; status: NOERROR, x a3-7.tld2. x IN CNAME txt-only.tld2. txt-only.tld2.
x IN TXT "txt-only-tld2"
 EOF
- addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
- addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
- addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
- addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
- addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
- drop a3-18.tld2 any # 18 bl-drop
- nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
+ addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname
+ addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
+ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
+ addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
+ addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
+ drop a3-18.tld2 any # 18 bl-drop
+ nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
 end_group
 ckstats $ns3 test5 ns3 12
 ckstats $ns5 test5 ns5 4
@@ -747,25 +757,25 @@ EOF
 # superficial test for major performance bugs
 QPERF=$(sh qperf.sh)
 if test -n "$QPERF"; then
- perf () {
- date "+${TS}checking performance $1" | cat_i
- # Dry run to prime everything
- comment "before dry run $1"
- $RNDCCMD $ns5 notrace
- $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null
- comment "before real test $1"
- PFILE="ns5/$2.perf"
- $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE
- comment "after test $1"
- X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
- | tr '\n' ' ')
- if test "$X" != "$3"; then
- setret "wrong results '$X' in $PFILE"
- fi
- ckalive $ns5 "failed; server #5 crashed"
+ perf() {
+ date "+${TS}checking performance $1" | cat_i
+ # Dry run to prime everything
+ comment "before dry run $1"
+ $RNDCCMD $ns5 notrace
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null
+ comment "before real test $1"
+ PFILE="ns5/$2.perf"
+ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE
+ comment "after test $1"
+ X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
+ | tr '\n' ' ')
+ if test "$X" != "$3"; then
+ setret "wrong results '$X' in $PFILE"
+ fi
+ ckalive $ns5 "failed; server #5 crashed"
 }
- trim () {
- sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
+ trim() {
+ sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
 }
 # get qps with rpz
@@ -777,16 +787,16 @@ EOF
 perf 'without RPZ' norpz 'NOERROR:3000 '
 NORPZ=$(trim norpz)
- PERCENT=$(( (RPZ * 100 + (NORPZ / 2)) / NORPZ))
+ PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ))
 echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ"
 MIN_PERCENT=30
 if test "$PERCENT" -lt $MIN_PERCENT; then
- echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
+ echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
 fi
 if test "$PERCENT" -ge 100; then
- echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
+ echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
 fi
 ckstats $ns5 performance ns5 200
@@ -801,18 +811,18 @@ EOF
 kill "$OLD_PID"
 n=0
 while true; do
- NEW_PID=$(cat dnsrpzd.pid 2>/dev/null)
- if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then
- #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID"
- break;
- fi
- $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null
- n=$((n + 1))
- if test "$n" -gt $TEN_SECS; then
- setret "dnsrpzd did not restart"
- break
- fi
- $WAIT_CMD
+ NEW_PID=$(cat dnsrpzd.pid 2>/dev/null)
+ if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then
+ #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID"
+ break
+ fi
+ $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null
+ n=$((n + 1))
+ if test "$n" -gt $TEN_SECS; then
+ setret "dnsrpzd did not restart"
+ break
+ fi
+ $WAIT_CMD
 done
 fi
@@ -822,7 +832,7 @@ EOF
 # reconfigure the ns5 primary server without the fast-expire zone, so
 # it can't be refreshed on ns3, and will expire in 5 seconds.
- cat /dev/null > ns5/expire.conf
+ cat /dev/null >ns5/expire.conf
 rndc_reconfig ns5 10.53.0.5
 # restart the main test RPZ server to see if that creates a core file
@@ -838,8 +848,8 @@ EOF
 EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true)
 if test -n "$EMSGS"; then
 setret "error messages in $runfile starting with:"
- grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \
- sed -e '10,$d' -e 's/^//' | cat_i
+ grep -E 'invalid rpz|rpz.*failed' ns*/named.run \
+ | sed -e '10,$d' -e 's/^//' | cat_i
 fi
 done
@@ -856,10 +866,10 @@ EOF
 t=$((t + 1))
 echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})"
- sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp
+ sed -e "s/^#BAD//" ns3/named.conf.tmp
 copy_setports ns3/named.conf.tmp ns3/named.conf
 rm ns3/named.conf.tmp
- $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed"
+ $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed"
 sleep 1
 copy_setports ns3/named.conf.in ns3/named.conf
 $RNDCCMD $ns3 reconfig || setret "failed"
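Review bot: The new sed line in the @@ -856 hunk reads `sed -e "s/^#BAD//" ns3/named.conf.tmp` with no input from ns3/named.conf.in and no output into the .tmp file, so as shown sed would read a file that does not exist yet and the following `copy_setports ns3/named.conf.tmp ns3/named.conf` would have nothing to copy. Since the removed line was `< ns3/named.conf.in > ns3/named.conf.tmp` and every other change in this commit only tightens redirection spacing, the intended line is most likely `sed -e "s/^#BAD//" <ns3/named.conf.in >ns3/named.conf.tmp` with the `<…>` span dropped as markup when the diff was rendered; this should be confirmed against the actual file rather than assumed. The add-soa line in the @@ -919 hunk, `sed -e "s/add-soa yes/add-soa no/g" ns3/named.conf`, shows the same pattern (removed line had `< ns3/named.conf.tmp > ns3/named.conf`) and needs the same check. The enclosing loop of this hunk starts and ends outside it.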
@@ -867,37 +877,37 @@ EOF
 # reload a RPZ zone that is now deliberately broken.
 t=$((t + 1))
 echo_i "checking rpz failed update will keep previous rpz rules (${t})"
- $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.before
- grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before > /dev/null || setret "failed"
+ $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before
+ grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed"
 cp ns3/broken.db.in ns3/manual-update-rpz.db
 rndc_reload ns3 $ns3 manual-update-rpz
 sleep 1
 # ensure previous RPZ rules still apply.
- $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after
- grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed"
+ $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after
+ grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"
 t=$((t + 1))
 echo_i "checking reload of a mixed-case RPZ zone (${t})"
 # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
 # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers.
- $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.before
+ $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before
 grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed"
 # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase
 # rather than uppercase) before A6-2.TLD.mixed-case-rpz.
- nextpart ns3/named.run > /dev/null
+ nextpart ns3/named.run >/dev/null
 cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db
 rndc_reload ns3 $ns3 mixed-case-rpz
 wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run
 # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers.
 # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be
 # erroneously removed from the summary RPZ database after reload.)
- $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.after
+ $DIG -p ${PORT} @$ns3 a6-2.tld2.
A >dig.out.$t.after
 grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
 fi
 t=$((t + 1))
 echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})"
- $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.$t
+ $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t
 ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t)
 if test ${ttl:=0} -eq 0; then setret "failed"; fi
@@ -919,37 +929,37 @@ EOF
 nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
 sleep 1
 rndc_reload ns7 $ns7 policy2
- $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
- grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed"
+ $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t}
+ grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed"
 t=$((t + 1))
 echo_i "checking that "add-soa no" at rpz zone level works (${t})"
- $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
- grep SOA dig.out.${t} > /dev/null && setret "failed"
+ $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t}
+ grep SOA dig.out.${t} >/dev/null && setret "failed"
 if [ native = "$mode" ]; then
 t=$((t + 1))
 echo_i "checking that "add-soa yes" at response-policy level works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
- grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t}
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
 fi
 if [ native = "$mode" ]; then
 t=$((t + 1))
 echo_i "reconfiguring server with 'add-soa no' (${t})"
 cp ns3/named.conf ns3/named.conf.tmp
- sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf
+ sed -e "s/add-soa yes/add-soa no/g" ns3/named.conf
 rndc_reconfig ns3 $ns3
 echo_i "checking that 'add-soa no' at response-policy level works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
- grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t}
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed"
 fi
 if [ native = "$mode" ]; then
 t=$((t + 1))
 echo_i "checking that 'add-soa unset' works (${t})"
- $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
- grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t}
+ grep
"^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" fi # dnsrps does not allow NS RRs in policy zones, so this check 
@@ -957,38 +967,36 @@ EOF
 if [ native = "$mode" ]; then
 t=$((t + 1))
 echo_i "checking rpz with delegation fails correctly (${t})"
- $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t
- grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
+ $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t
+ grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed"
 t=$((t + 1))
 echo_i "checking policies from expired zone are no longer in effect ($t)"
- $DIG -p ${PORT} @$ns3 a expired > dig.out.$t
- grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
- grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
+ $DIG -p ${PORT} @$ns3 a expired >dig.out.$t
+ grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed"
+ grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed"
 fi
 # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.
- for label in a-only no-a-no-aaaa a-plus-aaaa
- do
- for type in AAAA A
- do
+ for label in a-only no-a-no-aaaa a-plus-aaaa; do
+ for type in AAAA A; do
 t=$((t + 1))
 case $label in
- a-only)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
- ;;
- no-a-no-aaaa)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
- ;;
- a-plus-aaaa)
- echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
- ;;
+ a-only)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
+ ;;
+ no-a-no-aaaa)
+ echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
+ ;;
+ a-plus-aaaa)
+ echo_i "checking rpz 'CNAME *.'
(NODATA) with dns64, $type lookup with A and AAAA (${t})"
+ ;;
 esac
 ret=0
- $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t}
- grep "status: NOERROR" dig.out.$t > /dev/null || ret=1
- grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1
- grep "^rpz" dig.out.$t > /dev/null || ret=1
+ $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t}
+ grep "status: NOERROR" dig.out.$t >/dev/null || ret=1
+ grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1
+ grep "^rpz" dig.out.$t >/dev/null || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 done
@@ -999,20 +1007,22 @@ EOF
 echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})"
 $RNDCCMD $ns3 flush
 $RNDCCMD $ns6 flush
- $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t}
- grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed"
+ $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t}
+ grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed"
 fi
 [ $status -ne 0 ] && pf=fail || pf=pass
 case $mode in
- native)
- native=$status
- echo_i "status (native RPZ sub-test): $status ($pf)";;
-
- dnsrps)
- dnsrps=$status
- echo_i "status (DNSRPS sub-test): $status ($pf)";;
- *) echo_i "invalid test mode";;
+ native)
+ native=$status
+ echo_i "status (native RPZ sub-test): $status ($pf)"
+ ;;
+
+ dnsrps)
+ dnsrps=$status
+ echo_i "status (DNSRPS sub-test): $status ($pf)"
+ ;;
+ *) echo_i "invalid test mode" ;;
 esac
 done
 status=$((native + dnsrps))
diff --git a/bin/tests/system/rpzextra/ns3/named.args b/bin/tests/system/rpzextra/ns3/named.args
index 970fc22..8ec9731 100644
--- a/bin/tests/system/rpzextra/ns3/named.args
+++ b/bin/tests/system/rpzextra/ns3/named.args
@@ -1 +1 @@
- -m record -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4 -T maxcachesize=2097152
+ -m record -c named.conf -d 99 -f -D rpzextra-ns3 -X named.lock -U 4 -T maxcachesize=2097152
diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf.in b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
index f838535..6a1bd11 100644
--- a/bin/tests/system/rpzrecurse/ns3/named1.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf.in b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
index 40f6b49..06b2536 100644
--- a/bin/tests/system/rpzrecurse/ns3/named2.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/rpzrecurse/ns3/named3.conf.in b/bin/tests/system/rpzrecurse/ns3/named3.conf.in
index 3926bf9..ac2e19c 100644
--- a/bin/tests/system/rpzrecurse/ns3/named3.conf.in
+++ b/bin/tests/system/rpzrecurse/ns3/named3.conf.in
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-include "../../common/rndc.key";
+include "../../_common/rndc.key";
 controls {
 inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
diff --git a/bin/tests/system/rpzrecurse/prereq.sh b/bin/tests/system/rpzrecurse/prereq.sh
new file mode 100644
index 0000000..c52be9c
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh
index 4dcd5ed..8a8ebe9 100644
--- a/bin/tests/system/rpzrecurse/setup.sh
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -20,17 +20,23 @@ set -e
 USAGE="$0: [-DNx]"
 DEBUG=
 while getopts "DNx" c; do
- case $c in
- x) set -x; DEBUG=-x;;
- D) TEST_DNSRPS="-D";;
- N) NOCLEAN=set;;
- *) echo "$USAGE" 1>&2; exit 1;;
- esac
+ case $c in
+ x)
+ set -x
+ DEBUG=-x
+ ;;
+ D) TEST_DNSRPS="-D" ;;
+ N) NOCLEAN=set ;;
+ *)
+ echo "$USAGE" 1>&2
+ exit 1
+ ;;
+ esac
 done
 shift $((OPTIND - 1))
 if test "$#" -ne 0; then
- echo "$USAGE" 1>&2
- exit 1
+ echo "$USAGE" 1>&2
+ exit 1
 fi
 [ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
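Review bot: `${PERL}` in the new prereq.sh is used without any guard; if `../conf.sh` leaves it unset or empty (conf.sh is not visible here, so this is inferred) the condition degenerates to running `-MNet::DNS` as the command, and the script then reports a missing Net::DNS module when the real problem is a missing Perl. A one-line guard after sourcing conf.sh keeps the diagnostic accurate: `test -n "${PERL}" || { echo_i "PERL is not set"; exit 1; }`. Leaving `${PERL}` itself unquoted is fine if it may carry options, but that intent would be worth a short comment on the `if` line.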
@@ -48,20 +54,18 @@ copy_setports ns4/named.conf.in ns4/named.conf
 # setup policy zones for a 64-zone test
 i=1
-while test $i -le 64
-do
- echo "\$TTL 60" > ns2/db.max$i.local
- echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >> ns2/db.max$i.local
- echo " NS ns" >> ns2/db.max$i.local
- echo "ns A 127.0.0.1" >> ns2/db.max$i.local
-
- j=1
- while test $j -le $i
- do
- echo "name$j A 10.53.0.$i" >> ns2/db.max$i.local
- j=$((j + 1))
- done
- i=$((i + 1))
+while test $i -le 64; do
+ echo "\$TTL 60" >ns2/db.max$i.local
+ echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >>ns2/db.max$i.local
+ echo " NS ns" >>ns2/db.max$i.local
+ echo "ns A 127.0.0.1" >>ns2/db.max$i.local
+
+ j=1
+ while test $j -le $i; do
+ echo "name$j A 10.53.0.$i" >>ns2/db.max$i.local
+ j=$((j + 1))
+ done
+ i=$((i + 1))
 done
 # decide whether to test DNSRPS
@@ -74,14 +78,14 @@ PID-FILE $CWD/dnsrpzd.pid;
 include $CWD/dnsrpzd-license-cur.conf
-zone "policy" { type primary; file "`pwd`/ns3/policy.db"; };
+zone "policy" { type primary; file "$(pwd)/ns3/policy.db"; };
 EOF
 sed -n -e 's/^ *//' -e "/zone.*.*primary/s@file \"@&$CWD/ns2/@p" ns2/*.conf \
- >>dnsrpzd.conf
+ >>dnsrpzd.conf
 # Run dnsrpzd to get the license and prime the static policy zones
 if test -n "$TEST_DNSRPS"; then
- DNSRPZD="$(../rpz/dnsrps -p)"
- "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \
- -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
+ DNSRPZD="$(../rpz/dnsrps -p)"
+ "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \
+ -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
 fi
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
index eed53e8..afc1a2b 100644
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -27,86 +27,95 @@ ARGS=
 USAGE="$0: [-xS]"
 while getopts "xS:" c; do
- case $c in
- x) set -x; DEBUG=-x; ARGS="$ARGS -x";;
- S) SAVE_RESULTS=-S; ARGS="$ARGS -S";;
- *) echo "$USAGE" 1>&2; exit 1;;
- esac
+ case $c in
+ x)
+ set -x
+ DEBUG=-x
+ ARGS="$ARGS -x"
+ ;;
+ S)
+ SAVE_RESULTS=-S
+ ARGS="$ARGS -S"
+ ;;
+ *)
+ echo "$USAGE" 1>&2
+ exit 1
+ ;;
+ esac
 done
 shift $((OPTIND - 1))
 if test "$#" -ne 0; then
- echo "$USAGE" 1>&2
- exit 1
+ echo "$USAGE" 1>&2
+ exit 1
 fi
 # really quit on control-C
 trap 'exit 1' 1 2 15
 DNSRPSCMD=../rpz/dnsrps
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 # $1 = test name (such as 1a, 1b, etc. for which named.$1.conf exists)
 run_server() {
- TESTNAME=$1
+ TESTNAME=$1
- echo_i "stopping resolver"
- stop_server --use-rndc --port ${CONTROLPORT} ns2
+ echo_i "stopping resolver"
+ stop_server --use-rndc --port ${CONTROLPORT} ns2
- sleep 1
+ sleep 1
- echo_i "starting resolver using named.$TESTNAME.conf"
- cp -f ns2/named.$TESTNAME.conf ns2/named.conf
- start_server --noclean --restart --port ${PORT} ns2
- sleep 3
+ echo_i "starting resolver using named.$TESTNAME.conf"
+ cp -f ns2/named.$TESTNAME.conf ns2/named.conf
+ start_server --noclean --restart --port ${PORT} ns2
+ sleep 3
 }
 run_query() {
- TESTNAME=$1
- LINE=$2
+ TESTNAME=$1
+ LINE=$2
- NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
- $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 > dig.out.${t}
- grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 && return 1
- return 0
+ NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
+ $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 >dig.out.${t}
+ grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 && return 1
+ return 0
 }
 # $1 = test name (such as 1a, 1b, etc.
for which $1.queries exists)
 # $2 = line number in query file to test (the name to query is taken from this line)
 expect_norecurse() {
- TESTNAME=$1
- LINE=$2
+ TESTNAME=$1
+ LINE=$2
- NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
- t=$((t + 1))
- echo_i "testing $NAME doesn't recurse (${t})"
- add_test_marker 10.53.0.2
- run_query $TESTNAME $LINE || {
- echo_i "test ${t} failed"
- status=1
- }
+ NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
+ t=$((t + 1))
+ echo_i "testing $NAME doesn't recurse (${t})"
+ add_test_marker 10.53.0.2
+ run_query $TESTNAME $LINE || {
+ echo_i "test ${t} failed"
+ status=1
+ }
 }
 # $1 = test name (such as 1a, 1b, etc. for which $1.queries exists)
 # $2 = line number in query file to test (the name to query is taken from this line)
 expect_recurse() {
- TESTNAME=$1
- LINE=$2
+ TESTNAME=$1
+ LINE=$2
- NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
- t=$((t + 1))
- echo_i "testing $NAME recurses (${t})"
- add_test_marker 10.53.0.2
- run_query $TESTNAME $LINE && {
- echo_i "test ${t} failed"
- status=1
- }
- return 0
+ NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1)
+ t=$((t + 1))
+ echo_i "testing $NAME recurses (${t})"
+ add_test_marker 10.53.0.2
+ run_query $TESTNAME $LINE && {
+ echo_i "test ${t} failed"
+ status=1
+ }
+ return 0
 }
 add_test_marker() {
- for ns in $@
- do
- $RNDCCMD $ns null ---- test ${t} ----
- done
+ for ns in $@; do
+ $RNDCCMD $ns null ---- test ${t} ----
+ done
 }
 native=0
@@ -114,36 +123,36 @@ dnsrps=0
 for mode in native dnsrps; do
 status=0
 case $mode in
- native)
- if [ -e dnsrps-only ] ; then
- echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
- continue
- else
- echo_i "running native RPZ sub-test"
- fi
- ;;
- dnsrps)
- if [ -e dnsrps-off ] ; then
- echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
- continue
- fi
- echo_i "attempting to configure servers with DNSRPS..."
- stop_server --use-rndc --port ${CONTROLPORT}
- $SHELL ./setup.sh -N -D $DEBUG
- sed -n 's/^## //p' dnsrps.conf | cat_i
- if grep '^#fail' dnsrps.conf >/dev/null; then
- echo_i "exit status: 1"
- exit 1
- fi
- if grep '^#skip' dnsrps.conf > /dev/null; then
- echo_i "DNSRPS sub-test skipped"
- continue
- else
- echo_i "running DNSRPS sub-test"
- start_server --noclean --restart --port ${PORT}
- sleep 3
- fi
- ;;
+ native)
+ if [ -e dnsrps-only ]; then
+ echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
+ continue
+ else
+ echo_i "running native RPZ sub-test"
+ fi
+ ;;
+ dnsrps)
+ if [ -e dnsrps-off ]; then
+ echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
+ continue
+ fi
+ echo_i "attempting to configure servers with DNSRPS..."
+ stop_server --use-rndc --port ${CONTROLPORT}
+ $SHELL ./setup.sh -N -D $DEBUG
+ sed -n 's/^## //p' dnsrps.conf | cat_i
+ if grep '^#fail' dnsrps.conf >/dev/null; then
+ echo_i "exit status: 1"
+ exit 1
+ fi
+ if grep '^#skip' dnsrps.conf >/dev/null; then
+ echo_i "DNSRPS sub-test skipped"
+ continue
+ else
+ echo_i "running DNSRPS sub-test"
+ start_server --noclean --restart --port ${PORT}
+ sleep 3
+ fi
+ ;;
 esac
 # show whether and why DNSRPS is enabled or disabled
@@ -152,8 +161,8 @@ for mode in native dnsrps; do
 t=$((t + 1))
 echo_i "testing that l1.l0 exists without RPZ (${t})"
 add_test_marker 10.53.0.2
- $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
- grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || {
+ $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+ grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || {
 echo_i "test ${t} failed"
 status=1
 }
@@ -161,8 +170,8 @@ for mode in native dnsrps; do
 t=$((t + 1))
 echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
 add_test_marker 10.53.0.2
- $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
- grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 || {
+ $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t}
+ grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || {
 echo_i "test ${t} failed"
 status=1
 }
@@ -179,8 +188,7 @@ for mode in native dnsrps; do
 # Group 2
 run_server 2a
 for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
- 21 22 23 24 25 26 27 28 29 30 31 32
- do
+ 21 22 23 24 25 26 27 28 29 30 31 32; do
 expect_norecurse 2a $n
 done
 expect_recurse 2a 33
@@ -221,8 +229,7 @@ for mode in native dnsrps; do
 add_test_marker 10.53.0.2
 c=0
 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
- 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
- do
+ 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do
 run_query 4$n $i || c=$((c + 1))
 done
 skipped=$((33 - c))
@@ -249,7 +256,7 @@ for mode in native dnsrps; do
 t=$((t + 1))
 echo_i "running dig to cache CNAME record (${t})"
 add_test_marker 10.53.0.1 10.53.0.2
- $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
+ $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t}
 sleep 1
 echo_i "suspending authority server"
 PID=$(cat ns1/named.pid)
@@ -257,30 +264,29 @@ for mode in native dnsrps; do echo_i "adding an NSDNAME policy" cp ns2/db.6a.00.policy.local ns2/saved.policy.local cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 t=$((t + 1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & sleep 1 echo_i "removing the NSDNAME policy" cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 echo_i "resuming authority server" PID=$(cat ns1/named.pid) kill -CONT $PID add_test_marker 10.53.0.1 - for n in 1 2 3 4 5 6 7 8 9 - do + for n in 1 2 3 4 5 6 7 8 9; do sleep 1 [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break done - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } 
@@ -292,20 +298,20 @@ for mode in native dnsrps; do t=$((t + 1)) echo_i "running dig to cache CNAME record (${t})" add_test_marker 10.53.0.1 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} sleep 1 echo_i "suspending authority server" PID=$(cat ns1/named.pid) kill -STOP $PID echo_i "adding an NSDNAME policy" cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 t=$((t + 1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & sleep 1 echo_i "removing the policy zone" cp ns2/named.default.conf ns2/named.conf @@ -319,9 +325,9 @@ for mode in native dnsrps; do for n in 1 2 3 4 5 6 7 8 9; do sleep 1 [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break done - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } 
@@ -332,14 +338,13 @@ for mode in native dnsrps; do add_test_marker 10.53.0.2 run_server max i=1 - while test $i -le 64 - do - $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.${i} - grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} > /dev/null 2>&1 || { - echo_i "test $t failed: didn't get expected answer from policy zone $i" - status=1 - } - i=$((i + 1)) + while test $i -le 64; do + $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i} + grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer from policy zone $i" + status=1 + } + i=$((i + 1)) done # Check CLIENT-IP behavior @@ -347,12 +352,12 @@ for mode in native dnsrps; do echo_i "testing CLIENT-IP behavior (${t})" add_test_marker 10.53.0.2 run_server clientip - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} > /dev/null 2>&1 || { + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed: didn't get expected answer" status=1 } 
@@ -362,27 +367,27 @@ for mode in native dnsrps; do echo_i "testing CLIENT-IP behavior #2 (${t})" add_test_marker 10.53.0.2 run_server clientip2 - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.1 - grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1 + grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 > dig.out.${t}.3 - grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3 + grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || { + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || { echo_i "test $t failed: didn't get expected answer" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}.4 - grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4 + grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } 
@@ -393,18 +398,18 @@ for mode in native dnsrps; do add_test_marker 10.53.0.2 run_server log cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run) - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >> dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >> dig.out.${t} - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t} + sed -n "$cur,"'$p' /dev/null && { echo_ic "failed: unexpected rewrite message for policy zone log1 was logged" status=1 } - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || { + sed -n "$cur,"'$p' /dev/null || { echo_ic "failed: expected rewrite message for policy zone log2 was not logged" status=1 } - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || { + sed -n "$cur,"'$p' /dev/null || { echo_ic "failed: expected rewrite message for policy zone log3 was not logged" status=1 } 
@@ -415,13 +420,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 1 RPZ zone (${t})" add_test_marker 10.53.0.2 run_server wildcard1 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -430,13 +435,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 2 RPZ zones (${t})" add_test_marker 10.53.0.2 run_server wildcard2 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } 
@@ -445,13 +450,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" add_test_marker 10.53.0.2 run_server wildcard3 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -460,13 +465,13 @@ for mode in native dnsrps; do echo_i "testing wildcard passthru before explicit drop (${t})" add_test_marker 10.53.0.2 run_server wildcard4 - $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NOERROR" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NOERROR" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } 
@@ -477,7 +482,7 @@ for mode in native dnsrps; do echo_i "testing for invalid prefix length error (${t})" add_test_marker 10.53.0.2 run_server invalidprefixlength - grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run > /dev/null || { + grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || { echo_ic "failed: expected that invalid prefix length error would be logged" status=1 } @@ -489,20 +494,20 @@ for mode in native dnsrps; do echo_i "timing 'nsip-wait-recurse yes' (default)" ret=0 t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t t2=$($PERL -e 'print time()."\n";') p1=$((t2 - t1)) echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush copy_setports ns3/named2.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 echo_i "timing 'nsip-wait-recurse no'" t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t t4=$($PERL -e 'print time()."\n";') p2=$((t4 - t3)) echo_i "elapsed time $p2 seconds" 
@@ -511,11 +516,11 @@ for mode in native dnsrps; do if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush # restore original named.conf copy_setports ns3/named1.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 t=$((t + 1)) @@ -524,20 +529,20 @@ for mode in native dnsrps; do echo_i "timing 'nsdname-wait-recurse yes' (default)" ret=0 t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t t2=$($PERL -e 'print time()."\n";') p1=$((t2 - t1)) echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush copy_setports ns3/named3.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 echo_i "timing 'nsdname-wait-recurse no'" t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t t4=$($PERL -e 'print time()."\n";') p2=$((t4 - t3)) echo_i "elapsed time $p2 seconds" 
@@ -546,16 +551,17 @@ for mode in native dnsrps; do if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) - [ $status -ne 0 ] && pf=fail || pf=pass case $mode in - native) - native=$status - echo_i "status (native RPZ sub-test): $status ($pf)";; - dnsrps) - dnsrps=$status - echo_i "status (DNSRPS sub-test): $status ($pf)";; - *) echo_i "invalid test mode";; + native) + native=$status + echo_i "status (native RPZ sub-test): $status ($pf)" + ;; + dnsrps) + dnsrps=$status + echo_i "status (DNSRPS sub-test): $status ($pf)" + ;; + *) echo_i "invalid test mode" ;; esac done status=$((native + dnsrps)) diff --git a/bin/tests/system/rrchecker/tests.sh b/bin/tests/system/rrchecker/tests.sh index 65e9d43..0edf303 100644 --- a/bin/tests/system/rrchecker/tests.sh +++ b/bin/tests/system/rrchecker/tests.sh 
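Review bot: The reformatted case arms still expand `$pf` in `echo_i "status (native RPZ sub-test): $status ($pf)"` and in the dnsrps arm, but the only assignment visible, `[ $status -ne 0 ] && pf=fail || pf=pass`, is removed by this hunk with no replacement, so unless pf is now set somewhere outside the hunk both summary lines print an empty pass/fail marker (and would abort under `set -u`). If the line was dropped to satisfy the formatter, restore it in `if` form just before `case $mode in`: `if [ $status -ne 0 ]; then pf=fail; else pf=pass; fi`. The enclosing `for mode in native dnsrps` loop begins outside the hunk.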
@@ -20,21 +20,30 @@ n=0 n=$((n + 1)) echo_i "class list ($n)" -$RRCHECKER -C > classlist.out -diff classlist.out classlist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -C >classlist.out +diff classlist.out classlist.good || { + echo_i "failed" + status=$((status + 1)) +} n=$((n + 1)) echo_i "type list ($n)" -$RRCHECKER -T > typelist.out -diff typelist.out typelist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -T >typelist.out +diff typelist.out typelist.good || { + echo_i "failed" + status=$((status + 1)) +} n=$((n + 1)) echo_i "private type list ($n)" -$RRCHECKER -P > privatelist.out -diff privatelist.out privatelist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -P >privatelist.out +diff privatelist.out privatelist.good || { + echo_i "failed" + status=$((status + 1)) +} myecho() { -cat << EOF + cat < tempzone -$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n -while read -r name tt cl ty rest -do - myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not handled." - } - read -r cl0 ty0 rest0 < checker.out - test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { - ret=1 - echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" - } -done < checkzone.out$n -test $ret -eq 0 || { echo_i "failed"; status=$((status + 1)); } +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 0 >tempzone +$CHECKZONE -Dq . tempzone | sed '/^;/d' >checkzone.out$n +while read -r name tt cl ty rest; do + myecho "$cl $ty $rest" | $RRCHECKER -p >checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not handled." 
+ } + read -r cl0 ty0 rest0 checkzone.out$n -while read -r name tt cl ty rest -do - myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not converted to unknown record format" - } - read -r clu tyu restu < checker.out - myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not converted back to canonical format" - } - read -r cl0 ty0 rest0 < checker.out - test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { - ret=1 - echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" - } -done < checkzone.out$n -test $ret -eq 0 || { echo_i "failed"; status=$((status + 1)); } +$CHECKZONE -Dq . tempzone | sed '/^;/d' >checkzone.out$n +while read -r name tt cl ty rest; do + myecho "$cl $ty $rest" | $RRCHECKER -u >checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted to unknown record format" + } + read -r clu tyu restu checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted back to canonical format" + } + read -r cl0 ty0 rest0 &2; exit 1;; - esac + case $c in + x) set -x ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # really quit on control-C trap 'exit 1' 1 2 15 - ret=0 -setret () { - ret=1 - echo_i "$*" +setret() { + ret=1 + echo_i "$*" } - # Wait until soon after the start of a second to make results consistent. # The start of a second credits a rate limit. # This would be far easier in C or by assuming a modern version of perl. 
-sec_start () { - START=$(date) - while true; do - NOW=$(date) - if test "$START" != "$NOW"; then - return - fi - $PERL -e 'select(undef, undef, undef, 0.05)' || true - done +sec_start() { + START=$(date) + while true; do + NOW=$(date) + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done } - # turn off ${HOME}/.digrc -HOME=/dev/null; export HOME +HOME=/dev/null +export HOME # $1=number of tests $2=target domain $3=dig options QNUM=1 -burst () { - BURST_LIMIT=$1; shift - BURST_DOM_BASE="$1"; shift - - XCNT=$CNT - CNT='XXX' - eval FILENAME="mdig.out-$BURST_DOM_BASE" - CNT=$XCNT - - DOMS="" - CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }') - for CNT in $CNTS - do - eval BURST_DOM="$BURST_DOM_BASE" - DOMS="$DOMS $BURST_DOM" - done - ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" - $MDIG $ARGS 2>&1 | \ - tee -a full-$FILENAME | \ - sed -n -e '/^;; AUTHORITY/,/^$/d' \ - -e '/^;; ADDITIONAL/,/^$/d' \ - -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ - -e 's/;; flags.* tc .*/TC/p' \ - -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ - -e 's/;; .* status: NOERROR.*/NOERROR/p' \ - -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ - -e 's/response failed with timed out.*/drop/p' \ - -e 's/;; communications error to.*/drop/p' >> $FILENAME & - QNUM=$((QNUM + BURST_LIMIT)) +burst() { + BURST_LIMIT=$1 + shift + BURST_DOM_BASE="$1" + shift + + XCNT=$CNT + CNT='XXX' + eval FILENAME="mdig.out-$BURST_DOM_BASE" + CNT=$XCNT + + DOMS="" + CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }') + for CNT in $CNTS; do + eval BURST_DOM="$BURST_DOM_BASE" + DOMS="$DOMS $BURST_DOM" + done + ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" + $MDIG $ARGS 2>&1 \ + | tee -a full-$FILENAME \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; 
flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: NOERROR.*/NOERROR/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/response failed with timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' >>$FILENAME & + QNUM=$((QNUM + BURST_LIMIT)) } # compare integers $1 and $2; ensure the difference is no more than $3 -range () { - $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 +range() { + $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 } # $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop # $6=NXDOMAIN $7=SERVFAIL or other errors ck_result() { - # wait to the background mdig calls to complete. - wait - BAD=no - ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l) - # count simple truncated and truncated NXDOMAIN as TC - TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) - DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l) - # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN - NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) - SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l) - NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l) - - range $ADDRS "$3" 1 || - setret "$ADDRS instead of $3 '$2' responses for $1" && - BAD=yes - - range $TC "$4" 1 || - setret "$TC instead of $4 truncation responses for $1" && - BAD=yes - - range $DROP "$5" 1 || - setret "$DROP instead of $5 dropped responses for $1" && - BAD=yes - - range $NXDOMAIN "$6" 1 || - setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" && - BAD=yes - - range $SERVFAIL "$7" 1 || - setret "$SERVFAIL instead of $7 error responses for $1" && - BAD=yes - - range $NOERROR "$8" 1 || - setret "$NOERROR instead of $8 NOERROR responses for $1" && - BAD=yes - - if test -z "$BAD"; then - rm -f mdig.out-$1 - fi + # wait to the background mdig calls to complete. 
+ wait + BAD=no + ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l) + # count simple truncated and truncated NXDOMAIN as TC + TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l) + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l) + NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l) + + range $ADDRS "$3" 1 \ + || setret "$ADDRS instead of $3 '$2' responses for $1" \ + && BAD=yes + + range $TC "$4" 1 \ + || setret "$TC instead of $4 truncation responses for $1" \ + && BAD=yes + + range $DROP "$5" 1 \ + || setret "$DROP instead of $5 dropped responses for $1" \ + && BAD=yes + + range $NXDOMAIN "$6" 1 \ + || setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" \ + && BAD=yes + + range $SERVFAIL "$7" 1 \ + || setret "$SERVFAIL instead of $7 error responses for $1" \ + && BAD=yes + + range $NOERROR "$8" 1 \ + || setret "$NOERROR instead of $8 NOERROR responses for $1" \ + && BAD=yes + + if test -z "$BAD"; then + rm -f mdig.out-$1 + fi } - -ckstats () { - LABEL="$1"; shift - TYPE="$1"; shift - EXPECTED="$1"; shift - C=$(cat ns2/named.stats | - sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" | - tail -1) - C=$((C)) - - range "$C" $EXPECTED 1 || - setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" +ckstats() { + LABEL="$1" + shift + TYPE="$1" + shift + EXPECTED="$1" + shift + C=$(cat ns2/named.stats \ + | sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + | tail -1) + C=$((C)) + + range "$C" $EXPECTED 1 \ + || setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" } - ######### sec_start 
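Review bot: In ck_result the six re-wrapped chains of the form `range $ADDRS "$3" 1 \ || setret "…" \ && BAD=yes` set BAD=yes unconditionally, because `a || b && c` parses as `(a || b) && c`: when range succeeds the group is true and `BAD=yes` runs, and when it fails setret runs and returns echo_i's status (presumably 0), so `BAD=yes` runs again. The cleanup guard below it, `if test -z "$BAD"; then rm -f mdig.out-$1`, can never fire either, since BAD is initialised to `no` and is never empty; the net effect is that the mdig.out files are always kept, which looks unintended. The hunk only re-indents these lines, so the defect is pre-existing; grouping the failure branch and testing for `no` fixes both halves. The hunk's header is lost in the garbled span above, so its first lines (the rrl/tests.sh option parsing) are not fully visible.
```sh
ck_result() {
  # … unchanged: wait, BAD=no and the ADDRS/TC/DROP/NXDOMAIN/SERVFAIL/NOERROR counts …
  range $ADDRS "$3" 1 || { setret "$ADDRS instead of $3 '$2' responses for $1"; BAD=yes; }
  range $TC "$4" 1 || { setret "$TC instead of $4 truncation responses for $1"; BAD=yes; }
  range $DROP "$5" 1 || { setret "$DROP instead of $5 dropped responses for $1"; BAD=yes; }
  range $NXDOMAIN "$6" 1 || { setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1"; BAD=yes; }
  range $SERVFAIL "$7" 1 || { setret "$SERVFAIL instead of $7 error responses for $1"; BAD=yes; }
  range $NOERROR "$8" 1 || { setret "$NOERROR instead of $8 NOERROR responses for $1"; BAD=yes; }

  # only discard the captured responses when every count matched
  if test "$BAD" = no; then
    rm -f mdig.out-$1
  fi
}
```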
@@ -180,13 +183,13 @@ burst 30 'y.x$CNT.a2.tld2' # IP TC drop NXDOMAIN SERVFAIL NOERROR # referrals to "." -ck_result a1.tld3 x 0 1 2 0 0 2 +ck_result a1.tld3 x 0 1 2 0 0 2 # check 13 results including 1 second delay that allows an additional response -ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 # Check the wildcard answers. # The zone origin name of the 30 requests is counted. -ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 +ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 ######### sec_start @@ -196,21 +199,20 @@ burst 10 'y$CNT.a3.tld3' burst 10 'z$CNT.a4.tld2' # 10 identical recursive responses are limited -ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 # 10 different recursive responses are not limited -ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 # 10 different NXDOMAIN responses are limited based on the parent name. # We count 13 responses because we count truncated NXDOMAIN responses # as both truncated and NXDOMAIN. -ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 +ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 $RNDCCMD $ns2 stats ckstats first dropped 36 ckstats first truncated 21 - ######### sec_start @@ -223,22 +225,21 @@ burst 2 a8.tld2 -t SPF # IP TC drop NXDOMAIN SERVFAIL NOERROR # TCP responses are not rate limited -ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 # whitelisted client is not rate limited -ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 # Errors such as SERVFAIL are rate limited. -ck_result a7.tld4 x 0 0 8 0 2 0 +ck_result a7.tld4 x 0 0 8 0 2 0 # NODATA responses are counted as the same regardless of qtype. -ck_result a8.tld2 x 0 2 2 0 0 4 +ck_result a8.tld2 x 0 2 2 0 0 4 $RNDCCMD $ns2 stats ckstats second dropped 46 ckstats second truncated 23 - ######### sec_start 
@@ -248,7 +249,7 @@ sec_start QNUM=101 burst 60 'all$CNT.a9.tld2' -ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 $RNDCCMD $ns2 stats ckstats final dropped 56 
@@ -258,32 +259,32 @@ ckstats final truncated 23 sec_start DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}" -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 # regression test for GL #2839 DIGOPTS="+bufsize=4096 +ignore -p ${PORT}" -$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 TXT big.tld4 >/dev/null 2>&1 -grep "would limit" ns4/named.run >/dev/null 2>&1 || -setret "\"would limit\" not found in log file." +grep "would limit" ns4/named.run >/dev/null 2>&1 \ + || setret "\"would limit\" not found in log file." 
-$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 & +$NAMED -D rrl-ns5 -gc broken.conf >broken.out 2>&1 & sleep 2 -grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1" +grep "min-table-size 1" broken.out >/dev/null || setret "min-table-size 0 was not changed to 1" if [ -f named.pid ]; then - kill $(cat named.pid) - setret "named should not have started, but did" + kill $(cat named.pid) + setret "named should not have started, but did" fi echo_i "exit status: $ret" diff --git a/bin/tests/system/rrsetorder/ns3/named.conf.in b/bin/tests/system/rrsetorder/ns3/named.conf.in index a5850ca..807fa37 100644 --- a/bin/tests/system/rrsetorder/ns3/named.conf.in +++ b/bin/tests/system/rrsetorder/ns3/named.conf.in @@ -34,5 +34,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/ns4/named.conf.in b/bin/tests/system/rrsetorder/ns4/named.conf.in index d12f50f..d5fc527 100644 --- a/bin/tests/system/rrsetorder/ns4/named.conf.in +++ b/bin/tests/system/rrsetorder/ns4/named.conf.in @@ -30,5 +30,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/ns5/named.conf.in b/bin/tests/system/rrsetorder/ns5/named.conf.in index d1a4cfa..c0836d3 100644 --- a/bin/tests/system/rrsetorder/ns5/named.conf.in +++ b/bin/tests/system/rrsetorder/ns5/named.conf.in @@ -26,5 +26,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh index cf8bbd1..844fefe 100644 --- a/bin/tests/system/rrsetorder/tests.sh +++ b/bin/tests/system/rrsetorder/tests.sh 
@@ -18,8 +18,8 @@ set -e DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short +nocookie" dig_cmd() { - # shellcheck disable=SC2086 - "$DIG" $DIGOPTS -p "${PORT}" "$@" | grep -v '^;' + # shellcheck disable=SC2086 + "$DIG" $DIGOPTS -p "${PORT}" "$@" | grep -v '^;' } status=0 
@@ -27,49 +27,47 @@ status=0 GOOD_RANDOM="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24" GOOD_RANDOM_NO=24 -if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" > /dev/null 2>&1 ; then - test_fixed=true +if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" >/dev/null 2>&1; then + test_fixed=true else - echo_i "Order 'fixed' disabled at compile time" - test_fixed=false + echo_i "Order 'fixed' disabled at compile time" + test_fixed=false fi # # # if $test_fixed; then - echo_i "Checking order fixed (primary)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.1 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (primary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.1 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good >/dev/null || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "Checking order fixed behaves as cyclic when disabled (primary)" - ret=0 - matches=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 - do - j=$((i % 4)) - dig_cmd @10.53.0.1 fixed.example > dig.out.fixed || ret=1 - if [ $i -le 4 ]; then - cp dig.out.fixed dig.out.$j - else - diff dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) - fi - done - diff dig.out.0 dig.out.1 >/dev/null && ret=1 - diff dig.out.0 dig.out.2 >/dev/null && ret=1 - diff dig.out.0 dig.out.3 >/dev/null && ret=1 - diff dig.out.1 dig.out.2 >/dev/null && ret=1 - diff dig.out.1 dig.out.3 >/dev/null && ret=1 - diff dig.out.2 dig.out.3 >/dev/null && ret=1 - if [ $matches -ne 16 ]; then ret=1; fi - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "Checking order fixed behaves as cyclic when disabled (primary)" + ret=0 + matches=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; 
do + j=$((i % 4)) + dig_cmd @10.53.0.1 fixed.example >dig.out.fixed || ret=1 + if [ $i -le 4 ]; then + cp dig.out.fixed dig.out.$j + else + diff dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) + fi + done + diff dig.out.0 dig.out.1 >/dev/null && ret=1 + diff dig.out.0 dig.out.2 >/dev/null && ret=1 + diff dig.out.0 dig.out.3 >/dev/null && ret=1 + diff dig.out.1 dig.out.2 >/dev/null && ret=1 + diff dig.out.1 dig.out.3 >/dev/null && ret=1 + diff dig.out.2 dig.out.3 >/dev/null && ret=1 + if [ $matches -ne 16 ]; then ret=1; fi + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # @@ -78,15 +76,14 @@ fi echo_i "Checking order cyclic (primary + additional)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.1 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 
@@ -104,15 +101,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (primary)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.1 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.1 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 
@@ -125,25 +121,21 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "Checking order random (primary)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.1 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.1 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi 
@@ -153,14 +145,14 @@ status=$((status + ret)) echo_i "Checking order none (primary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.1 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.1 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.1 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.1 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -169,15 +161,14 @@ status=$((status + ret)) # # if $test_fixed; then - echo_i "Checking order fixed (secondary)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (secondary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.2 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # 
@@ -186,15 +177,14 @@ fi echo_i "Checking order cyclic (secondary + additional)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -212,15 +202,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (secondary)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 
@@ -234,25 +223,21 @@ status=$((status + ret)) echo_i "Checking order random (secondary)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.2 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi 
@@ -262,14 +247,14 @@ status=$((status + ret)) echo_i "Checking order none (secondary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.2 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.2 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.2 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.2 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -280,10 +265,9 @@ stop_server ns2 echo_i "Checking for secondary's on disk copy of zone" -if [ ! -f ns2/root.bk ] -then - echo_i "failed"; - status=$((status + 1)) +if [ ! -f ns2/root.bk ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "Re-starting secondary" @@ -294,15 +278,14 @@ start_server --noclean --restart --port ${PORT} ns2 # # if $test_fixed; then - echo_i "Checking order fixed (secondary loaded from disk)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (secondary loaded from disk)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.2 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # 
@@ -311,15 +294,14 @@ fi echo_i "Checking order cyclic (secondary + additional, loaded from disk)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -337,15 +319,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (secondary loaded from disk)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 
@@ -359,25 +340,21 @@ status=$((status + ret)) echo_i "Checking order random (secondary loaded from disk)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.2 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi 
@@ -387,14 +364,14 @@ status=$((status + ret)) echo_i "Checking order none (secondary loaded from disk)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.2 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.2 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.2 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.2 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -403,15 +380,14 @@ status=$((status + ret)) # # if $test_fixed; then - echo_i "Checking order fixed (cache)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.3 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (cache)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.3 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # 
@@ -420,17 +396,16 @@ fi echo_i "Checking order cyclic (cache + additional)" ret=0 # prime acache -dig_cmd @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 +dig_cmd @10.53.0.3 cyclic.example >dig.out.cyclic || ret=1 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.3 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -448,17 +423,16 @@ status=$((status + ret)) echo_i "Checking order cyclic (cache)" ret=0 # prime acache -dig_cmd @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 +dig_cmd @10.53.0.3 cyclic2.example >dig.out.cyclic2 || ret=1 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.3 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 
@@ -472,25 +446,21 @@ status=$((status + ret)) echo_i "Checking order random (cache)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.3 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.3 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi 
@@ -500,39 +470,35 @@ status=$((status + ret)) echo_i "Checking order none (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.3 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.3 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.3 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.3 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "Checking default order (cache)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.5 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.5 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Default selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 
3)) ]; then ret=1; fi @@ -542,14 +508,14 @@ status=$((status + ret)) echo_i "Checking default order no match in rrset-order (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.4 nomatch.example > dig.out.nomatch || ret=1 +dig_cmd @10.53.0.4 nomatch.example >dig.out.nomatch || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 + grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.4 nomatch.example > dig.out.test$i || ret=1 - diff dig.out.nomatch dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.4 nomatch.example >dig.out.test$i || ret=1 + diff dig.out.nomatch dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh index 8a2f6b9..a4242a3 100755 --- a/bin/tests/system/rsabigexponent/ns1/sign.sh +++ b/bin/tests/system/rsabigexponent/ns1/sign.sh @@ -21,12 +21,12 @@ cp ../ns2/dsset-example.in dsset-example. keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) -cat $infile $keyname.key > $zonefile +cat $infile $keyname.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in index c81b3f6..267daa6 100644 --- a/bin/tests/system/rsabigexponent/ns2/named.conf.in +++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in 
@@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh index 53e2257..9ecf6c3 100755 --- a/bin/tests/system/rsabigexponent/ns2/sign.sh +++ b/bin/tests/system/rsabigexponent/ns2/sign.sh @@ -18,11 +18,10 @@ infile=example.db.in outfile=example.db.bad for i in Xexample.+008+51650.key Xexample.+008+51650.private \ - Xexample.+008+52810.key Xexample.+008+52810.private -do - cp $i $(echo $i | sed s/X/K/) + Xexample.+008+52810.key Xexample.+008+52810.private; do + cp $i $(echo $i | sed s/X/K/) done $SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \ - $infile Kexample.+008+52810.key \ - > /dev/null 2> signer.err || true + $infile Kexample.+008+52810.key \ + >/dev/null 2>signer.err || true diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in index bc63656..6504886 100644 --- a/bin/tests/system/rsabigexponent/ns3/named.conf.in +++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh index 39ebd8a..5914695 100644 --- a/bin/tests/system/rsabigexponent/tests.sh +++ b/bin/tests/system/rsabigexponent/tests.sh 
@@ -21,36 +21,34 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -for f in conf/good*.conf -do - echo_i "checking '$f'" - ret=0 - $CHECKCONF $f > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for f in conf/good*.conf; do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for f in conf/bad*.conf -do - echo_i "checking '$f'" - ret=0 - $CHECKCONF $f > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for f in conf/bad*.conf; do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking that RSA big exponent keys can't be loaded" ret=0 -grep "out of range" ns2/signer.err > /dev/null || ret=1 +grep "out of range" ns2/signer.err >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that RSA big exponent signature can't validate" ret=0 -$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1 -$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1 -grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 -grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1 +$DIG $DIGOPTS a.example @10.53.0.2 >dig.out.ns2 || ret=1 +$DIG $DIGOPTS a.example @10.53.0.3 >dig.out.ns3 || ret=1 +grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns3 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh index 8e87c0f..c6d0485 100755 --- a/bin/tests/system/run.sh +++ b/bin/tests/system/run.sh 
@@ -17,11 +17,14 @@ # if [ -z "$1" ] || [ ! -d "$1" ]; then - echo "Usage: $0 system_test_dir [pytest_args]" - exit 2 + echo "Usage: $0 system_test_dir [pytest_args]" + exit 2 fi system_test_dir="$1" shift -(cd "$system_test_dir" || exit 2 ; /usr/bin/env python3 -m pytest "$@") +( + cd "$system_test_dir" || exit 2 + /usr/bin/env python3 -m pytest "$@" +) diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh index bbd072e..e4049d4 100755 --- a/bin/tests/system/runall.sh +++ b/bin/tests/system/runall.sh @@ -36,30 +36,30 @@ SYSTEMTEST_NO_CLEAN=${SYSTEMTEST_NO_CLEAN:-0} # Handle command line switches if present. while getopts "cn-" flag; do - case "$flag" in - c) SYSTEMTEST_FORCE_COLOR=1 ;; - n) SYSTEMTEST_NO_CLEAN=1 ;; - -) break;; - *) exit 1;; - esac + case "$flag" in + c) SYSTEMTEST_FORCE_COLOR=1 ;; + n) SYSTEMTEST_NO_CLEAN=1 ;; + -) break ;; + *) exit 1 ;; + esac done export NOCLEAN -shift $((OPTIND-1)) +shift $((OPTIND - 1)) # Obtain number of processes to use. if [ $# -eq 0 ]; then - numproc=1 + numproc=1 elif [ $# -eq 1 ]; then - if [ "$1" -ne "$1" ] 2>&1; then - # Value passed is not numeric - echo "$usage" >&2 - exit 1 - fi - numproc=$1 -else + if [ "$1" -ne "$1" ] 2>&1; then + # Value passed is not numeric echo "$usage" >&2 exit 1 + fi + numproc=$1 +else + echo "$usage" >&2 + exit 1 fi # Run the tests. 
@@ -70,30 +70,30 @@ export SYSTEMTEST_NO_CLEAN status=0 if [ "$NOPARALLEL" = "" ]; then - # use "make" to run tests in parallel. - make -j "$numproc" check - status=$? + # use "make" to run tests in parallel. + make -j "$numproc" check + status=$? else - # the NOPARALLEL environment variable indicates that tests must be - # run sequentially. - $PERL testsock.pl || { - cat <<-EOF + # the NOPARALLEL environment variable indicates that tests must be + # run sequentially. + $PERL testsock.pl || { + cat <<-EOF I:NOTE: System tests were skipped because they require the I: test IP addresses 10.53.0.* to be configured as alias I: addresses on the loopback interface. Please run I: "bin/tests/system/ifconfig.sh up" as root to configure them. EOF - exit 1 - } - ( - status=0 - for testdir in $SUBDIRS; do - $SHELL legacy.run.sh -r "$testdir" || status=1 - done - echo "$status" > systests.status - ) 2>&1 | tee "systests.output" - read -r status < systests.status - rm systests.status + exit 1 + } + ( + status=0 + for testdir in $SUBDIRS; do + $SHELL legacy.run.sh -r "$testdir" || status=1 + done + echo "$status" >systests.status + ) 2>&1 | tee "systests.output" + read -r status &1 | tee "test.output.$d" +for d in $SEQUENTIALDIRS; do + $SHELL legacy.run.sh "${@}" "$d" 2>&1 | tee "test.output.$d" done diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh index 6fd428e..ca2299b 100644 --- a/bin/tests/system/runtime/tests.sh +++ b/bin/tests/system/runtime/tests.sh 
@@ -16,198 +16,199 @@ set -e # shellcheck source=conf.sh . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" NAMED_DEFAULT_ARGS="-m record -d 99 -g -U 4" kill_named() { - pidfile="${1}" - if [ ! -r "${pidfile}" ]; then - return 1 - fi - - pid=$(cat "${pidfile}" 2>/dev/null) - if [ "${pid:+set}" = "set" ]; then - kill -15 "${pid}" >/dev/null 2>&1 - retries=10 - while [ "$retries" -gt 0 ]; do - if ! kill -0 "${pid}" >/dev/null 2>&1; then - break - fi - sleep 1 - retries=$((retries-1)) - done - # Timed-out - if [ "$retries" -eq 0 ]; then - echo_i "failed to kill named ($pidfile)" - return 1 - fi - fi - rm -f "${pidfile}" - return 0 + pidfile="${1}" + if [ ! -r "${pidfile}" ]; then + return 1 + fi + + pid=$(cat "${pidfile}" 2>/dev/null) + if [ "${pid:+set}" = "set" ]; then + kill -15 "${pid}" >/dev/null 2>&1 + retries=10 + while [ "$retries" -gt 0 ]; do + if ! kill -0 "${pid}" >/dev/null 2>&1; then + break + fi + sleep 1 + retries=$((retries - 1)) + done + # Timed-out + if [ "$retries" -eq 0 ]; then + echo_i "failed to kill named ($pidfile)" + return 1 + fi + fi + rm -f "${pidfile}" + return 0 } check_named_log() { - grep "$@" >/dev/null 2>&1 + grep "$@" >/dev/null 2>&1 } run_named() ( - dir="$1" - shift - run="$1" - shift - if cd "$dir" > /dev/null 2>&1 - then - "${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >> "$run" 2>&1 & - echo $! - fi + dir="$1" + shift + run="$1" + shift + if cd "$dir" >/dev/null 2>&1; then + "${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >>"$run" 2>&1 & + echo $! + fi ) check_pid() ( - return $(! kill -0 "${1}" >/dev/null 2>&1) + return $(! 
kill -0 "${1}" >/dev/null 2>&1) ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that named started normally ($n)" ret=0 [ -s ns2/named.pid ] || ret=1 -grep "unable to listen on any configured interface" ns2/named.run > /dev/null && ret=1 -grep "another named process" ns2/named.run > /dev/null && ret=1 +grep "unable to listen on any configured interface" ns2/named.run >/dev/null && ret=1 +grep "another named process" ns2/named.run >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that named checks for conflicting named processes ($n)" ret=0 +test -f ns2/named.lock || ret=1 testpid=$(run_named ns2 named$n.run -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "another named process" ns2/named$n.run || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 -test -n "$testpid" && kill -15 $testpid > kill$n.out 2>&1 && ret=1 +test -n "$testpid" && kill -15 $testpid >kill$n.out 2>&1 && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +test -f ns2/named.lock || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that 'lock-file none' disables process check ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3) test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep "another named process" ns2/named$n.run > /dev/null && ret=1 +grep "another named process" ns2/named$n.run >/dev/null && ret=1 kill_named ns2/named-alt3.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if working directory is 
not writable ($n)" ret=0 copy_setports ns2/named-alt4.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "[^-]directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)" ret=0 copy_setports ns2/named-alt5.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "managed-keys-directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if new-zones-directory is not writable ($n)" ret=0 copy_setports ns2/named-alt6.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "new-zones-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "new-zones-directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i 
"failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named recovers when configuration file is valid again ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 || ret=1 [ -s ns2/named.pid ] || ret=1 kill_named ns2/named.pid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if working directory is not writable ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt4.conf -D runtime-ns2-extra-4) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "[^-]directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "[^-]directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named ns2/named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if managed-keys-directory is not writable ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D runtime-ns2-extra-5) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "managed-keys-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "managed-keys-directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if new-zones-directory is not writable ($n)" 
ret=0 testpid=$(run_named ns2 named$n.run -c named-alt6.conf -D runtime-ns2-extra-6) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "new-zones-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "new-zones-directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named ns2/named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named logs control characters in octal notation ($n)" ret=0 INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1 +grep 'running as.*\\177\\033' ns2/named$n.run >/dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named escapes special characters in the logs ($n)" ret=0 INSTANCE_NAME="runtime-ns2-extra-8-$;" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1 +grep 'running as.*\\$\\;' ns2/named$n.run >/dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named logs an ellipsis when the command line is larger than 8k bytes 
($n)" ret=0 LONG_CMD_LINE=$(cat long-cmd-line) 
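Review bot: The check `kill_named named.pid && ret=1` in the managed-keys-directory refusal test (a context line this reformat leaves untouched) can never flag a failure: kill_named returns 1 when the pid file is unreadable, and nothing visible here creates a `named.pid` in the test's own directory, while the sibling tests in the same hunk look at `ns2/named.pid`. Presumably the intent matches those neighbours, i.e. `kill_named ns2/named.pid && ret=1`. On the newly added lines, the second `test -f ns2/named.lock || ret=1` after the competing named has exited shows only that the lock file was not unlinked, not that the first instance still holds the lock; if that is what the test is meant to prove, a further `run_named ... -X named.lock` that again logs "another named process" would pin it. The test sequence continues past the end of this hunk.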
@@ -215,37 +216,40 @@ LONG_CMD_LINE=$(cat long-cmd-line)
 testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf")
 test -n "$testpid" || ret=1
 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
-grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1
+grep "running as.*\.\.\.$" ns2/named$n.run >/dev/null || ret=1
 kill_named ns2/named.pid || ret=1
 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verifying that named switches UID ($n)"
 if [ "$(id -u)" -eq 0 ]; then
- ret=0
- { TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX"); rc=$?; } || true
- if [ "$rc" -eq 0 ]; then
- copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf"
- chown -R nobody: "${TEMP_NAMED_DIR}"
- chmod 0700 "${TEMP_NAMED_DIR}"
- testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)
- test -n "$testpid" || ret=1
- retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
- [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1
- grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1
- kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1
- test -n "$testpid" || ret=1
- test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
- else
- echo_i "mktemp failed"
- ret=1
- fi
- if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
+ ret=0
+ {
+ TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX")
+ rc=$?
+ } || true
+ if [ "$rc" -eq 0 ]; then
+ copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf"
+ chown -R nobody: "${TEMP_NAMED_DIR}"
+ chmod 0700 "${TEMP_NAMED_DIR}"
+ testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)
+ test -n "$testpid" || ret=1
+ retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
+ [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1
+ grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" >/dev/null && ret=1
+ kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1
+ test -n "$testpid" || ret=1
+ test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+ else
+ echo_i "mktemp failed"
+ ret=1
+ fi
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
 else
- echo_i "skipped, not running as root or running on Windows"
+ echo_i "skipped, not running as root or running on Windows"
 fi
 echo_i "exit status: $status"
diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db
index aef8e31..e36f2b0 100644
--- a/bin/tests/system/serve-stale/ns1/root.db
+++ b/bin/tests/system/serve-stale/ns1/root.db
@@ -16,3 +16,5 @@ example. 300 NS ns.example.
 ns.example. 300 A 10.53.0.2
 slow. 300 NS ns.slow.
 ns.slow. 300 A 10.53.0.2
+stale. 300 NS ns.stale.
+ns.stale. 300 A 10.53.0.6
diff --git a/bin/tests/system/serve-stale/ns3/named.conf.in b/bin/tests/system/serve-stale/ns3/named.conf.in
new file mode 100644
index 0000000..d5f4751
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+ qname-minimization off;
+
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-refresh-time 30;
+ stale-answer-client-timeout 1800;
+ max-cache-ttl 24h;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "serve.stale" IN {
+ type primary;
+ notify no;
+ file "serve.stale.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/serve.stale.db b/bin/tests/system/serve-stale/ns3/serve.stale.db
new file mode 100644
index 0000000..704f451
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/serve.stale.db
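Review bot: The options block enables serve-stale on a resolver that is also primary for `serve.stale`, and nothing in the file says why that combination is wanted, so anyone later tuning the `stale-*` lines or the zone list has to reconstruct the intent from tests.sh. The sibling files make it traceable: ns3/serve.stale.db delegates test.serve.stale to nss1/nss2.example.nxd, and the new tests.sh check queries 10.53.0.3 for that name and requires SERVFAIL under the heading "serve-stale does not recurse for local authoritative zone". A short comment above `stale-answer-enable yes;` would capture that, e.g. `/* Resolver with serve-stale that is also authoritative for serve.stale; tests.sh expects SERVFAIL, not a stale answer, for test.serve.stale, whose delegation points at servers that do not exist. */`. Whether `stale-answer-client-timeout 1800` and `max-cache-ttl 24h` matter for that check is not evident from this file; if they are deliberate the same comment could say so.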
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
+
+$ORIGIN serve.stale.
+test IN NS nss1.example.nxd.
+test IN NS nss2.example.nxd.
diff --git a/bin/tests/system/serve-stale/ns6/named.conf.in b/bin/tests/system/serve-stale/ns6/named.conf.in
new file mode 100644
index 0000000..15f5dd6
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "stale" IN {
+ type primary;
+ notify no;
+ file "stale.db";
+};
+
+zone "serve.stale" IN {
+ type primary;
+ notify no;
+ file "serve.stale.db";
+};
diff --git a/bin/tests/system/serve-stale/ns6/serve.stale.db b/bin/tests/system/serve-stale/ns6/serve.stale.db
new file mode 100644
index 0000000..2b17c68
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/serve.stale.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
+
+test IN TXT "Oops, I did it again"
diff --git a/bin/tests/system/serve-stale/ns6/stale.db b/bin/tests/system/serve-stale/ns6/stale.db
new file mode 100644
index 0000000..4ae0068
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/stale.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+stale. IN SOA ns.stale. matthijs.isc.org. 1 0 0 0 0
+stale. IN NS ns.stale.
+ns.stale. IN A 10.53.0.6
+
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
diff --git a/bin/tests/system/serve-stale/prereq.sh b/bin/tests/system/serve-stale/prereq.sh
new file mode 100644
index 0000000..7411c8a
--- /dev/null
+++ b/bin/tests/system/serve-stale/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MTime::HiRes -e ''; then
+ echo_i "perl Time::HiRes module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh
index 0a0dc47..42e1ac8 100644
--- a/bin/tests/system/serve-stale/setup.sh
+++ b/bin/tests/system/serve-stale/setup.sh
@@ -16,6 +16,7 @@ $SHELL clean.sh
 copy_setports ns1/named1.conf.in ns1/named.conf
-copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
index 8c5ce84..a12a006 100755
--- a/bin/tests/system/serve-stale/tests.sh
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -15,7 +15,7 @@ set -e
 . ../conf.sh
-RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
 DIG="$DIG +time=12 +tries=1"
 max_stale_ttl=$(sed -ne 's,^[[:space:]]*max-stale-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c)
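Review bot: The Time::HiRes probe does not say which part of the test depends on the module — no perl invocation appears in this commit's serve-stale files, so the consumer is presumably a helper outside this diff — and without that a later reader may take the check for dead code; a one-line comment above the `if`, e.g. `# Time::HiRes must be loadable by ${PERL}; fail the prerequisite here rather than a test step`, would document the dependency. Separately, `${PERL}` is expanded unquoted and never checked: if conf.sh leaves it empty, the command becomes `-MTime::HiRes -e ''`, which fails and is then reported as a missing module rather than a missing interpreter. Adding `: "${PERL:?PERL is not set}"` before the check would make that failure mode explicit; whether conf.sh already guarantees a non-empty PERL is not visible here.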
@@ -29,84 +29,84 @@ n=0 # echo_i "test server with serve-stale options set" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" 
dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # Check first 10 lines of Cache DB statistics. After prime queries, we expect # two active TXT, one active Others, one nxrrset TXT, and one NXDOMAIN. 
-grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "1 Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "2 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 
@@ -115,87 +115,87 @@ sleep 2 # stale for somewhere between 3500-3599 seconds. echo_i "check rndc dump stale data.example ($n)" rndc_dumpdb ns1 || ret=1 -awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | - grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1 +awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n \ + | grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" >/dev/null 2>&1 || ret=1 # Also make sure the not expired data does not have a stale comment. -awk '/; authanswer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | - grep "; authanswer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1 +awk '/; authanswer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n \ + | grep "; authanswer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+5))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+4)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+5)) & +echo_i "sending queries for tests $((n + 1))-$((n + 5))..." 
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 4)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 5)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check non-stale longttl.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA ($n)" ret=0 -grep "status: NOERROR" 
dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # 
Check first 10 lines of Cache DB statistics. After serve-stale queries, we # expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one # stale NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #!TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # Test stale-refresh-time when serve-stale is enabled via configuration. 
@@ -209,292 +209,315 @@ if [ $ret != 0 ]; then echo_i "failed"; fi # 7. Query data.example # 8. Check if response come from stale rrset, since the query # is still within stale-refresh-time window. -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 1-3 done above. # Step 4. -n=$((n+1)) +n=$((n + 1)) echo_i "sending query for test ($n)" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n # Step 5. echo_i "check stale data.example TXT (stale-refresh-time) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 6. 
-n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 7. -echo_i "sending query for test $((n+1))" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) +echo_i "sending query for test $((n + 1))" +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) # Step 8. -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT comes from cache (stale-refresh-time) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +# +# Test interaction with local zone +# + +n=$((n + 1)) +echo_i "check that serve-stale does not recurse for local authoritative zone ($n)" +ret=0 + +num=0 +threshold=10 +while [ $num -lt $threshold ]; do + + echo_i "dig test.serve.stale TXT ($n)" + $DIG -p ${PORT} @10.53.0.3 test.serve.stale TXT >dig.out.test$n.$num + grep "status: SERVFAIL" dig.out.test$n.$num >/dev/null || 
ret=1 + if [ $ret != 0 ]; then num=$threshold; fi + + sleep 1 + num=$((num + 1)) +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) # # Test disabling serve-stale via rndc. # -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns1/named.conf ($n)" ret=0 copy_setports ns1/named2.conf.in ns1/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns1 10.53.0.1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc 
serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n 
>/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Test enabling serve-stale via rndc. # -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale on' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale on || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." 
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," 
dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale on) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale reset' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale reset || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled 
(stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA 
(serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; 
fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Update named.conf. 
@@ -502,200 +525,200 @@ status=$((status+ret))
 #
 echo_i "test server with serve-stale options set, low max-stale-ttl"
-n=$((n+1))
+n=$((n + 1))
 echo_i "updating ns1/named.conf ($n)"
 ret=0
 copy_setports ns1/named3.conf.in ns1/named.conf
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "running 'rndc reload' ($n)"
 ret=0
 rndc_reload ns1 10.53.0.1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "flush cache, re-enable serve-stale and query again ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
-$RNDCCMD 10.53.0.1 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1
+$RNDCCMD 10.53.0.1 serve-stale on >rndc.out.test$n.2 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache longttl.example TXT (low max-stale-ttl) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (low max-stale-ttl) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache othertype.example CAA (low max-stale-ttl) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nodata.example TXT (low max-stale-ttl) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nxdomain.example TXT (low max-stale-ttl) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n
-grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Keep track of time so we can access these RRset later, when we expect them
 # to become ancient.
 t1=$($PERL -e 'print time()')
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify prime cache statistics (low max-stale-ttl) ($n)"
 ret=0
 rm -f ns1/named.stats
-$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1
 [ -f ns1/named.stats ] || ret=1
 cp ns1/named.stats ns1/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After prime queries, we expect
 # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
-grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 !TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 sleep 2
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale data.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale othertype.example CAA (low max-stale-ttl) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale nodata.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale nxdomain.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify stale cache statistics (low max-stale-ttl) ($n)"
 ret=0
 rm -f ns1/named.stats
-$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1
 [ -f ns1/named.stats ] || ret=1
 cp ns1/named.stats ns1/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After serve-stale queries, we
 # expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one
 # stale NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
-grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #!TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1
-status=$((status+ret))
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 # Retrieve max-stale-ttl value.
-interval_to_ancient=$(grep 'max-stale-ttl' ns1/named3.conf.in | awk '{ print $2 }' | tr -d ';')
+interval_to_ancient=$(grep 'max-stale-ttl' ns1/named3.conf.in | awk '{ print $2 }' | tr -d ';')
 # We add 2 seconds to it since this is the ttl value of the records being
 # tested.
 interval_to_ancient=$((interval_to_ancient + 2))
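Review bot: In the `updating ns1/named.conf` and `running 'rndc reload'` steps the exit status of `copy_setports ns1/named3.conf.in ns1/named.conf` and `rndc_reload ns1 10.53.0.1` is never folded into `ret`, so `ret` stays at 0 and both steps report success even when the copy or the reload fails; the later serve-stale status check then fails with a less obvious message. Appending `|| ret=1` to each call (`copy_setports ns1/named3.conf.in ns1/named.conf || ret=1` and `rndc_reload ns1 10.53.0.1 || ret=1`) reports the failure at the step that caused it, unless rndc_reload already aborts on error, which is not visible in this hunk; the same pattern recurs in the hunk at -855 for ns1/named4.conf.in. Separately, `interval_to_ancient` is built from every `max-stale-ttl` match in ns1/named3.conf.in, so a second occurrence in the template (for example a commented-out line) would make the later `$((interval_to_ancient + 2))` an arithmetic error; limiting the match to the first hit, or asserting the value is a single integer before use, would keep the timing logic robust.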
@@ -705,52 +728,52 @@ elapsed=$((t2 - t1))
 # If elapsed time so far is less than max-stale-ttl + 2 seconds, then we sleep
 # enough to ensure that we'll ask for ancient RRsets in the next queries.
 if [ $elapsed -lt $interval_to_ancient ]; then
- sleep $((interval_to_ancient - elapsed))
+ sleep $((interval_to_ancient - elapsed))
 fi
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check ancient data.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check ancient othertype.example CAA (low max-stale-ttl) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check ancient nodata.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check ancient nxdomain.example TXT (low max-stale-ttl) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Test stale-refresh-time when serve-stale is enabled via rndc.
 # Steps for testing stale-refresh-time option (default).
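Review bot: The timing guard ahead of the `check ancient …` steps leaves no trace in the log, so when one of those four checks fails on a slow or loaded host there is nothing to show whether the computed sleep was long enough or whether `elapsed` was already past `interval_to_ancient`. A single line before the `if`, `echo_i "elapsed ${elapsed}s, ancient threshold ${interval_to_ancient}s"`, makes such failures diagnosable from the test output alone. The only slack in this path is the fixed 2-second margin folded into `interval_to_ancient` earlier in the file, and `t2`/`elapsed` are computed in the header context outside this hunk, so the note is about observability rather than a change in logic.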
@@ -763,87 +786,87 @@ status=$((status+ret))
 # 7. Query data.example
 # 8. Check if response come from stale rrset, since the query
 # is within stale-refresh-time window.
-n=$((n+1))
+n=$((n + 1))
 echo_i "flush cache, enable responses from authoritative server ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 1.
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (stale-refresh-time rndc) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 2.
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 3.
 sleep 2
 # Step 4.
-n=$((n+1))
+n=$((n + 1))
 echo_i "sending query for test ($n)"
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
 # Step 5.
 echo_i "check stale data.example TXT (stale-refresh-time rndc) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 6.
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 7.
-echo_i "sending query for test $((n+1))"
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+echo_i "sending query for test $((n + 1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1))
 # Step 8.
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale data.example TXT comes from cache (stale-refresh-time rndc) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Steps for testing stale-refresh-time option (disabled).
 # 1. Prime cache data.example txt
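Review bot: Step 1 of this sequence, `prime cache data.example TXT (stale-refresh-time rndc)`, checks NOERROR, `ANSWER: 1,` and the TTL pattern but never asserts that the primed answer carries no EDE option, while the equivalent Step 1 of the `stale-refresh-time disabled` sequence in the following hunk does include `grep "EDE" dig.out.test$n >/dev/null && ret=1`. The TTL pattern `data\.example\..*2.*IN.*TXT` accepts any `2` anywhere before `IN`, so it is not by itself proof that the answer is fresh rather than stale, and Step 5's later expectation of `EDE: 3 (Stale Answer): (resolver failure)` relies on Step 1 having produced a genuinely fresh cache entry. Adding `grep "EDE" dig.out.test$n >/dev/null && ret=1` after the `status: NOERROR` grep in Step 1 brings the two sequences in line and makes the prime step self-checking.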
@@ -855,519 +878,530 @@ status=$((status+ret))
 # 7. Query data.example
 # 8. Check if response come from stale rrset, since the query
 # is within stale-refresh-time window.
-n=$((n+1))
+n=$((n + 1))
 echo_i "updating ns1/named.conf ($n)"
 ret=0
 copy_setports ns1/named4.conf.in ns1/named.conf
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "running 'rndc reload' ($n)"
 ret=0
 rndc_reload ns1 10.53.0.1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "flush cache, enable responses from authoritative server ($n)"
 ret=0
-$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 1.
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (stale-refresh-time disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 2.
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 3.
 sleep 2
 # Step 4.
-n=$((n+1))
+n=$((n + 1))
 echo_i "sending query for test ($n)"
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n
 # Step 5.
 echo_i "check stale data.example TXT (stale-refresh-time disabled) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 6.
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Step 7.
-echo_i "sending query for test $((n+1))"
-$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+echo_i "sending query for test $((n + 1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1))
 # Step 8.
-n=$((n+1))
+n=$((n + 1))
 echo_i "check data.example TXT comes from authoritative (stale-refresh-time disabled) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 #
 # Now test server with no serve-stale options set.
 #
 echo_i "test server with no serve-stale options set"
-n=$((n+1))
+n=$((n + 1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named1.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache longttl.example TXT (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 longttl.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 longttl.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache othertype.example CAA (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nodata.example TXT (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nxdomain.example TXT (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n
-grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify prime cache statistics (max-stale-ttl default) ($n)"
 ret=0
 rm -f ns3/named.stats
-$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 stats >/dev/null 2>&1
 [ -f ns3/named.stats ] || ret=1
 cp ns3/named.stats ns3/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After prime queries, we expect
 # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
-grep "2 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 !TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n >ns3/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 Others" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 !TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 sleep 2
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of data.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of othertype.example CAA (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nodata.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nxdomain.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify stale cache statistics (max-stale-ttl default) ($n)"
 ret=0
 rm -f ns3/named.stats
-$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 stats >/dev/null 2>&1
 [ -f ns3/named.stats ] || ret=1
 cp ns3/named.stats ns3/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After last queries, we expect
 # one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
 # NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
-grep "1 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #!TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n >ns3/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #Others" ns3/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #!TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1
-status=$((status+ret))
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale on' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 serve-stale on >rndc.out.test$n 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep "_default: stale cache enabled; stale answers enabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep "_default: stale cache enabled; stale answers enabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 sleep 2
 # Check that if we don't have stale data for a domain name, we will
 # not answer anything until the resolver query timeout.
-n=$((n+1))
+n=$((n + 1))
 echo_i "check notincache.example TXT times out (max-stale-ttl default) ($n)"
 ret=0
-$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 notfound.example TXT > dig.out.test$n 2>&1 && ret=1
-grep "timed out" dig.out.test$n > /dev/null || ret=1
-grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 notfound.example TXT >dig.out.test$n 2>&1 && ret=1
+grep "timed out" dig.out.test$n >/dev/null || ret=1
+grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) &
-$DIG -p ${PORT} @10.53.0.3 notfound.example TXT > dig.out.test$((n+5)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) &
+$DIG -p ${PORT} @10.53.0.3 notfound.example TXT >dig.out.test$((n + 5)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check data.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check othertype.example CAA (max-stale-ttl default) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check nodata.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*30.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check nxdomain.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # The notfound.example check is different than nxdomain.example because
 # we didn't send a prime query to add notfound.example to the cache.
-n=$((n+1))
+n=$((n + 1))
 echo_i "check notfound.example TXT (max-stale-ttl default) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 #
 # Now test server with serve-stale answers disabled.
 #
 echo_i "test server with serve-stale disabled"
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache longttl.example TTL (serve-stale answers disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.4 longttl.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.4 longttl.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TTL (serve-stale answers disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.4 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache othertype.example CAA (serve-stale answers disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nodata.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nxdomain.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$n
-grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT >dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify prime cache statistics (serve-stale answers disabled) ($n)"
 ret=0
 rm -f ns4/named.stats
-$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.4 stats >/dev/null 2>&1
 [ -f ns4/named.stats ] || ret=1
 cp ns4/named.stats ns4/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After prime queries, we expect
 # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
-grep "2 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 !TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 Others" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 !TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.4 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.4 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 sleep 2
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$((n+4)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.4 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT >dig.out.test$((n + 4)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of data.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of othertype.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nodata.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nxdomain.example TXT (serve-stale answers disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify stale cache statistics (serve-stale answers disabled) ($n)"
 ret=0
 rm -f ns4/named.stats
-$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.4 stats >/dev/null 2>&1
 [ -f ns4/named.stats ] || ret=1
 cp ns4/named.stats ns4/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After last queries, we expect
 # one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
 # NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
-grep "1 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 #!TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #Others" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 #!TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 # Dump the cache.
-n=$((n+1))
+n=$((n + 1))
 echo_i "dump the cache (serve-stale answers disabled) ($n)"
 ret=0
 rndc_dumpdb ns4 -cache || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "stop ns4"
 stop_server --use-rndc --port ${CONTROLPORT} ns4
@@ -1383,15 +1417,15 @@ LASTWEEK=$(TZ=UTC perl -e 'my $now = time();
 echo_i "mock the cache date to $LASTWEEK (serve-stale answers disabled) ($n)"
 ret=0
-sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n > ns4/named_dump.db.out || ret=1
+sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n >ns4/named_dump.db.out || ret=1
 cp ns4/named_dump.db.out ns4/named_dump.db
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "start ns4"
 start_server --noclean --restart --port ${PORT} ns4
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify ancient cache statistics (serve-stale answers disabled) ($n)"
 ret=0
 rm -f ns4/named.stats
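Review bot: The ns3 reconfiguration block added in this hunk (`echo_i "updating ns3/named.conf ($n)"` through `start_server ... ns3`) can never record a failure: `ret=0` is set, `copy_setports ns3/named1.conf.in ns3/named.conf` runs without `|| ret=1`, and `if [ $ret != 0 ]` is then tested, so a missing or unwritable template passes this step silently and only surfaces later as a misleading "prime cache ... (max-stale-ttl default)" failure against 10.53.0.3. Change the copy to `copy_setports ns3/named1.conf.in ns3/named.conf || ret=1`, and, assuming `stop_server`/`start_server` propagate their helper's exit status (not visible here), guard the restart the same way, e.g. `start_server --noclean --restart --port ${PORT} ns3 || ret=1`, so `status` reflects the real failure point. The same vacuous `ret` check already exists for the ns1 `copy_setports` earlier in this hunk, so this copies an existing pattern, but new code should not repeat it. Separately, the reformatted message `echo_i "sending queries for tests $((n + 1))-$((n + 4))..."` that precedes the notfound.example batch is followed by five backgrounded queries, the last writing `dig.out.test$((n + 5))`, so its range should read `$((n + 1))-$((n + 5))`.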
@@ -1400,12 +1434,12 @@ $RNDCCMD 10.53.0.4 stats #> /dev/null 2>&1
 cp ns4/named.stats ns4/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After last queries, we expect
 # everything to be removed or scheduled to be removed.
-grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
-grep "#TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
-grep "#Others" ns4/named.stats.$n.cachedb > /dev/null && ret=1
-grep "#!TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
-grep "#NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null && ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1
+grep "#TXT" ns4/named.stats.$n.cachedb >/dev/null && ret=1
+grep "#Others" ns4/named.stats.$n.cachedb >/dev/null && ret=1
+grep "#!TXT" ns4/named.stats.$n.cachedb >/dev/null && ret=1
+grep "#NXDOMAIN" ns4/named.stats.$n.cachedb >/dev/null && ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 #
@@ -1413,199 +1447,199 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 #
 echo_i "test server with serve-stale cache disabled"
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache longttl.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.5 longttl.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.5 longttl.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.5 data.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache
othertype.example CAA (serve-stale cache disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nodata.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nxdomain.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$n
-grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT >dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then
echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify prime cache statistics (serve-stale cache disabled) ($n)"
 ret=0
 rm -f ns5/named.stats
-$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.5 stats >/dev/null 2>&1
 [ -f ns5/named.stats ] || ret=1
 cp ns5/named.stats ns5/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After serve-stale queries,
 # we expect two active TXT RRsets, one active Others, one nxrrset TXT, and
 # one NXDOMAIN.
-grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
-grep "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-grep "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 Others" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+grep "1 !TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.5 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep "_default: stale cache disabled; stale answers unavailable" rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.5 serve-stale status >rndc.out.test$n 2>&1 ||
ret=1
+grep "_default: stale cache disabled; stale answers unavailable" rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 sleep 2
-echo_i "sending queries for tests $((n+1))-$((n+4))..."
-$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$((n+2)) &
-$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$((n+4)) &
+echo_i "sending queries for tests $((n + 1))-$((n + 4))..."
+$DIG -p ${PORT} @10.53.0.5 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT >dig.out.test$((n + 4)) &
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of data.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of othertype.example CAA (serve-stale cache disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nodata.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check fail of nxdomain.example TXT (serve-stale cache disabled) ($n)"
 ret=0
-grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify stale cache statistics (serve-stale cache disabled) ($n)"
 ret=0
 rm -f ns5/named.stats
-$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+$RNDCCMD 10.53.0.5 stats >/dev/null 2>&1
 [ -f ns5/named.stats ] || ret=1
 cp ns5/named.stats ns5/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After serve-stale queries,
 # we expect one active TXT (longttl) and the rest to be expired from cache,
 # but since we keep everything for 5 minutes (RBTDB_VIRTUAL) in the cache
 # after expiry, they still show up in the stats.
-grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
-grep -F "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-grep -F "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-grep -F "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1
+grep -F "1 Others" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+grep -F "2 TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+grep -F "1 !TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 # Dump the cache.
-n=$((n+1))
+n=$((n + 1))
 echo_i "dump the cache (serve-stale cache disabled) ($n)"
 ret=0
 rndc_dumpdb ns5 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Check that expired records are not dumped.
 ret=0
 grep "; expired since .* (awaiting cleanup)" ns5/named_dump.db.test$n && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Dump the cache including expired entries.
-n=$((n+1))
+n=$((n + 1))
 echo_i "dump the cache including expired entries (serve-stale cache disabled) ($n)"
 ret=0
 rndc_dumpdb ns5 -expired || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Check that expired records are dumped.
 echo_i "check rndc dump expired data.example ($n)"
 ret=0
-awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
- grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1
-awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
- grep "; expired since .* (awaiting cleanup) nodata\.example\."
> /dev/null 2>&1 || ret=1
-awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
- grep "; expired since .* (awaiting cleanup) nxdomain\.example\." > /dev/null 2>&1 || ret=1
-awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
- grep "; expired since .* (awaiting cleanup) othertype\.example\." > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \
+ | grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" >/dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \
+ | grep "; expired since .* (awaiting cleanup) nodata\.example\." >/dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \
+ | grep "; expired since .* (awaiting cleanup) nxdomain\.example\." >/dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \
+ | grep "; expired since .* (awaiting cleanup) othertype\.example\." >/dev/null 2>&1 || ret=1
 # Also make sure the not expired data does not have an expired comment.
-awk '/; authanswer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
- grep "; authanswer longttl\.example.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1
+awk '/; authanswer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \
+ | grep "; authanswer longttl\.example.*A text record with a 600 second ttl" >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "stop ns5"
 stop_server --use-rndc --port ${CONTROLPORT} ns5
@@ -1617,18 +1651,18 @@ FIVEMINUTESAGO=$(TZ=UTC perl -e 'my $now = time();
 my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5];
 printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);')
-n=$((n+1))
+n=$((n + 1))
 echo_i "mock the cache date to $FIVEMINUTESAGO (serve-stale cache disabled) ($n)"
 ret=0
-sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db > ns5/named_dump.db.out || ret=1
+sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db >ns5/named_dump.db.out || ret=1
 cp ns5/named_dump.db.out ns5/named_dump.db
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "start ns5"
 start_server --noclean --restart --port ${PORT} ns5
-n=$((n+1))
+n=$((n + 1))
 echo_i "verify ancient cache statistics (serve-stale cache disabled) ($n)"
 ret=0
 rm -f ns5/named.stats
@@ -1637,11 +1671,11 @@ $RNDCCMD 10.53.0.5 stats #> /dev/null 2>&1
 cp ns5/named.stats ns5/named.stats.$n
 # Check first 10 lines of Cache DB statistics. After last queries, we expect
 # everything to be removed or scheduled to be removed.
-grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
-grep -F "#TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
-grep -F "#Others" ns5/named.stats.$n.cachedb > /dev/null && ret=1
-grep -F "#!TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
-status=$((status+ret))
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1
+grep -F "#TXT" ns5/named.stats.$n.cachedb >/dev/null && ret=1
+grep -F "#Others" ns5/named.stats.$n.cachedb >/dev/null && ret=1
+grep -F "#!TXT" ns5/named.stats.$n.cachedb >/dev/null && ret=1
+status=$((status + ret))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 ################################################
@@ -1649,435 +1683,438 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 ################################################
 echo_i "test stale-answer-client-timeout (1.8)"
-n=$((n+1))
+n=$((n + 1))
 echo_i "updating ns3/named.conf ($n)"
 ret=0
 copy_setports ns3/named2.conf.in ns3/named.conf
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "restart ns3"
 stop_server --use-rndc --port ${CONTROLPORT} ns3
 start_server --noclean --restart --port ${PORT} ns3
-n=$((n+1))
+n=$((n + 1))
 echo_i "check 'rndc serve-stale status' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
-grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1
+grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.example TXT (stale-answer-client-timeout) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n
+grep "status:
NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache nodata.example TXT (stale-answer-client-timeout) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "delay responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt slowdown >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 data.slow TXT >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "disable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Allow RRset to become stale.
 sleep 2
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
-echo_i "sending queries for tests $((n+1))-$((n+3))..."
+echo_i "sending queries for tests $((n + 1))-$((n + 3))..."
 t1=$($PERL -e 'print time()')
-$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
-$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2)) &
-$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) &
+$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 nodata.example TXT >dig.out.test$((n + 2)) &
+$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.slow TXT >dig.out.test$((n + 3)) &
 wait
 t2=$($PERL -e 'print time()')
 # We configured a long value of 30 seconds for resolver-query-timeout.
 # That should give us enough time to receive an stale answer from cache
 # after stale-answer-client-timeout timer of 1.8 sec triggers.
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
 ret=0
 wait_for_log 5 "data.example client timeout, stale answer used" ns3/named.run || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 # Configured stale-answer-client-timeout is 1.8s, we allow some extra time
 # just in case other tests are taking too much cpu.
-[ $((t2 - t1)) -le 10 ] || { echo_i "query took $((t2 - t1))s to resolve."; ret=1; }
+[ $((t2 - t1)) -le 10 ] || {
+ echo_i "query took $((t2 - t1))s to resolve."
+ ret=1
+}
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
-grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Now query for RRset not in cache. The first query should time out, but once
 # we enable the authoritative server, the second query should be able to get a
 # response.
-nextpart ns3/named.run > /dev/null
+nextpart ns3/named.run >/dev/null
-echo_i "sending queries for tests $((n+2))-$((n+4))..."
+echo_i "sending queries for tests $((n + 2))-$((n + 4))..."
 # first dig runs in background for 10 seconds, second in background for 3
 # seconds and the last for 3 seconds in the foreground.
 # the second RRSIG lookup triggers the issue in [GL #3622]
-$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) &
-$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) || true
+$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT >dig.out.test$((n + 3)) &
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG >dig.out.test$((n + 4)) &
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT >dig.out.test$((n + 2)) || true
 # Enable the authoritative name server after stale-answer-client-timeout.
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check not in cache longttl.example TXT times out (stale-answer-client-timeout 1.8) ($n)"
 ret=0
 wait_for_log 4 "longttl.example client timeout, stale answer unavailable" ns3/named.run || ret=1
-grep "timed out" dig.out.test$n > /dev/null || ret=1
-grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1
+grep "timed out" dig.out.test$n >/dev/null || ret=1
+grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check not in cache longttl.example TXT comes from authoritative (stale-answer-client-timeout 1.8) ($n)"
 ret=0
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)"
 ret=0
-grep "timed out" dig.out.test$n > /dev/null || ret=1
-grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1
+grep "timed out" dig.out.test$n >/dev/null || ret=1
+grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # CVE-2022-3924, GL #3619
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
 ret=0
 num=0
 # Make sure to exceed the configured value of 'recursive-clients 10;' by running
 # 20 parallel queries with simulated network latency.
 while [ $num -lt 20 ]; do
- $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
- num=$((num+1))
-done;
+ $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+ num=$((num + 1))
+done
 check_server_responds() {
- $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1
- grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+ $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1
+ grep "status: NOERROR" dig.out.test$n >/dev/null || return 1
 }
 retry_quiet 5 check_server_responds || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 #############################################
 # Test for stale-answer-client-timeout off. #
 #############################################
 echo_i "test stale-answer-client-timeout (off)"
-n=$((n+1))
+n=$((n + 1))
 echo_i "updating ns3/named.conf ($n)"
 ret=0
 copy_setports ns3/named3.conf.in ns3/named.conf
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "running 'rndc reload' ($n)"
 ret=0
 rndc_reload ns3 10.53.0.3
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Send a query, auth server is disabled, we will enable it after a while in
 # order to receive an answer before resolver-query-timeout expires. Since
 # stale-answer-client-timeout is disabled we must receive an answer from
 # authoritative server.
-echo_i "sending query for test $((n+2))"
-$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+2)) &
+echo_i "sending query for test $((n + 2))"
+$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 2)) &
 sleep 3
-n=$((n+1))
+n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Wait until dig is done.
 wait
-n=$((n+1))
+n=$((n + 1))
 echo_i "check data.example TXT comes from authoritative server (stale-answer-client-timeout off) ($n)"
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "EDE" dig.out.test$n > /dev/null && ret=1
-grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
-grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "EDE" dig.out.test$n >/dev/null && ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 ##############################################################
 # Test for stale-answer-client-timeout off and CNAME record.
#
 ##############################################################
 echo_i "test stale-answer-client-timeout (0) and CNAME record"
-n=$((n+1))
+n=$((n + 1))
 echo_i "prime cache shortttl.cname.example (stale-answer-client-timeout off) ($n)"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
-grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1
-grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A >dig.out.test$n
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
+grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n >/dev/null || ret=1
+grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 # Allow RRset to become stale.
sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale shortttl.cname.example comes from cache (stale-answer-client-timeout off) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A >dig.out.test$n wait_for_log 5 "shortttl.cname.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n >/dev/null || ret=1 # We can't reliably test the TTL of the longttl.target.example A record. 
-grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1 +grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} serve-stale ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} serve-stale ns3 fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} serve-stale ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} serve-stale ns3 fi -status=$((status+ret)) +status=$((status + ret)) ############################################# # Test for stale-answer-client-timeout 0. 
# ############################################# echo_i "test stale-answer-client-timeout (0)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named4.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "restart ns3" stop_server --use-rndc --port ${CONTROLPORT} ns3 start_server --noclean --restart --port ${PORT} ns3 -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-answer-client-timeout 0)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (stale-answer-client-timeout 0)" ret=0 -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
-status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n wait_for_log 5 "nodata.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 
(Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) wait_for_rrset_refresh() { - $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "EDE" dig.out.test$n > /dev/null && return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1 + $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "EDE" dig.out.test$n >/dev/null && return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || return 1 } # This test ensures that after we get stale data due to # stale-answer-client-timeout 0, enabling the authoritative server will allow # the RRset to be updated. 
-n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) wait_for_nodata_refresh() { - $DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "ANSWER: 0," dig.out.test$n > /dev/null || return 1 - grep "example\..*[12].*IN.*SOA" dig.out.test$n > /dev/null || return 1 - return 0 + $DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "ANSWER: 0," dig.out.test$n >/dev/null || return 1 + grep "example\..*[12].*IN.*SOA" dig.out.test$n >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale nodata.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_nodata_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) #################################################################### # Test for stale-answer-client-timeout 0 and recursive-clients 10. # 
@@ -2085,48 +2122,48 @@ status=$((status+ret)) # ################################################################## echo_i "test stale-answer-client-timeout (0) and recursive-clients 10" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.slow TXT (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.slow TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Run the following check twice. Sometimes a priming query interrupts the first # attempt to exceed the quota. attempt=0 while [ $ret -eq 0 ] && [ $attempt -lt 2 ]; do - n=$((n+1)) - echo_i "slow down response from authoritative server ($n)" - ret=0 - $DIG -p ${PORT} @10.53.0.2 slowdown TXT > dig.out.test$n - grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 - grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - # Let the data.slow TTL expire - sleep 2 - - n=$((n+1)) - echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)" - ret=0 - num=0 - # Attempt to exceed the configured value of 'recursive-clients 10;' by running - # 20 parallel queries for the stale domain which has slow auth. - while [ $num -lt 20 ]; do - $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 & - num=$((num+1)) - done; - # Let the dig processes finish. 
- wait - retry_quiet 5 check_server_responds || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - attempt=$((attempt+1)) + n=$((n + 1)) + echo_i "slow down response from authoritative server ($n)" + ret=0 + $DIG -p ${PORT} @10.53.0.2 slowdown TXT >dig.out.test$n + grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 + grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + # Let the data.slow TTL expire + sleep 2 + + n=$((n + 1)) + echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)" + ret=0 + num=0 + # Attempt to exceed the configured value of 'recursive-clients 10;' by running + # 20 parallel queries for the stale domain which has slow auth. + while [ $num -lt 20 ]; do + $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 & + num=$((num + 1)) + done + # Let the dig processes finish. + wait + retry_quiet 5 check_server_responds || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + attempt=$((attempt + 1)) done # Restart ns3 to avoid the exceeded recursive-clients limit from previous check 
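Review bot: The retry loop `while [ $ret -eq 0 ] && [ $attempt -lt 2 ]; do` is entered on whatever `ret` the preceding "prime cache data.slow" step left behind, so when that priming query fails the recursive-clients quota check is skipped entirely and never reports a "failed" of its own; if skipping is not intended, reset the flag first with `ret=0` on the line before `attempt=0`. The loop condition also only sees the `ret` of the last step in the body, so a failure of the "slow down response" step is added to `status` but does not stop the second attempt. Both behaviours predate this reformatting commit and are unchanged by it.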
@@ -2140,266 +2177,266 @@ start_server --noclean --restart --port ${PORT} ns3 ############################################################ echo_i "test stale-answer-client-timeout (0) and CNAME record" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname1.stale.test A (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1 -grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n >/dev/null || ret=1 +grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale cname1.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A >dig.out.test$n wait_for_log 5 "cname1.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." 
dig.out.test$n > /dev/null || ret=1 -grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n >/dev/null || ret=1 +grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} ns3 fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname2.stale.test A (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1 -grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." 
dig.out.test$n >/dev/null || ret=1 +grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow CNAME record in the RRSET to become stale. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale cname2.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A >dig.out.test$n wait_for_log 5 "cname2.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n >/dev/null || ret=1 # We can't reliably test the TTL of the a2.stale.test A record. 
-grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1 +grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} ns3 fi -status=$((status+ret)) +status=$((status + ret)) #################################################################### # Test for stale-answer-client-timeout 0 and stale-refresh-time 4. # #################################################################### echo_i "test stale-answer-client-timeout (0) and stale-refresh-time (4)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named5.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache, enable responses from authoritative server ($n)" ret=0 -$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i 
"failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-answer-client-timeout 0, stale-refresh-time 4) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null 
|| ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # This test ensures that after we get stale data due to # stale-answer-client-timeout 0, enabling the authoritative server will allow # the RRset to be updated. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. 
sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow stale-refresh-time to be activated. 
-n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "wait until resolver query times out, activating stale-refresh-time" wait_for_log 15 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache within stale-refresh-time (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) 
# We give BIND some time to ensure that after we enable authoritative server, # this RRset is still not refreshed because it was hit during # stale-refresh-time window. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was not refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # After the refresh-time-window, the RRset will be refreshed. 
sleep 4 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) 
+status=$((status + ret)) #################################################################### # Test serve-stale's interaction with fetch limits (cache only) # 
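Review bot: The `if [ $ret != 0 ]` check after `copy_setports ns3/named5.conf.in ns3/named.conf` and after `rndc_reload ns3 10.53.0.3` is vacuous, because `ret=0` is set immediately before and neither command's exit status is folded into it (unless rndc_reload assigns the global itself, which is not visible in this hunk); a failed config copy or reload would therefore be reported as passing and only surface as harder-to-diagnose stale-answer failures later in the run. Append the status to the flag on both lines: `copy_setports ns3/named5.conf.in ns3/named.conf || ret=1` and `rndc_reload ns3 10.53.0.3 || ret=1`. The same pattern appears in the "updating ns3/named.conf" step of the first hunk (named4.conf.in) and in the fetch-limits hunk that follows (named6.conf.in and its rndc_reload).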
@@ -2409,108 +2446,108 @@ echo_i "test serve-stale's interaction with fetch-limits (cache only)" # We update the named configuration to enable fetch-limits. The fetch-limits # are set to 1, which is ridiciously low, but that is because for this test we # want to reach the fetch-limits. -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named6.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Disable responses from authoritative server. If we can't resolve the example # zone, fetch limits will be reached. -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 # Turn on serve-stale. 
-n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale on' ($n)" ret=0 $RNDCCMD 10.53.0.3 serve-stale on || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Hit the fetch-limits. We burst the name server with a small batch of queries. # Only 2 queries are required to hit the fetch-limits. The first query will # start to resolve, the second one hit the fetch-limits. burst() { - num=${1} - rm -f burst.input.$$ - while [ $num -gt 0 ]; do - num=$((num - 1)) - echo "fetch${num}.example A" >> burst.input.$$ - done - $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ - rm -f burst.input.$$ + num=${1} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=$((num - 1)) + echo "fetch${num}.example A" >>burst.input.$$ + done + $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ + rm -f burst.input.$$ } wait_for_fetchlimits() { - burst 2 - # We expect a query for nx.example to fail because fetch-limits for - # the domain 'example.' (and everything below) has been reached. - $DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example > dig.out.test$n - grep "status: SERVFAIL" dig.out.test$n > /dev/null || return 1 + burst 2 + # We expect a query for nx.example to fail because fetch-limits for + # the domain 'example.' (and everything below) has been reached. 
+ $DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example >dig.out.test$n + grep "status: SERVFAIL" dig.out.test$n >/dev/null || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "hit fetch limits ($n)" ret=0 retry_quiet 10 wait_for_fetchlimits || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Expect stale data now (because fetch-limits for the domain 'example.' (and # everything below) has been reached. But we have a stale RRset for # 'data.example/TXT' that can be used. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (fetch-limits) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The previous query should not have started the stale-refresh-time window. 
-n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache again (fetch-limits) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ######################################################################## # Test serve-stale's interaction with fetch limits (dual-mode) # 
@@ -2519,115 +2556,115 @@ echo_i "test serve-stale's interaction with fetch limits (dual-mode)" # Update named configuration so that ns3 becomes a recursive resolver which is # also a secondary server for the root zone. -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named7.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Flush the cache to ensure the example/NS RRset cached during previous tests # does not override the authoritative delegation found in the root zone. -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache ($n)" ret=0 -$RNDCCMD 10.53.0.3 flush > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flush >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Test that after flush, serve-stale configuration is not reset. 
-n=$((n+1)) +n=$((n + 1)) echo_i "check serve-stale configuration is not reset after flush ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Query name server with low fetch limits. The authoritative server (ans2) is # not responding. Sending queries for multiple names in the 'example' zone # in parallel causes the fetch limit for that zone (set to 1) to be # reached. This should not trigger a crash. -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) & wait # Expect SERVFAIL for the entries not in cache. 
-n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check DNS64 processing of a stale negative answer ($n)" ret=0 # configure ns3 with dns64 copy_setports ns3/named8.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 # flush cache, enable ans2 responses, make sure serve-stale is on -$RNDCCMD 10.53.0.3 flush > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null -$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flush >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >/dev/null +$RNDCCMD 10.53.0.3 serve-stale on >rndc.out.test$n.2 2>&1 || ret=1 # prime the cache with an AAAA NXRRSET response -$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > 
dig.out.1.test$n -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "2001:aaaa" dig.out.1.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA >dig.out.1.test$n +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "2001:aaaa" dig.out.1.test$n >/dev/null || ret=1 # disable responses from the auth server -$DIG -p ${PORT} @10.53.0.2 txt disable > /dev/null +$DIG -p ${PORT} @10.53.0.2 txt disable >/dev/null # wait two seconds for the previous answer to become stale sleep 2 # resend the query and wait in the background; we should get a stale answer -$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.2.test$n & +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA >dig.out.2.test$n & # re-enable queries after a pause, so the server gets a real answer too sleep 2 -$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null +$DIG -p ${PORT} @10.53.0.2 txt enable >/dev/null wait -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "2001:aaaa" dig.out.2.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "2001:aaaa" dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################### # Test serve-stale's interaction with prefetch processing # 
@@ -2654,52 +2691,52 @@ echo_i "test serve-stale's interaction with prefetch processing" # (DNS_EVENT_FETCHDONE). # flush cache -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache ($n)" ret=0 -$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # prime the cache with CNAME and A; CNAME expires sooner -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname.example A (stale-answer-client-timeout 1.8) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1 -grep "target\.example\..*9.*IN.*A" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname.example A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n >/dev/null || ret=1 +grep "target\.example\..*9.*IN.*A" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # wait for the CNAME to be stale; A will still be valid and in prefetch window. # (the longer TTL is needed, otherwise data won't be prefetch-eligible.) 
sleep 7 # re-enable auth responses, but with a delay answering the A -n=$((n+1)) +n=$((n + 1)) echo_i "delay responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt slowdown >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # resend the query and wait in the background; we should get a stale answer -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch processing of a stale CNAME target ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n & +$DIG -p ${PORT} @10.53.0.3 cname.example A >dig.out.test$n & sleep 2 wait -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1 -grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n >/dev/null || ret=1 +grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh index 23145fa..73a7e78 100644 --- a/bin/tests/system/setup.sh +++ b/bin/tests/system/setup.sh 
@@ -17,17 +17,20 @@ . ./conf.sh -test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; } +test $# -gt 0 || { + echo "usage: $0 test-directory" >&2 + exit 1 +} test=$1 shift -test -d $test || { echo "$0: $test: no such test" >&2; exit 1; } +test -d $test || { + echo "$0: $test: no such test" >&2 + exit 1 +} # Set up any dynamically generated test data -if test -f $test/setup.sh -then - ( cd $test && $SHELL setup.sh "$@" ) +if test -f $test/setup.sh; then + (cd $test && $SHELL setup.sh "$@") fi - - diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh index a94ad58..04414d2 100644 --- a/bin/tests/system/sfcache/ns1/sign.sh +++ b/bin/tests/system/sfcache/ns1/sign.sh @@ -20,19 +20,19 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL sign.sh ) +(cd ../ns2 && $SHELL sign.sh) cp "../ns2/dsset-example." . keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf cp trusted.conf ../ns2/trusted.conf # ...or with an initializing key. -keyfile_to_initial_ds "$keyname" > managed.conf +keyfile_to_initial_ds "$keyname" >managed.conf diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in index afb5a86..7052ac6 100644 --- a/bin/tests/system/sfcache/ns2/named.conf.in +++ b/bin/tests/system/sfcache/ns2/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh index 038d079..2f85059 100644 --- a/bin/tests/system/sfcache/ns2/sign.sh 
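Review bot: The reformatted lines still expand `$test` unquoted in `test -d $test`, `test -f $test/setup.sh` and `(cd $test && ...)`, so a test-directory argument containing whitespace or glob characters is word-split before the existence check and the `cd`, and the error path can end up reporting a different name than was passed. Since the commit is already rewriting these exact lines, quoting them is cheap: `test -d "$test" || {`, `if test -f "$test/setup.sh"; then` and `(cd "$test" && $SHELL setup.sh "$@")`. The per-test setup.sh's exit status is only propagated because the subshell happens to be the script's last command; appending `|| exit 1` to that line would make the contract explicit rather than incidental. This appears to be the whole of setup.sh after the `. ./conf.sh` line, but the file header context before the hunk is not visible here.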
+++ b/bin/tests/system/sfcache/ns2/sign.sh @@ -23,6 +23,6 @@ zonefile=example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in index 272d65b..36bfb96 100644 --- a/bin/tests/system/sfcache/ns5/named.conf.in +++ b/bin/tests/system/sfcache/ns5/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh index 6ca88de..7d70bea 100644 --- a/bin/tests/system/sfcache/ns5/sign.sh +++ b/bin/tests/system/sfcache/ns5/sign.sh @@ -18,4 +18,4 @@ set -e keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh index d2aeee7..a01b269 100644 --- a/bin/tests/system/sfcache/tests.sh +++ b/bin/tests/system/sfcache/tests.sh 
@@ -22,86 +22,86 @@ n=0 rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@" } rndc_with_opts() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } echo_i "checking DNSSEC SERVFAIL is cached ($n)" ret=0 -dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts +dnssec foo.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 rndc_dumpdb ns5 -all -awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n -grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1 -n=$((n+1)) +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n >sfcache.$n +grep "^; foo.example/A" sfcache.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking SERVFAIL is returned from cache ($n)" ret=0 -dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec foo.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that +cd bypasses cache check ($n)" ret=0 -dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +dnssec +cd foo.example. 
a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "switching to non-dnssec SERVFAIL tests" ret=0 rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /' rndc_dumpdb ns5 -all mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1 -awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1 +awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 >sfcache.$n.1 [ -s "sfcache.$n.1" ] && ret=1 echo_i "checking SERVFAIL is cached ($n)" -dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 rndc_dumpdb ns5 -all mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2 -awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2 -grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1 -n=$((n+1)) +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 >sfcache.$n.2 +grep "^; bar.example2/A" sfcache.$n.2 >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking SERVFAIL is returned from cache ($n)" ret=0 -nextpart ns5/named.run > /dev/null -dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1 -n=$((n+1)) +nextpart ns5/named.run >/dev/null +dig_with_opts bar.example2. 
a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cache is bypassed with +cd query ($n)" ret=0 -dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +cd bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit' ns5/named.run.part$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cache is used for subsequent +cd query ($n)" ret=0 -dig_with_opts +dnssec bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/shutdown/tests_shutdown.py b/bin/tests/system/shutdown/tests_shutdown.py index 89cada2..19f853b 100755 --- a/bin/tests/system/shutdown/tests_shutdown.py 
+++ b/bin/tests/system/shutdown/tests_shutdown.py @@ -175,8 +175,8 @@ def test_named_shutdown(named_port, control_port, kill_method): rndc = os.getenv("RNDC") assert rndc is not None - # rndc configuration resides in ../common/rndc.conf - rndc_cfg = os.path.join("..", "common", "rndc.conf") + # rndc configuration resides in ../_common/rndc.conf + rndc_cfg = os.path.join("..", "_common", "rndc.conf") assert os.path.isfile(rndc_cfg) # rndc command with default arguments. diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index 1da21bf..70a4dc7 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh @@ -67,7 +67,7 @@ pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) echo_i "setting child's activation time" # using now+30s to fix RT 24561 -$SETTIME -A now+30s $cksk2 > /dev/null +$SETTIME -A now+30s $cksk2 >/dev/null echo_i "signing child zone" czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) @@ -91,14 +91,14 @@ pkid=$(keyfile_to_key_id $pksk) echo_i "checking dnssec-signzone output matches expectations" ret=0 -echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "parent $pzoneout" - echo_i "child $czoneout" - echo_i "failed"; + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed" fi status=$((status + ret)) 
@@ -107,81 +107,81 @@ ret=0 # use an alternate output file so -x doesn't interfere with later checks pzoneout=$($SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile) czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile) -echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "parent $pzoneout" - echo_i "child $czoneout" - echo_i "failed"; + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed" fi status=$((status + ret)) echo_i "checking parent zone DNSKEY set" ret=0 -grep "key id = $pzid" $pfile.signed > /dev/null || { - ret=1 - echo_i "missing expected parent ZSK id = $pzid" +grep "key id = $pzid" $pfile.signed >/dev/null || { + ret=1 + echo_i "missing expected parent ZSK id = $pzid" } -grep "key id = $pkid" $pfile.signed > /dev/null || { - ret=1 - echo_i "missing expected parent KSK id = $pkid" +grep "key id = $pkid" $pfile.signed >/dev/null || { + ret=1 + echo_i "missing expected parent KSK id = $pkid" } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking parent zone DS records" ret=0 -awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out -grep -w "$ckactive" dsset.out > /dev/null || ret=1 -grep -w "$ckpublished" dsset.out > /dev/null || ret=1 +awk '$2 == "DS" {print $3}' $pfile.signed >dsset.out +grep -w "$ckactive" dsset.out >/dev/null || 
ret=1 +grep -w "$ckpublished" dsset.out >/dev/null || ret=1 # revoked key should not be there, hence the && -grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1 -grep -w "$ckrevoked" dsset.out > /dev/null && ret=1 +grep -w "$ckprerevoke" dsset.out >/dev/null && ret=1 +grep -w "$ckrevoked" dsset.out >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking child zone DNSKEY set" ret=0 -grep "key id = $ckactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child KSK id = $ckactive" +grep "key id = $ckactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child KSK id = $ckactive" } -grep "key id = $ckpublished\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child prepublished KSK id = $ckpublished" +grep "key id = $ckpublished\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child prepublished KSK id = $ckpublished" } -grep "key id = $ckrevoked\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child revoked KSK id = $ckrevoked" +grep "key id = $ckrevoked\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child revoked KSK id = $ckrevoked" } -grep "key id = $czactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child ZSK id = $czactive" +grep "key id = $czactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child ZSK id = $czactive" } -grep "key id = $czpublished\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child prepublished ZSK id = $czpublished" +grep "key id = $czpublished\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child prepublished ZSK id = $czpublished" } -grep "key id = $czinactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child inactive ZSK id = $czinactive" +grep "key id = $czinactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child inactive ZSK id 
= $czinactive" } # should not be there, hence the && -grep "key id = $ckprerevoke\$" $cfile.signed > /dev/null && { - ret=1 - echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke" +grep "key id = $ckprerevoke\$" $cfile.signed >/dev/null && { + ret=1 + echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke" } -grep "key id = $czgenerated\$" $cfile.signed > /dev/null && { - ret=1 - echo_i "found unexpected child generated ZSK id = $czgenerated" +grep "key id = $czgenerated\$" $cfile.signed >/dev/null && { + ret=1 + echo_i "found unexpected child generated ZSK id = $czgenerated" } -grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && { - echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)" +grep "key id = $czpredecessor\$" $cfile.signed >/dev/null && { + echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)" } -grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && { - echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)" +grep "key id = $czsuccessor\$" $cfile.signed >/dev/null && { + echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)" } #grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1 #grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1 
@@ -190,29 +190,29 @@ status=$((status + ret)) echo_i "checking key TTLs are correct" ret=0 -grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1 -grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1 -grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 -$SETTIME -L 45 ${czsk2} > /dev/null -grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 -$SETTIME -L 0 ${czsk2} > /dev/null -grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${czsk1}.key >/dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${cksk1}.key >/dev/null 2>&1 || ret=1 +grep "${czone}. IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 +$SETTIME -L 45 ${czsk2} >/dev/null +grep "${czone}. 45 IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 +$SETTIME -L 0 ${czsk2} >/dev/null +grep "${czone}. IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking key TTLs were imported correctly" ret=0 awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \ - ${cfile}.signed || ret=1 + ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "re-signing and checking imported TTLs again" ret=0 -$SETTIME -L 15 ${czsk2} > /dev/null +$SETTIME -L 15 ${czsk2} >/dev/null czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ - ${cfile}.signed || ret=1 + ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -222,108 +222,159 @@ status=$((status + ret)) echo_i "checking child zone signatures" ret=0 # check DNSKEY signatures first -awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed >dnskey.sigs sub=0 -grep -w "$ckactive" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing ckactive $ckactive (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckactive" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing ckactive $ckactive (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckrevoked" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing ckrevoke $ckrevoke (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckrevoked" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing ckrevoke $ckrevoke (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czactive" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing czactive $czactive (dnskey)"; ret=1; fi +grep -w "$czactive" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing czactive $czactive (dnskey)" + ret=1 +fi # should not be there: -echo $ret > /dev/null +echo $ret >/dev/null sync sub=0 -grep -w "$ckprerevoke" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckprerevoke" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckprerevoke $ckprerevoke (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckpublished" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckpublished" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckpublished $ckpublished (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep 
-w "$czpublished" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpublished" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpublished $czpublished (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czinactive" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czinactive" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czinactive $czinactive (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czgenerated" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (dnskey)"; ret=1; fi +grep -w "$czgenerated" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czgenerated $czgenerated (dnskey)" + ret=1 +fi # now check other signatures first -awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un > other.sigs +awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un >other.sigs # should not be there: -echo $ret > /dev/null +echo $ret >/dev/null sync sub=0 -grep -w "$ckactive" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckactive $ckactive (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckactive" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckactive $ckactive (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckpublished" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckpublished" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckpublished $ckpublished (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w 
"$ckprerevoke" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckprerevoke" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckprerevoke $ckprerevoke (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckrevoked" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckrevoked $ckrevoked (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckrevoked" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckrevoked $ckrevoked (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czpublished" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpublished" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpublished $czpublished (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czinactive" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czinactive" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czinactive $czinactive (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czgenerated" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czgenerated" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czgenerated $czgenerated (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czpredecessor" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpredecessor $czpredecessor (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpredecessor" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpredecessor $czpredecessor (other)" + ret=1 +fi +echo $ret >/dev/null sync 
sub=0 -grep -w "$czsuccessor" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czsuccessor $czsuccessor (other)"; ret=1; fi +grep -w "$czsuccessor" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czsuccessor $czsuccessor (other)" + ret=1 +fi if [ $ret != 0 ]; then - sed 's/^/I:dnskey sigs: /' < dnskey.sigs - sed 's/^/I:other sigs: /' < other.sigs - echo_i "failed"; + sed 's/^/I:dnskey sigs: /' /dev/null | - awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' | - cut -c1-10) -soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null | - awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' | - cut -c1-10) +dnskey_expiry=$($CHECKZONE -o - $czone $cfile.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' \ + | cut -c1-10) +soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' \ + | cut -c1-10) [ $dnskey_expiry -gt $soa_expiry ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -336,14 +387,14 @@ mv $cfile.new $cfile.signed echo_i "checking dnssec-signzone output matches expectations" ret=0 -echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1 +echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking child zone signatures again" ret=0 -awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs -grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1 +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed >dnskey.sigs +grep -w "$ckpublished" dnskey.sigs >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
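Review bot: The re-flowed failure message `echo_i "missing ckrevoke $ckrevoke (dnskey)"` references `$ckrevoke`, which nothing in the visible lines assigns; the grep just above it tests `$ckrevoked`, so when that check fails the diagnostic prints an empty key id. The commit rewrites that exact line and could correct it at the same time: `echo_i "missing ckrevoked $ckrevoked (dnskey)"`. The `echo $ret >/dev/null` and `sync` lines between the checks are carried over unchanged as well; they look like leftover debugging scaffolding with no effect on the result, and dropping them would shorten this block considerably, though that is a separate cleanup from the reformat.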
@@ -357,8 +408,8 @@ status=$((status + ret)) # this also checks that the future sync record is not yet published echo_i "checking sync record deletion" ret=0 -$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null -$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null +$SETTIME -P now -A now -Dsync now ${cksk5} >/dev/null +$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed >/dev/null mv $cfile.new $cfile.signed awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1 awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1 diff --git a/bin/tests/system/sortlist/tests.sh b/bin/tests/system/sortlist/tests.sh index 894b022..d3ce7ad 100644 --- a/bin/tests/system/sortlist/tests.sh +++ b/bin/tests/system/sortlist/tests.sh @@ -35,18 +35,18 @@ $DIG $DIGOPTS a.example. @10.53.0.1 -b 10.53.0.1 >test1.dig diff test1.dig test1.good || status=1 echo_i "test 1-element sortlist statement and undocumented BIND 8 features" - cat <test2.good +cat <test2.good b.example. 300 IN A 10.53.0.$n EOF -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q | \ - grep -E '10.53.0.(2|3)$' > test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q | \ - grep -E '10.53.0.(2|3)$' >> test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q | \ - grep -E '10.53.0.4$' >> test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q | \ - grep -E '10.53.0.5$' >> test2.out || status=1 +$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q \ + | grep -E '10.53.0.(2|3)$' >test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q \ + | grep -E '10.53.0.(2|3)$' >>test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q \ + | grep -E '10.53.0.4$' >>test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q \ + | grep -E '10.53.0.5$' >>test2.out || status=1 echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh index 07e6c19..a74f559 100644 --- a/bin/tests/system/spf/tests.sh +++ b/bin/tests/system/spf/tests.sh @@ -19,26 +19,25 @@ n=1 status=0 # Wait until all zones are loaded before checking SPF related logs -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "all zones loaded" ns1/named.run > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "all zones loaded" ns1/named.run >/dev/null && break + sleep 1 done echo_i "checking that SPF warnings have been correctly generated ($n)" ret=0 -grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1 -grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone spf/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.spf' found type SPF" ns1/named.run >/dev/null || ret=1 +grep "'spf' found type SPF" ns1/named.run >/dev/null && ret=1 -grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1 -grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone warn/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.warn' found type SPF" ns1/named.run >/dev/null || ret=1 +grep "'warn' found type SPF" ns1/named.run >/dev/null && ret=1 -grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 -grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone nowarn/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.nowarn' found type SPF" ns1/named.run >/dev/null && ret=1 +grep "'nowarn' found type SPF" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl index 2a2d780..904aa9b 100755 
--- a/bin/tests/system/start.pl +++ b/bin/tests/system/start.pl @@ -230,22 +230,13 @@ sub construct_ns_command { my $command; - if ($ENV{'USE_VALGRIND'}) { - $command = "valgrind -q --gen-suppressions=all --num-callers=48 --fullpath-after= --log-file=named-$server-valgrind-%p.log "; - - if ($ENV{'USE_VALGRIND'} eq 'helgrind') { - $command .= "--tool=helgrind "; - } else { - $command .= "--tool=memcheck --track-origins=yes --leak-check=full "; - } - - $command .= "$NAMED -m none "; + if ($taskset) { + $command = "taskset $taskset $NAMED "; + } elsif ($ENV{'USE_RR'}) { + $ENV{'_RR_TRACE_DIR'} = "."; + $command = "rr record --chaos $NAMED "; } else { - if ($taskset) { - $command = "taskset $taskset $NAMED "; - } else { - $command = "$NAMED "; - } + $command = "$NAMED "; } my $args_file = $testdir . "/" . $server . "/" . "named.args"; diff --git a/bin/tests/system/staticstub/ns2/named.conf.in b/bin/tests/system/staticstub/ns2/named.conf.in index 55483ab..a734071 100644 --- a/bin/tests/system/staticstub/ns2/named.conf.in +++ b/bin/tests/system/staticstub/ns2/named.conf.in @@ -37,7 +37,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh index 9d87137..ec99bb8 100755 --- a/bin/tests/system/staticstub/ns3/sign.sh +++ b/bin/tests/system/staticstub/ns3/sign.sh 
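Review bot: Removing the valgrind branch means an exported `USE_VALGRIND` is now silently ignored and `named` is started bare, while the new `USE_RR` branch is just as silently shadowed whenever `$taskset` is set, since it is only reached from the `elsif`. A short guard ahead of the chain would make the first case visible, `warn "USE_VALGRIND is no longer supported by start.pl; ignoring\n" if $ENV{'USE_VALGRIND'};`, and either a similar warning or wrapping the taskset command in `rr record --chaos` would cover the second. Note also that `$ENV{'_RR_TRACE_DIR'} = "."` mutates the driver's own environment rather than just this command line, so it is inherited by every process spawned afterwards and resolves relative to whatever the working directory is at spawn time, presumably the test directory; a comment stating that this is intended would help. construct_ns_command starts before this hunk and continues after it.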
@@ -17,27 +17,27 @@ zone=example. infile=example.db.in zonefile=example.db -(cd ../ns4 && $SHELL -e sign.sh ) +(cd ../ns4 && $SHELL -e sign.sh) cp ../ns4/dsset-sub.example. . keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null # Configure the resolving server with a trusted key. -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf zone=undelegated infile=undelegated.db.in zonefile=undelegated.db keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null -keyfile_to_static_ds $keyname2 >> trusted.conf +keyfile_to_static_ds $keyname2 >>trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh index 0598016..c8f778e 100755 --- a/bin/tests/system/staticstub/ns4/sign.sh +++ b/bin/tests/system/staticstub/ns4/sign.sh @@ -20,6 +20,6 @@ zonefile=${zone}.db keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone $zonefile > /dev/null +$SIGNER -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh index 61c5621..38e2218 100755 --- a/bin/tests/system/staticstub/setup.sh +++ b/bin/tests/system/staticstub/setup.sh 
@@ -15,10 +15,10 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in tmp -sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp > ns2/named.conf +sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp >ns2/named.conf copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp >ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf diff --git a/bin/tests/system/staticstub/tests.sh b/bin/tests/system/staticstub/tests.sh index e0f5788..9e1b3f6 100755 --- a/bin/tests/system/staticstub/tests.sh +++ b/bin/tests/system/staticstub/tests.sh 
@@ -16,54 +16,52 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) echo_i "trying an axfr that should be denied (NOTAUTH) ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1 -grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr >dig.out.ns2.test$n || ret=1 +grep "; Transfer failed." dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" ret=0 - $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \ - || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec data.example. 
@10.53.0.2 txt >dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" ret=0 -$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \ - || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt >dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -71,15 +69,15 @@ n=$((n + 1)) echo_i "allow-query ACL ($n)" ret=0 $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \ - > dig.out.ns2.test$n || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 + >dig.out.ns2.test$n || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "look for static-stub zone data with recursion (should be found) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -88,11 +86,11 @@ n=$((n + 1)) echo_i "checking authoritative NS is ignored for delegation ($n)" ret=0 # the auth server returns a different (and incorrect) NS for .example. -$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1 -grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 ns >dig.out.ns2.test1.$n || ret=1 +grep "ns4.example." dig.out.ns2.test1.$n >/dev/null || ret=1 # but static-stub configuration should still be used -$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 -grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt >dig.out.ns2.test2.$n || ret=1 +grep "2nd test data" dig.out.ns2.test2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -100,24 +98,23 @@ n=$((n + 1)) echo_i "checking queries for a child zone of the static-stub zone ($n)" ret=0 # prime the delegation to a child zone of the static-stub zone -$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1 -grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt >dig.out.ns2.test1.$n || ret=1 +grep "1st sub test data" dig.out.ns2.test1.$n >/dev/null || ret=1 # temporarily disable the the parent zone copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp >ns3/named.conf rndc_reload ns3 10.53.0.3 # query the child zone again. this should directly go to the child and # succeed. -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 - grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt >dig.out.ns2.test2.$n || ret=1 + grep "2nd sub test data" dig.out.ns2.test2.$n >/dev/null && break + sleep 1 done -grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +grep "2nd sub test data" dig.out.ns2.test2.$n >/dev/null || ret=1 # re-enable the parent copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp >ns3/named.conf rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -126,16 +123,16 @@ n=$((n + 1)) echo_i "checking authoritative NS addresses are ignored for delegation ($n)" ret=0 # the auth server returns a different (and incorrect) A/AAA RR for .example. -$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1 -grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1 -$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1 -grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 a >dig.out.ns2.test1.$n || ret=1 +grep "10.53.0.4" dig.out.ns2.test1.$n >/dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa >dig.out.ns2.test2.$n || ret=1 +grep "::1" dig.out.ns2.test2.$n >/dev/null || ret=1 # reload the server. this will flush the ADB. rndc_reload ns2 10.53.0.2 # ask another RR that would require delegation. static-stub configuration # should still be used instead of the authoritative A/AAAA cached above. -$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1 -grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt >dig.out.ns2.test3.$n || ret=1 +grep "3rd test data" dig.out.ns2.test3.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -145,8 +142,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "example com data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -154,8 +151,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking static-stub with a server-name ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "example org data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -163,33 +160,32 @@ n=$((n + 1)) # Note: for a short term workaround we use ::1, assuming it's configured and # usable for our tests. We should eventually use the test ULA and available # checks introduced in change 2916. -if testsock6 ::1 -then - echo_i "checking IPv6 static-stub address ($n)" - ret=0 - $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 - grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if testsock6 ::1; then + echo_i "checking IPv6 static-stub address ($n)" + ret=0 + $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 + grep "example info data" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "SKIPPED: checking IPv6 static-stub address ($n)" + echo_i "SKIPPED: checking IPv6 static-stub address ($n)" fi n=$((n + 1)) echo_i "look for static-stub zone data with DNSSEC validation ($n)" ret=0 -$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "4th test data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)" ret=0 -$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +dnssec data3.sub.example. 
@10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3rd sub test data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,20 +194,20 @@ n=$((n + 1)) echo_i "checking server reload with a different static-stub config ($n)" ret=0 copy_setports ns2/named.conf.in tmp -sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf +sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp >ns2/named.conf rndc_reload ns2 10.53.0.2 -$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "2nd example org data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)" ret=0 -$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n -$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n -grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1 +$DIG $DIGOPTS undelegated. @10.53.0.2 ds >dig.out.ns2.ds.test$n +$DIG $DIGOPTS undelegated. @10.53.0.2 soa >dig.out.ns2.soa.test$n +grep "status: NXDOMAIN" dig.out.ns2.ds.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns2.soa.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/statistics/ns2/named.conf.in b/bin/tests/system/statistics/ns2/named.conf.in index 48fb8b4..30c4651 100644 --- a/bin/tests/system/statistics/ns2/named.conf.in +++ b/bin/tests/system/statistics/ns2/named.conf.in 
@@ -40,7 +40,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/statistics/ns2/named2.conf.in b/bin/tests/system/statistics/ns2/named2.conf.in index d370931..39772f9 100644 --- a/bin/tests/system/statistics/ns2/named2.conf.in +++ b/bin/tests/system/statistics/ns2/named2.conf.in @@ -40,7 +40,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/statistics/prereq.sh b/bin/tests/system/statistics/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/statistics/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/statistics/tests.sh b/bin/tests/system/statistics/tests.sh index af57b60..f668e86 100644 --- a/bin/tests/system/statistics/tests.sh +++ b/bin/tests/system/statistics/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGCMD="$DIG +tcp -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf" status=0 
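Review bot: In the new prereq.sh the check `if ! ${PERL} -MNet::DNS -e ''; then` leaves `${PERL}` unquoted and does not distinguish a missing interpreter from a missing module: if conf.sh ever leaves PERL empty or pointing at a non-executable path, the command fails for that reason and the script still reports `perl Net::DNS module is required`. Quoting the variable and asserting it first keeps the diagnosis honest, e.g. `: "${PERL:?PERL is not set by conf.sh}"` before the test and `"${PERL}" -MNet::DNS -e ''` inside it. Whether perl's own "Can't locate Net/DNS.pm" output should stay on stderr or be silenced with `2>/dev/null` depends on how the other prereq.sh scripts behave, which is not visible here.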
@@ -26,19 +26,19 @@ stats=0 nsock0nstat=0 nsock1nstat=0 rndc_stats() { - _ns=$1 - _ip=$2 + _ns=$1 + _ip=$2 - $RNDCCMD -s $_ip stats > /dev/null 2>&1 || return 1 - [ -f "${_ns}/named.stats" ] || return 1 + $RNDCCMD -s $_ip stats >/dev/null 2>&1 || return 1 + [ -f "${_ns}/named.stats" ] || return 1 - last_stats=named.stats.$_ns-$stats-$n - mv ${_ns}/named.stats $last_stats - stats=$((stats+1)) + last_stats=named.stats.$_ns-$stats-$n + mv ${_ns}/named.stats $last_stats + stats=$((stats + 1)) } echo_i "fetching a.example from ns2's initial configuration ($n)" -$DIGCMD +noauth a.example. @10.53.0.2 any > dig.out.ns2.1 || ret=1 +$DIGCMD +noauth a.example. @10.53.0.2 any >dig.out.ns2.1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -52,29 +52,29 @@ n=$((n + 1)) ret=0 echo_i "verifying adb records in named.stats ($n)" -grep "ADB stats" $last_stats > /dev/null || ret=1 +grep "ADB stats" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking for 1 entry in adb hash table in named.stats ($n)" -grep "1 Addresses in hash table" $last_stats > /dev/null || ret=1 +grep "1 Addresses in hash table" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying cache statistics in named.stats ($n)" -grep "Cache Statistics" $last_stats > /dev/null || ret=1 +grep "Cache Statistics" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking for 2 entries in adb hash table in named.stats ($n)" -$DIGCMD a.example.info. @10.53.0.2 any > /dev/null 2>&1 +$DIGCMD a.example.info. @10.53.0.2 any >/dev/null 2>&1 rndc_stats ns2 10.53.0.2 || ret=1 -grep "2 Addresses in hash table" $last_stats > /dev/null || ret=1 +grep "2 Addresses in hash table" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -89,13 +89,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "sending queries to ns3" -$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. any > /dev/null 2>&1 || true +$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. any >/dev/null 2>&1 || true ret=0 echo_i "dumping updated stats for ns3 ($n)" getstats() { - rndc_stats ns3 10.53.0.3 || return 1 - grep "2 recursing clients" $last_stats > /dev/null || return 1 + rndc_stats ns3 10.53.0.3 || return 1 + grep "2 recursing clients" $last_stats >/dev/null || return 1 } retry_quiet 5 getstats || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -104,14 +104,14 @@ n=$((n + 1)) ret=0 echo_i "verifying recursing clients output in named.stats ($n)" -grep "2 recursing clients" $last_stats > /dev/null || ret=1 +grep "2 recursing clients" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying active fetches output in named.stats ($n)" -grep "1 active fetches" $last_stats > /dev/null || ret=1 +grep "1 active fetches" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) 
@@ -128,33 +128,33 @@ n=$((n + 1)) # no status line is emitted. ret=0 echo_i "verifying queries in progress in named.stats ($n)" -grep "1 UDP queries in progress" $last_stats > /dev/null || ret=1 -grep "TCP queries in progress" $last_stats > /dev/null && ret=1 +grep "1 UDP queries in progress" $last_stats >/dev/null || ret=1 +grep "TCP queries in progress" $last_stats >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying bucket size output ($n)" -grep "bucket size" $last_stats > /dev/null || ret=1 +grep "bucket size" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking priming queries are counted ($n)" -grep "priming queries" $last_stats > /dev/null || ret=1 +grep "priming queries" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking that zones with slash are properly shown in XML output ($n)" -if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then - ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 - grep '' curl.out.${n} > /dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ]; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones >curl.out.${n} 2>/dev/null || ret=1 + grep '' curl.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl was not found" + echo_i "skipping test as libxml2 and/or curl was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -162,11 +162,11 @@ n=$((n + 1)) ret=0 echo_i "checking that zones return their type ($n)" -if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then - ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 - grep 'primary' curl.out.${n} > /dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ]; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones >curl.out.${n} 2>/dev/null || ret=1 + grep 'primary' curl.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl was not found" + echo_i "skipping test as libxml2 and/or curl was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -174,57 +174,57 @@ n=$((n + 1)) ret=0 echo_i "checking bind9.xsl vs xml ($n)" -if $FEATURETEST --have-libxml2 && "${CURL}" --http1.1 http://10.53.0.3:${EXTRAPORT1} > /dev/null 2>&1 && [ -x "${XSLTPROC}" ] ; then - $DIGCMD +notcp +recurse @10.53.0.3 soa . > dig.out.test$n.1 2>&1 - $DIGCMD +notcp +recurse @10.53.0.3 soa example > dig.out.test$n.2 2>&1 - # check multiple requests over the same socket - time1=$($PERL -e 'print time(), "\n";') - ${CURL} --http1.1 -o curl.out.${n}.xml http://10.53.0.3:${EXTRAPORT1}/xml/v3 \ - -o curl.out.${n}.xsl http://10.53.0.3:${EXTRAPORT1}/bind9.xsl 2>/dev/null || ret=1 - time2=$($PERL -e 'print time(), "\n";') - test $((time2 - time1)) -lt 5 || ret=1 - diff ${TOP_SRCDIR}/bin/named/bind9.xsl curl.out.${n}.xsl || ret=1 - ${XSLTPROC} curl.out.${n}.xsl - < curl.out.${n}.xml > xsltproc.out.${n} 2>/dev/null || ret=1 - cp curl.out.${n}.xml stats.xml.out || ret=1 +if $FEATURETEST --have-libxml2 && "${CURL}" --http1.1 http://10.53.0.3:${EXTRAPORT1} >/dev/null 2>&1 && [ -x "${XSLTPROC}" ]; then + $DIGCMD +notcp +recurse @10.53.0.3 soa . >dig.out.test$n.1 2>&1 + $DIGCMD +notcp +recurse @10.53.0.3 soa example >dig.out.test$n.2 2>&1 + # check multiple requests over the same socket + time1=$($PERL -e 'print time(), "\n";') + ${CURL} --http1.1 -o curl.out.${n}.xml http://10.53.0.3:${EXTRAPORT1}/xml/v3 \ + -o curl.out.${n}.xsl http://10.53.0.3:${EXTRAPORT1}/bind9.xsl 2>/dev/null || ret=1 + time2=$($PERL -e 'print time(), "\n";') + test $((time2 - time1)) -lt 5 || ret=1 + diff ${TOP_SRCDIR}/bin/named/bind9.xsl curl.out.${n}.xsl || ret=1 + ${XSLTPROC} curl.out.${n}.xsl - xsltproc.out.${n} 2>/dev/null || ret=1 + cp curl.out.${n}.xml stats.xml.out || ret=1 - # - # grep for expected sections. - # - grep "

ISC Bind 9 Configuration and Statistics

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Server Status

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Incoming Requests by DNS Opcode

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Incoming Queries by Query Type

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Outgoing Queries per view

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

View " xsltproc.out.${n} >/dev/null || ret=1 - grep "

Server Statistics

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Zone Maintenance Statistics

" xsltproc.out.${n} >/dev/null || ret=1 - # grep "

Resolver Statistics (Common)

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "

ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "

Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - # grep "

Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "

Traffic Size Statistics

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

UDP Requests Received

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

UDP Responses Sent

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

TCP Requests Received

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

TCP Responses Sent

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Socket I/O Statistics

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Zones for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "

Received QTYPES per view/zone

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Response Codes per view/zone

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 - # grep "

Glue cache statistics

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Task Manager Configuration

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Tasks

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Memory Usage Summary

" xsltproc.out.${n} >/dev/null || ret=1 - grep "

Memory Contexts

" xsltproc.out.${n} >/dev/null || ret=1 + # + # grep for expected sections. + # + grep "

ISC Bind 9 Configuration and Statistics

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Server Status

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Incoming Requests by DNS Opcode

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Incoming Queries by Query Type

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Outgoing Queries per view

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

View " xsltproc.out.${n} >/dev/null || ret=1 + grep "

Server Statistics

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Zone Maintenance Statistics

" xsltproc.out.${n} >/dev/null || ret=1 + # grep "

Resolver Statistics (Common)

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "

ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "

Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + # grep "

Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "

Traffic Size Statistics

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

UDP Requests Received

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

UDP Responses Sent

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

TCP Requests Received

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

TCP Responses Sent

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Socket I/O Statistics

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Zones for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "

Received QTYPES per view/zone

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Response Codes per view/zone

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 + # grep "

Glue cache statistics

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Task Manager Configuration

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Tasks

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Memory Usage Summary

" xsltproc.out.${n} >/dev/null || ret=1 + grep "

Memory Contexts

" xsltproc.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl with HTTP/1.1 support and/or xsltproc was not found" + echo_i "skipping test as libxml2 and/or curl with HTTP/1.1 support and/or xsltproc was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -232,23 +232,23 @@ n=$((n + 1)) ret=0 echo_i "checking bind9.xml socket statistics ($n)" -if $FEATURETEST --have-libxml2 && [ -e stats.xml.out ] && [ -x "${XSLTPROC}" ] ; then - # Socket statistics (expect no errors) - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - # grep "0" stats.xml.out >/dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -e stats.xml.out ] && [ -x "${XSLTPROC}" ]; then + # Socket statistics (expect no errors) + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + # grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 - grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 + grep "0" stats.xml.out >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or stats.xml.out file and/or xsltproc was not found" + echo_i "skipping test as libxml2 and/or stats.xml.out file and/or xsltproc was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -258,22 +258,22 @@ echo_i "Check that 'zone-statistics full;' is processed by 'rndc reconfig' ($n)" ret=0 # off by default rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null && ret=0 # turn on copy_setports ns2/named2.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null || ret=1 # turn off copy_setports ns2/named.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null && ret=0 # turn on copy_setports ns2/named2.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) diff --git a/bin/tests/system/statschannel/conftest.py b/bin/tests/system/statschannel/conftest.py index 363dd7a..c26935b 100644 --- a/bin/tests/system/statschannel/conftest.py +++ b/bin/tests/system/statschannel/conftest.py 
@@ -9,17 +9,9 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -import os import pytest -@pytest.fixture -def statsport(request): - # pylint: disable=unused-argument - env_port = os.getenv("EXTRAPORT1") - if env_port is None: - env_port = 5301 - else: - env_port = int(env_port) - - return env_port +@pytest.fixture(scope="module") +def statsport(ports): + return ports["EXTRAPORT1"] diff --git a/bin/tests/system/statschannel/generic.py b/bin/tests/system/statschannel/generic.py index bf4b038..f4b3d85 100644 --- a/bin/tests/system/statschannel/generic.py +++ b/bin/tests/system/statschannel/generic.py @@ -10,8 +10,16 @@ # information regarding copyright ownership. from datetime import datetime, timedelta +from collections import defaultdict +from time import sleep import os +import dns.message +import dns.query +import dns.rcode + +import isctest + # ISO datetime format without msec fmt = "%Y-%m-%dT%H:%M:%SZ" @@ -19,9 +27,11 @@ fmt = "%Y-%m-%dT%H:%M:%SZ" # The constants were taken from BIND 9 source code (lib/dns/zone.c) max_refresh = timedelta(seconds=2419200) # 4 weeks max_expires = timedelta(seconds=14515200) # 24 weeks -now = datetime.utcnow().replace(microsecond=0) dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0) +# Wait for the secondary zone files to appear to extract their mtime +max_secondary_zone_waittime_sec = 5 + # Generic helper functions def check_expires(expires, min_time, max_time): 
@@ -34,21 +44,20 @@ def check_refresh(refresh, min_time, max_time): assert refresh <= max_time -def check_loaded(loaded, expected): # pylint: disable=unused-argument +def check_loaded(loaded, expected, now): # Sanity check the zone timers values - # NOTE This check has been disabled due to GL #3983 - # assert loaded == expected - # assert loaded < now - pass + assert (loaded - expected).total_seconds() < max_secondary_zone_waittime_sec + assert loaded <= now def check_zone_timers(loaded, expires, refresh, loaded_exp): + now = datetime.utcnow().replace(microsecond=0) # Sanity checks the zone timers values if expires is not None: check_expires(expires, now, now + max_expires) if refresh is not None: check_refresh(refresh, now, now + max_refresh) - check_loaded(loaded, loaded_exp) + check_loaded(loaded, loaded_exp, now) # @@ -88,12 +97,26 @@ def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] - zones = fetch_zones(statsip, statsport) - - for zone in zones: - (name, loaded, expires, refresh) = load_timers(zone, False) - mtime = zone_mtime(zonedir, name) - check_zone_timers(loaded, expires, refresh, mtime) + # If any one of the zone files isn't ready, then retry until timeout. + tries = max_secondary_zone_waittime_sec + while tries >= 0: + zones = fetch_zones(statsip, statsport) + again = False + for zone in zones: + (name, loaded, expires, refresh) = load_timers(zone, False) + mtime = zone_mtime(zonedir, name) + if (mtime != dayzero) or (tries == 0): + # mtime was either retrieved successfully or no tries were + # left, run the check anyway. + check_zone_timers(loaded, expires, refresh, mtime) + else: + tries = tries - 1 + again = True + break + if again: + sleep(1) + else: + break def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): 
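Review bot: The new `check_loaded` only bounds `loaded - expected` from above, so a `loaded` timestamp arbitrarily earlier than the zone file's mtime (a negative difference) still passes its first assertion. If the intent is to keep the two timestamps within `max_secondary_zone_waittime_sec` of each other, the line should read `assert abs((loaded - expected).total_seconds()) < max_secondary_zone_waittime_sec`; if a load is instead expected to precede the dump, that allowed direction is worth a comment, e.g. `# loaded may precede the dump's mtime; only bound how far it may lag behind`. Note that the retry loop in `test_zone_timers_secondary` (the second hunk) deliberately reaches this check with `expected == dayzero` once `tries` hits 0, so this assertion is also what turns a still-missing zone file into a failure — a short comment there saying so would help the next reader.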
@@ -106,3 +129,101 @@ def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): name = load_zone(zone) if name == "manykeys": check_manykeys(name) + + +def create_msg(qname, qtype): + msg = dns.message.make_query( + qname, qtype, want_dnssec=True, use_edns=0, payload=4096 + ) + + return msg + + +def create_expected(data): + expected = { + "dns-tcp-requests-sizes-received-ipv4": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), + "dns-udp-requests-sizes-received-ipv4": defaultdict(int), + "dns-udp-requests-sizes-received-ipv6": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), + } + + for k, v in data.items(): + for kk, vv in v.items(): + expected[k][kk] += vv + + return expected + + +def update_expected(expected, key, msg): + msg_len = len(msg.to_wire()) + bucket_num = (msg_len // 16) * 16 + bucket = "{}-{}".format(bucket_num, bucket_num + 15) + + expected[key][bucket] += 1 + + +def check_traffic(data, expected): + def ordered(obj): + if isinstance(obj, dict): + return sorted((k, ordered(v)) for k, v in obj.items()) + if isinstance(obj, list): + return sorted(ordered(x) for x in obj) + return obj + + ordered_data = ordered(data) + ordered_expected = ordered(expected) + + assert len(ordered_data) == 8 + assert len(ordered_expected) == 8 + assert len(data) == len(ordered_data) + assert len(expected) == len(ordered_expected) + + assert ordered_data == ordered_expected + + +def test_traffic(fetch_traffic, **kwargs): + statsip = kwargs["statsip"] + statsport = kwargs["statsport"] + + data = fetch_traffic(statsip, statsport) + exp = create_expected(data) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = isctest.query.udp(msg, statsip) + isctest.check.noerror(ans) + 
update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = isctest.query.udp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = isctest.query.tcp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = isctest.query.tcp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) diff --git a/bin/tests/system/statschannel/generic_dnspython.py b/bin/tests/system/statschannel/generic_dnspython.py deleted file mode 100644 index 34a0398..0000000 --- a/bin/tests/system/statschannel/generic_dnspython.py +++ /dev/null 
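Review bot: `update_expected` sizes the response bucket from `len(ans.to_wire())`, i.e. a re-serialisation of the parsed answer, while the server's `dns-*-responses-sizes-sent-*` counters presumably reflect the bytes it actually sent; if dnspython's rendering (name compression, EDNS option layout) differs in length from the original datagram near a 16-byte boundary, the expected bucket is off by one and `check_traffic` fails intermittently. Measuring the received payload length directly, or at least documenting the assumption with `# assumes dnspython re-renders the answer to the same length named sent`, would make the test more robust. The request side is unaffected, since the query is rendered once by dnspython and sent as-is. `test_zone_with_many_keys`, whose tail opens this hunk, starts outside it.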
@@ -1,128 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -from collections import defaultdict - -import dns.message -import dns.query -import dns.rcode - - -TIMEOUT = 10 - - -def create_msg(qname, qtype): - msg = dns.message.make_query( - qname, qtype, want_dnssec=True, use_edns=0, payload=4096 - ) - - return msg - - -def udp_query(ip, port, msg): - ans = dns.query.udp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def tcp_query(ip, port, msg): - ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def create_expected(data): - expected = { - "dns-tcp-requests-sizes-received-ipv4": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), - "dns-udp-requests-sizes-received-ipv4": defaultdict(int), - "dns-udp-requests-sizes-received-ipv6": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), - } - - for k, v in data.items(): - for kk, vv in v.items(): - expected[k][kk] += vv - - return expected - - -def update_expected(expected, key, msg): - msg_len = len(msg.to_wire()) - bucket_num = (msg_len // 16) * 16 - bucket = "{}-{}".format(bucket_num, bucket_num + 15) - - expected[key][bucket] += 1 - - -def check_traffic(data, expected): - def ordered(obj): - if isinstance(obj, dict): - return sorted((k, ordered(v)) for k, v in obj.items()) - if isinstance(obj, list): - return 
sorted(ordered(x) for x in obj) - return obj - - ordered_data = ordered(data) - ordered_expected = ordered(expected) - - assert len(ordered_data) == 8 - assert len(ordered_expected) == 8 - assert len(data) == len(ordered_data) - assert len(expected) == len(ordered_expected) - - assert ordered_data == ordered_expected - - -def test_traffic(fetch_traffic, **kwargs): - statsip = kwargs["statsip"] - statsport = kwargs["statsport"] - port = kwargs["port"] - - data = fetch_traffic(statsip, statsport) - exp = create_expected(data) - - msg = create_msg("short.example.", "TXT") - update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = udp_query(statsip, port, msg) - update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("long.example.", "TXT") - update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = udp_query(statsip, port, msg) - update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("short.example.", "TXT") - update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = tcp_query(statsip, port, msg) - update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("long.example.", "TXT") - update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = tcp_query(statsip, port, msg) - update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh index f9429ca..5a507da 100644 --- a/bin/tests/system/statschannel/ns2/sign.sh +++ b/bin/tests/system/statschannel/ns2/sign.sh 
@@ -22,9 +22,9 @@ zonefile=dnssec.db.signed ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # Sign deliberately with a very short expiration date. -"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1 -keyfile_to_key_id "$ksk" > dnssec.ksk.id -keyfile_to_key_id "$zsk" > dnssec.zsk.id +"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +keyfile_to_key_id "$ksk" >dnssec.ksk.id +keyfile_to_key_id "$zsk" >dnssec.zsk.id zone=manykeys. infile=manykeys.db.in @@ -36,10 +36,10 @@ zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone") ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone") zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone") # Sign deliberately with a very short expiration date. -"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1 -keyfile_to_key_id "$ksk8" > manykeys.ksk8.id -keyfile_to_key_id "$zsk8" > manykeys.zsk8.id -keyfile_to_key_id "$ksk13" > manykeys.ksk13.id -keyfile_to_key_id "$zsk13" > manykeys.zsk13.id -keyfile_to_key_id "$ksk14" > manykeys.ksk14.id -keyfile_to_key_id "$zsk14" > manykeys.zsk14.id +"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +keyfile_to_key_id "$ksk8" >manykeys.ksk8.id +keyfile_to_key_id "$zsk8" >manykeys.zsk8.id +keyfile_to_key_id "$ksk13" >manykeys.ksk13.id +keyfile_to_key_id "$zsk13" >manykeys.zsk13.id +keyfile_to_key_id "$ksk14" >manykeys.ksk14.id +keyfile_to_key_id "$zsk14" >manykeys.zsk14.id diff --git a/bin/tests/system/statschannel/prereq.sh b/bin/tests/system/statschannel/prereq.sh new file mode 100644 index 0000000..a0ad7a9 --- /dev/null +++ b/bin/tests/system/statschannel/prereq.sh 
@@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +if ! ${PERL} -MFile::Fetch -e ''; then + echo_i "perl File::Fetch module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/statschannel/setup.sh b/bin/tests/system/statschannel/setup.sh index f5ef3ee..f304fdf 100644 --- a/bin/tests/system/statschannel/setup.sh +++ b/bin/tests/system/statschannel/setup.sh @@ -15,7 +15,7 @@ . ../conf.sh for conf in ns*/named.conf.in; do - copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)" + copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)" done (cd ns2 && $SHELL sign.sh) diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh index f06cad4..dad9f34 100644 --- a/bin/tests/system/statschannel/tests.sh +++ b/bin/tests/system/statschannel/tests.sh 
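Review bot: The two `${PERL} -M... -e ''` checks in the new prereq.sh run whatever `PERL` expands to, unquoted and without verifying it is set; if `../conf.sh` leaves `PERL` empty, the shell tries to execute `-MNet::DNS` itself, the script exits 1, and the message blames a missing Net::DNS module rather than a missing interpreter. Adding `: "${PERL:?PERL is not set by conf.sh}"` right after the `. ../conf.sh` line, and quoting the expansion as `"${PERL}"`, gives an accurate diagnostic. Whether conf.sh always provides `PERL` is not visible here.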
@@ -17,71 +17,69 @@ set -e . ../conf.sh DIGCMD="$DIG @10.53.0.2 -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -if ! $FEATURETEST --have-json-c -then - unset PERL_JSON - echo_i "JSON was not configured; skipping" >&2 -elif $PERL -e 'use JSON;' 2>/dev/null -then - PERL_JSON=1 +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +if ! $FEATURETEST --have-json-c; then + unset PERL_JSON + echo_i "JSON was not configured; skipping" >&2 +elif $PERL -e 'use JSON;' 2>/dev/null; then + PERL_JSON=1 else - unset PERL_JSON - echo_i "JSON tests require JSON library; skipping" >&2 + unset PERL_JSON + echo_i "JSON tests require JSON library; skipping" >&2 fi -if ! $FEATURETEST --have-libxml2 -then - unset PERL_XML - echo_i "XML was not configured; skipping" >&2 -elif $PERL -e 'use XML::Simple;' 2>/dev/null -then - PERL_XML=1 +if ! $FEATURETEST --have-libxml2; then + unset PERL_XML + echo_i "XML was not configured; skipping" >&2 +elif $PERL -e 'use XML::Simple;' 2>/dev/null; then + PERL_XML=1 else - unset PERL_XML - echo_i "XML tests require XML::Simple; skipping" >&2 + unset PERL_XML + echo_i "XML tests require XML::Simple; skipping" >&2 fi if [ ! "$PERL_JSON" ] && [ ! "$PERL_XML" ]; then - echo_i "skipping all tests" - exit 0 + echo_i "skipping all tests" + exit 0 fi - getzones() { - sleep 1 - echo_i "... using $1" - case $1 in - xml) path='xml/v3/zones' ;; - json) path='json/v1/zones' ;; - *) return 1 ;; - esac - file=$($PERL fetch.pl -p ${EXTRAPORT1} $path) - cp $file $file.$1.$3 - { $PERL zones-${1}.pl $file $2 2>/dev/null | sort > zones.out.$3; result=$?; } || true - return $result + sleep 1 + echo_i "... using $1" + case $1 in + xml) path='xml/v3/zones' ;; + json) path='json/v1/zones' ;; + *) return 1 ;; + esac + file=$($PERL fetch.pl -p ${EXTRAPORT1} $path) + cp $file $file.$1.$3 + { + $PERL zones-${1}.pl $file $2 2>/dev/null | sort >zones.out.$3 + result=$? 
+ } || true + return $result } # TODO: Move loadkeys_on to conf.sh.common loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run > /dev/null - $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run >/dev/null + $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run } # verify that the http server dropped the connection without replying check_http_dropped() { - if [ -x "${NC}" ] ; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" > nc.out$n || ret=1 - if test -s nc.out$n; then - ret=1 - fi - else - echo_i "skipping test as nc not found" + if [ -x "${NC}" ]; then + "${NC}" 10.53.0.3 "${EXTRAPORT1}" >nc.out$n || ret=1 + if test -s nc.out$n; then + ret=1 fi + else + echo_i "skipping test as nc not found" + fi } status=0 @@ -133,12 +131,12 @@ n=$((n + 1)) echo_i "Prepare for if-modified-since test ($n)" ret=0 i=0 -if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then - URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" - ${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL - ret=$? +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + ${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL + ret=$? else - echo_i "skipping test: requires libxml2 and curl" + echo_i "skipping test: requires libxml2 and curl" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
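Review bot: In the reflowed `getzones`, `result=$?` on the line after the pipeline still records the exit status of `sort`, not of `zones-${1}.pl`, so a failure of the Perl script (whose stderr is discarded) yields an empty `zones.out.$3` and a zero return; the `set -e` at the top of the file does not apply inside the `{ ...; } || true` group, and `pipefail` may not be available if this runs under a POSIX sh. Splitting the pipeline keeps the status: `result=0`, `$PERL zones-${1}.pl $file $2 >zones.raw.$3 2>/dev/null || result=$?`, `sort zones.raw.$3 >zones.out.$3` (the `zones.raw` name is a placeholder). The same masking affects `$RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed ... | cat_i` in `loadkeys_on`, where an rndc failure disappears behind `cat_i`.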
@@ -147,38 +145,38 @@ n=$((n + 1)) echo_i "checking consistency between named.stats and xml/json ($n)" ret=0 rm -f ns2/named.stats -$DIGCMD +tcp example ns > dig.out.$n || ret=1 +$DIGCMD +tcp example ns >dig.out.$n || ret=1 $RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /' query_count=$(awk '/QUERY/ {print $1}' ns2/named.stats) txt_count=$(awk '/TXT/ {print $1}' ns2/named.stats) noerror_count=$(awk '/NOERROR/ {print $1}' ns2/named.stats) if [ $PERL_XML ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server) - mv $file xml.stats - $PERL server-xml.pl > xml.fmtstats 2> /dev/null - xml_query_count=$(awk '/opcode QUERY/ { print $NF }' xml.fmtstats) - xml_query_count=${xml_query_count:-0} - [ "$query_count" -eq "$xml_query_count" ] || ret=1 - xml_txt_count=$(awk '/qtype TXT/ { print $NF }' xml.fmtstats) - xml_txt_count=${xml_txt_count:-0} - [ "$txt_count" -eq "$xml_txt_count" ] || ret=1 - xml_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' xml.fmtstats) - xml_noerror_count=${xml_noerror_count:-0} - [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server) + mv $file xml.stats + $PERL server-xml.pl >xml.fmtstats 2>/dev/null + xml_query_count=$(awk '/opcode QUERY/ { print $NF }' xml.fmtstats) + xml_query_count=${xml_query_count:-0} + [ "$query_count" -eq "$xml_query_count" ] || ret=1 + xml_txt_count=$(awk '/qtype TXT/ { print $NF }' xml.fmtstats) + xml_txt_count=${xml_txt_count:-0} + [ "$txt_count" -eq "$xml_txt_count" ] || ret=1 + xml_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' xml.fmtstats) + xml_noerror_count=${xml_noerror_count:-0} + [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1 fi if [ $PERL_JSON ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/server) - mv $file json.stats - $PERL server-json.pl > json.fmtstats 2> /dev/null - json_query_count=$(awk '/opcode QUERY/ { print $NF }' json.fmtstats) - json_query_count=${json_query_count:-0} - [ "$query_count" -eq "$json_query_count" 
] || ret=1 - json_txt_count=$(awk '/qtype TXT/ { print $NF }' json.fmtstats) - json_txt_count=${json_txt_count:-0} - [ "$txt_count" -eq "$json_txt_count" ] || ret=1 - json_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' json.fmtstats) - json_noerror_count=${json_noerror_count:-0} - [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/server) + mv $file json.stats + $PERL server-json.pl >json.fmtstats 2>/dev/null + json_query_count=$(awk '/opcode QUERY/ { print $NF }' json.fmtstats) + json_query_count=${json_query_count:-0} + [ "$query_count" -eq "$json_query_count" ] || ret=1 + json_txt_count=$(awk '/qtype TXT/ { print $NF }' json.fmtstats) + json_txt_count=${json_txt_count:-0} + [ "$txt_count" -eq "$json_txt_count" ] || ret=1 + json_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' json.fmtstats) + json_noerror_count=${json_noerror_count:-0} + [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -187,19 +185,19 @@ n=$((n + 1)) ret=0 echo_i "checking malloced memory statistics xml/json ($n)" if [ $PERL_XML ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem) - mv $file xml.mem - $PERL mem-xml.pl $file > xml.fmtmem - grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 - grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 - grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem) + mv $file xml.mem + $PERL mem-xml.pl $file >xml.fmtmem + grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 + grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 + grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 fi if [ $PERL_JSON ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem) - mv $file json.mem - grep '"malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 - grep '"maxmalloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 - grep '"Malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem) + mv $file json.mem + grep '"malloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 + grep '"maxmalloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 + grep '"Malloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -207,48 +205,46 @@ n=$((n + 1)) echo_i "checking consistency between regular and compressed output ($n)" ret=0 -if [ -x "${CURL}" ] ; then - for i in 1 2 3 4 5; do - ret=0 - if $FEATURETEST --have-libxml2; - then - URL="http://10.53.0.2:${EXTRAPORT1}/xml/v3/server" - filter_str='s#.*##g' - else - URL="http://10.53.0.2:${EXTRAPORT1}/json/v1/server" - filter_str='s#"current-time.*",##g' - fi - "${CURL}" -D regular.headers "$URL" 2>/dev/null | \ - sed -e "$filter_str" > regular.out || ret=1 - "${CURL}" -D compressed.headers --compressed "$URL" 2>/dev/null | \ - sed -e "$filter_str" > compressed.out || ret=1 - diff regular.out compressed.out >/dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed on try $i, probably a timing issue, trying again" - sleep 1 - else - break - fi - done +if [ -x "${CURL}" ]; then + for i in 1 2 3 4 5; do + ret=0 + if $FEATURETEST --have-libxml2; then + URL="http://10.53.0.2:${EXTRAPORT1}/xml/v3/server" + filter_str='s#.*##g' + else + URL="http://10.53.0.2:${EXTRAPORT1}/json/v1/server" + filter_str='s#"current-time.*",##g' + fi + "${CURL}" -D regular.headers "$URL" 2>/dev/null \ + | sed -e "$filter_str" >regular.out || ret=1 + "${CURL}" -D compressed.headers --compressed "$URL" 2>/dev/null \ + | sed -e "$filter_str" >compressed.out || ret=1 + diff regular.out compressed.out >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "failed on try $i, probably a timing issue, trying again" + sleep 1 + else + break + fi + done else - echo_i "skipping test as curl not found" + echo_i "skipping test as curl not found" fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking if compressed output is really compressed ($n)" -if $FEATURETEST --with-zlib; -then - REGSIZE=$(cat regular.headers | \ - grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") - COMPSIZE=$(cat compressed.headers | \ - grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") - if [ ! 
$((REGSIZE / COMPSIZE)) -gt 2 ]; then - ret=1 - fi +if $FEATURETEST --with-zlib; then + REGSIZE=$(cat regular.headers \ + | grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") + COMPSIZE=$(cat compressed.headers \ + | grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") + if [ ! $((REGSIZE / COMPSIZE)) -gt 2 ]; then + ret=1 + fi else - echo_i "skipped" + echo_i "skipped" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -266,21 +262,21 @@ ret=0 # The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSK and one # RRset (DNSKEY) with the KSK. So starting named with signatures that expire # almost right away, this should trigger 10 zsk and 1 ksk sign operations. -echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 10" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 10" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 10" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -289,28 +285,28 @@ n=$((n + 1)) # Test sign operations after dynamic update. ret=0 ( -# Update dnssec zone to trigger signature creation. -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + # Update dnssec zone to trigger signature creation. + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # This should trigger the resign of SOA, TXT and NSEC (+3 zsk). -echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 13" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 10" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 13" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after dynamic update ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -321,23 +317,23 @@ ret=0 echo_i "fetch zone '$zone' stats data after updating DNSKEY RRset ($n)" # Add a standby DNSKEY, this triggers resigning the DNSKEY RRset. zsk=$("$KEYGEN" -K ns2 -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -$SETTIME -K ns2 -P now -A never $zsk.key > /dev/null +$SETTIME -K ns2 -P now -A never $zsk.key >/dev/null loadkeys_on 2 $zone || ret=1 # This should trigger the resign of SOA (+1 zsk) and DNSKEY (+1 ksk). -echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 2" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 14" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 2" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 11" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 2" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 14" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 2" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -356,29 +352,29 @@ zsk14_id=$(cat ns2/$zone.zsk14.id) # RRset (DNSKEY) with the KSKs. So starting named with signatures that expire # almost right away, this should trigger 10 zsk and 1 ksk sign operations per # key. -echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect -echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 10" >> zones.expect -echo "${sign_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${sign_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect +echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect +echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. 
echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -387,36 +383,36 @@ n=$((n + 1)) # Test sign operations after dynamic update (many keys). ret=0 ( -# Update dnssec zone to trigger signature creation. -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + # Update dnssec zone to trigger signature creation. + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # This should trigger the resign of SOA, TXT and NSEC (+3 zsk). -echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect -echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 13" >> zones.expect -echo "${sign_prefix} ${zsk13_id}: 13" >> zones.expect -echo "${sign_prefix} ${zsk14_id}: 13" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect +echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect +echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect +echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. 
echo_i "fetching zone '$zone' stats data after dynamic update ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -431,21 +427,21 @@ $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /' # be cleared and thus no longer visible. But NSEC and SOA are (mistakenly) # counted double, one time because of zone_resigninc and one time because of # zone_nsec3chain. So +5 zsk in total. -echo "${refresh_prefix} ${zsk8_id}: 15" > zones.expect -echo "${refresh_prefix} ${ksk8_id}: 2" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 18" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 2" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect +echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after dnssec-policy change ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -453,8 +449,8 @@ n=$((n + 1)) echo_i "Check HTTP/1.1 client-side pipelined requests are handled (GET) ($n)" ret=0 -if [ -x "${NC}" ] ; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" << EOF > nc.out$n || ret=1 +if [ -x "${NC}" ]; then + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <nc.out$n || ret=1 GET /xml/v3/status HTTP/1.1 Host: 10.53.0.3:${EXTRAPORT1} @@ -463,15 +459,15 @@ Host: 10.53.0.3:${EXTRAPORT1} Connection: close EOF - lines=$(grep -c "^ nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <nc.out$n || ret=1 POST /xml/v3/status HTTP/1.1 Host: 10.53.0.3:${EXTRAPORT1} Content-Type: application/json @@ -495,15 +491,15 @@ Connection: close {} EOF - lines=$(grep -c "^ nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <nc.out$n || ret=1 GET /xml/v3/status HTTP/1.0 Connection: keep-alive GET /xml/v3/status HTTP/1.0 EOF - # should be two responses - lines=$(grep -c "^ nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <nc.out$n || ret=1 GET /xml/v3/status HTTP/1.0 Connection: keep-alive Connection: close 
@@ -545,46 +541,45 @@ Connection: close GET /xml/v3/status HTTP/1.0 EOF - # should be one response (second is ignored) - lines=$(grep -c "^&1 | grep 'option --next: is unknown'); then - CURL_NEXT="${CURL}" + CURL_NEXT="${CURL}" fi echo_i "Check HTTP with more than 100 headers ($n)" ret=0 i=0 -if [ -x "${CURL_NEXT}" ] ; then - # build input stream. - : > header.in$n - while test $i -lt 101 - do - printf 'X-Bloat%d: VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==\r\n' $i >> header.in$n - i=$((i+1)) - done - printf '\r\n' >> header.in$n - - # send the requests then wait for named to close the socket. - URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" - "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" > curl.out$n && ret=1 - # we expect 1 request to be processed. - lines=$(grep -c "^header.in$n + while test $i -lt 101; do + printf 'X-Bloat%d: VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==\r\n' $i >>header.in$n + i=$((i + 1)) + done + printf '\r\n' >>header.in$n + + # send the requests then wait for named to close the socket. + URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" + "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" >curl.out$n && ret=1 + # we expect 1 request to be processed. + lines=$(grep -c "^ header.in$n - while test $i -lt 5000 - do - printf '%s' "VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==" >> header.in$n - i=$((i+1)) - done - printf '\r\n' >> header.in$n - - # send the requests then wait for named to close the socket. - URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" - "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" > curl.out$n && ret=1 - # we expect 1 request to be processed. 
- lines=$(grep -c "^header.in$n + while test $i -lt 5000; do + printf '%s' "VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==" >>header.in$n + i=$((i + 1)) + done + printf '\r\n' >>header.in$n + + # send the requests then wait for named to close the socket. + URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" + "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" >curl.out$n && ret=1 + # we expect 1 request to be processed. + lines=$(grep -c "^ curl.out$n || ret=1 - grep -a Content-Length curl.out$n | awk 'BEGIN { prev=0; } { if (prev != 0 && $2 - prev > 100) { exit(1); } prev = $2; }' || ret=1 +if [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/json/v1" + "${CURL}" --silent --include --header "Accept-Encoding: deflate, gzip, br, zstd" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" >curl.out$n || ret=1 + grep -a Content-Length curl.out$n | awk 'BEGIN { prev=0; } { if (prev != 0 && $2 - prev > 100) { exit(1); } prev = $2; }' || ret=1 else - echo_i "skipping test as curl not found" + echo_i "skipping test as curl not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -632,21 +626,20 @@ n=$((n + 1)) echo_i "Check if-modified-since works ($n)" ret=0 -if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then - URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" - # ensure over-long time stamps are ignored - ${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \ - --header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789' - if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] || - ! ${CURL} --silent --show-error --fail \ - --output bind9.xsl.3 $URL \ - --time-cond bind9.xsl.1 || - [ -f bind9.xsl.3 ] - then - ret=1 - fi +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + # ensure over-long time stamps are ignored + ${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \ + --header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789' + if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] \ + || ! ${CURL} --silent --show-error --fail \ + --output bind9.xsl.3 $URL \ + --time-cond bind9.xsl.1 \ + || [ -f bind9.xsl.3 ]; then + ret=1 + fi else - echo_i "skipping test: requires libxml2 and curl" + echo_i "skipping test: requires libxml2 and curl" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py index c459925..4f7c4a7 100755 --- a/bin/tests/system/statschannel/tests_json.py +++ b/bin/tests/system/statschannel/tests_json.py @@ -15,9 +15,11 @@ from datetime import datetime import pytest -import generic import pytest_custom_markers +pytest.register_assert_rewrite("generic") +import generic + pytestmark = pytest_custom_markers.have_json_c requests = pytest.importorskip("requests") 
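Review bot: The `pytest.register_assert_rewrite("generic")` call placed above `import generic` carries no comment explaining why this import deliberately comes after a statement, which is exactly the ordering a later import sort or "move imports to the top" cleanup will undo, silently losing the rewritten assertion messages for `generic` without any test failing. Rewriting only applies if registration happens before the module is first imported, so a one-line comment such as `# must precede the import: assertion rewriting is only applied to modules imported after registration` would protect it. The identical hunk in bin/tests/system/statschannel/tests_xml.py (`@@ -16,9 +16,11 @@`) needs the same comment.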
@@ -98,8 +100,5 @@ def test_zone_with_many_keys_json(statsport): ) -def test_traffic_json(named_port, statsport): - generic_dnspython = pytest.importorskip("generic_dnspython") - generic_dnspython.test_traffic( - fetch_traffic_json, statsip="10.53.0.2", statsport=statsport, port=named_port - ) +def test_traffic_json(statsport): + generic.test_traffic(fetch_traffic_json, statsip="10.53.0.2", statsport=statsport) diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py index 7f0b37e..5329615 100755 --- a/bin/tests/system/statschannel/tests_xml.py +++ b/bin/tests/system/statschannel/tests_xml.py @@ -16,9 +16,11 @@ import xml.etree.ElementTree as ET import pytest -import generic import pytest_custom_markers +pytest.register_assert_rewrite("generic") +import generic + pytestmark = pytest_custom_markers.have_libxml2 requests = pytest.importorskip("requests") @@ -128,8 +130,5 @@ def test_zone_with_many_keys_xml(statsport): ) -def test_traffic_xml(named_port, statsport): - generic_dnspython = pytest.importorskip("generic_dnspython") - generic_dnspython.test_traffic( - fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport, port=named_port - ) +def test_traffic_xml(statsport): + generic.test_traffic(fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport) diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl index 572f709..24776fb 100644 --- a/bin/tests/system/stop.pl +++ b/bin/tests/system/stop.pl @@ -189,7 +189,7 @@ sub stop_rndc { my $how = $halt ? "halt" : "stop"; # Ugly, but should work. - system("$RNDC -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'"); + system("$RNDC -c ../_common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'"); return; } diff --git a/bin/tests/system/stopall.sh b/bin/tests/system/stopall.sh index 8eaa9d9..19d3f56 100644 --- a/bin/tests/system/stopall.sh +++ b/bin/tests/system/stopall.sh 
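Review bot: `test_traffic_json` drops the `pytest.importorskip("generic_dnspython")` guard together with the `named_port` fixture, so if `generic.test_traffic` still relies on dnspython, a missing module now surfaces as an error in this test rather than a skip; that is only correct if `generic` no longer imports dnspython, and its definition is not in this diff, so it cannot be confirmed here. The removed `port=named_port` keyword likewise implies `generic.test_traffic` now obtains the named listening port some other way, which is worth a short comment at the call, e.g. `# generic.test_traffic resolves the named port itself; only the stats channel is passed`. The same applies to `test_traffic_xml` in bin/tests/system/statschannel/tests_xml.py (`@@ -128,8 +130,5 @@`).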
@@ -17,7 +17,6 @@ . ./conf.sh -for d in $SUBDIRS -do - $SHELL stop.sh $d +for d in $SUBDIRS; do + $SHELL stop.sh $d done diff --git a/bin/tests/system/stress/prereq.sh b/bin/tests/system/stress/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/stress/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/stress/tests_stress_update.py b/bin/tests/system/stress/tests_stress_update.py index d326f14..46ac1c9 100644 --- a/bin/tests/system/stress/tests_stress_update.py +++ b/bin/tests/system/stress/tests_stress_update.py @@ -24,7 +24,7 @@ def rndc_loop(test_state, server): cmdline = [ rndc, "-c", - "../common/rndc.conf", + "../_common/rndc.conf", "-p", port, "-s", diff --git a/bin/tests/system/stub/ns2/named.conf.in b/bin/tests/system/stub/ns2/named.conf.in index 1f006e0..3aa1e66 100644 --- a/bin/tests/system/stub/ns2/named.conf.in +++ b/bin/tests/system/stub/ns2/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "child.example" { diff --git a/bin/tests/system/stub/ns3/named.conf.in b/bin/tests/system/stub/ns3/named.conf.in index e8e432f..a8e692f 100644 --- a/bin/tests/system/stub/ns3/named.conf.in +++ b/bin/tests/system/stub/ns3/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { 
diff --git a/bin/tests/system/stub/ns5/named.conf.in b/bin/tests/system/stub/ns5/named.conf.in index 39e38cc..ce1021b 100644 --- a/bin/tests/system/stub/ns5/named.conf.in +++ b/bin/tests/system/stub/ns5/named.conf.in @@ -24,7 +24,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/stub/tests.sh b/bin/tests/system/stub/tests.sh index 9a9ca66..c9071dd 100644 --- a/bin/tests/system/stub/tests.sh +++ b/bin/tests/system/stub/tests.sh 
@@ -19,69 +19,81 @@ DIGOPTS="+tcp -p ${PORT}" status=0 echo_i "check that the stub zone has been saved to disk" -for i in 1 2 3 4 5 6 7 8 9 20 -do - [ -f ns3/child.example.st ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 20; do + [ -f ns3/child.example.st ] && break + sleep 1 done -[ -f ns3/child.example.st ] || { status=1; echo_i "failed"; } +[ -f ns3/child.example.st ] || { + status=1 + echo_i "failed" +} -for pass in 1 2 -do +for pass in 1 2; do -echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)" -ret=0 -$DIG $DIGOPTS child.example. @10.53.0.3 axfr > dig.out.ns3 || ret=1 -grep "; Transfer failed." dig.out.ns3 > /dev/null || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)" + ret=0 + $DIG $DIGOPTS child.example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 + grep "; Transfer failed." dig.out.ns3 >/dev/null || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS +norec data.child.example. \ - @10.53.0.3 txt > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - [ $ret = 0 ] && break - sleep 1 -done -digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)" + for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS +norec data.child.example. \ + @10.53.0.3 txt >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + [ $ret = 0 ] && break + sleep 1 + done + digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -echo_i "look for stub zone data with recursion (should be found) (pass=$pass)" -ret=0 -$DIG $DIGOPTS +noauth +noadd data.child.example. 
@10.53.0.3 txt > dig.out.ns3 || ret=1 -digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "look for stub zone data with recursion (should be found) (pass=$pass)" + ret=0 + $DIG $DIGOPTS +noauth +noadd data.child.example. @10.53.0.3 txt >dig.out.ns3 || ret=1 + digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -[ $pass = 1 ] && { - echo_i "stopping stub server" - stop_server ns3 + [ $pass = 1 ] && { + echo_i "stopping stub server" + stop_server ns3 - echo_i "re-starting stub server" - start_server --noclean --restart --port ${PORT} ns3 -} + echo_i "re-starting stub server" + start_server --noclean --restart --port ${PORT} ns3 + } done echo_i "check that glue record is correctly transferred from primary when minimal-responses is on" ret=0 # First ensure that zone data was transfered. for i in 1 2 3 4 5 6 7; do - [ -f ns5/example.db ] && break - sleep 1 + [ -f ns5/example.db ] && break + sleep 1 done if [ -f ns5/example.db ]; then - # If NS glue wasn't transferred, this query would fail. - $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt > dig.out.ns5 || ret=1 - grep 'target\.example.*TXT.*"test"' dig.out.ns5 > /dev/null || ret=1 - # Ensure both ipv4 and ipv6 glue records were transferred. - grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db > /dev/null || ret=1 - grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db > /dev/null || ret=1 - [ $ret = 0 ] || { status=1; echo_i "failed"; } -else + # If NS glue wasn't transferred, this query would fail. + $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt >dig.out.ns5 || ret=1 + grep 'target\.example.*TXT.*"test"' dig.out.ns5 >/dev/null || ret=1 + # Ensure both ipv4 and ipv6 glue records were transferred. 
+ grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db >/dev/null || ret=1 + grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db >/dev/null || ret=1 + [ $ret = 0 ] || { status=1 - echo_i "failed: stub zone transfer failed ns4(primary) <---> ns5/example.db" + echo_i "failed" + } +else + status=1 + echo_i "failed: stub zone transfer failed ns4(primary) <---> ns5/example.db" fi echo_i "exit status: $status" diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index 9f699a0..264e504 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh 
@@ -19,58 +19,58 @@ infile=example.db.in zonefile=example.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" -echo insecure NS ns1.insecure >> "$zonefile" -echo ns1.insecure A 10.53.0.1 >> "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" +echo insecure NS ns1.insecure >>"$zonefile" +echo ns1.insecure A 10.53.0.1 >>"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=insecure.example infile=example.db.in zonefile=insecure.example.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=dnamed infile=dnamed.db.in zonefile=dnamed.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=minimal infile=minimal.db.in zonefile=minimal.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" # do not regenerate NSEC chain as there in a minimal NSEC record present -$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null +$SIGNER -P -Z nonsecify -o $zone $zonefile >/dev/null zone=soa-without-dnskey infile=soa-without-dnskey.db.in zonefile=soa-without-dnskey.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" # do not regenerate NSEC chain as there in a minimal NSEC record present -$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null +$SIGNER -P -Z nonsecify -o $zone $zonefile >/dev/null zone=. 
infile=root.db.in zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh index d109871..5d0ddee 100644 --- a/bin/tests/system/synthfromdnssec/setup.sh +++ b/bin/tests/system/synthfromdnssec/setup.sh @@ -24,6 +24,6 @@ copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index 1bfd00b..e4b77e4 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -16,7 +16,7 @@ # shellcheck source=conf.sh . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" set -e 
@@ -27,878 +27,867 @@ synth_default=yes rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } check_ad_flag() { - if [ ${1} = yes ] - then - grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1 - else - grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1 - fi - return 0 + if [ ${1} = yes ]; then + grep "flags:[^;]* ad[^;]*; QUERY" ${2} >/dev/null || return 1 + else + grep "flags:[^;]* ad[^;]*; QUERY" ${2} >/dev/null && return 1 + fi + return 0 } check_status() { - grep "status: ${1}," ${2} > /dev/null || return 1 - return 0 + grep "status: ${1}," ${2} >/dev/null || return 1 + return 0 } check_synth_soa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.SOA" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.SOA" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_soa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.SOA" ${2} >/dev/null || return 1 + return 0 ) check_synth_a() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.A.[0-2]" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_a() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.A.[0-2]" ${2} >/dev/null || return 1 + return 0 ) check_synth_aaaa() ( - name=$(echo 
"$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.AAAA" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.A" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_aaaa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.AAAA" ${2} >/dev/null || return 1 + return 0 ) check_synth_cname() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.CNAME" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.CNAME" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_cname() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.CNAME" ${2} >/dev/null || return 1 + return 0 ) check_auth_count() { - grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1 - return 0 + grep "AUTHORITY: ${1}," ${2} >/dev/null || return 1 + return 0 } -for ns in 2 4 5 6 -do - case $ns in - 2) ad=yes; description="";; - 4) ad=yes; description="no";; - 5) ad=yes; description="yes";; - 6) ad=no; description="yes; dnssec-validation no";; - *) exit 1;; - esac - echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. 
dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-1-nsec.example. 
@10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. 
dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-1-nsec.insecure.example. 
@10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nxdomain.minimal. 
@10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa soa-without-dnskey. 
dig.out.ns${ns}.test$n || ret=1 - grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for ns in 2 4 5 6; do + case $ns in + 2) + ad=yes + description="" + ;; + 4) + ad=yes + description="no" + ;; + 5) + ad=yes + description="yes" + ;; + 6) + ad=no + description="yes; dnssec-validation no" + ;; + *) exit 1 ;; + esac + echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.example. 
dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wild.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildcname.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata1nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. 
dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata2nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >wildnodata2nsecafterdata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. 
dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wild.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wildcname.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. 
dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >insecure.wildnodata2nsecafterdata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nxdomain.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. 
RRSIG NSEC" dig.out.ns${ns}.test$n >/dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts black.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n >/dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. 
NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "prime redirect response (+nodnssec) (synth-from-dnssec ;) ($n)" ret=0 -dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +nodnssec a.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag no dig.out.ns3.test$n || ret=1 check_status NOERROR dig.out.ns3.test$n || ret=1 -grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # ensure TTL of synthesised answers differs from direct answers. # sleep 1 -for ns in 2 4 5 6 -do - case $ns in - 2) ad=yes synth=${synth_default} description="";; - 4) ad=yes synth=no description="no";; - 5) ad=yes synth=yes description="yes";; - 6) ad=no synth=no description="yes; dnssec-validation no";; - *) exit 1;; +for ns in 2 4 5 6; do + case $ns in + 2) ad=yes synth=${synth_default} description="" ;; + 4) ad=yes synth=no description="no" ;; + 5) ad=yes synth=yes description="yes" ;; + 6) ad=no synth=no description="yes; dnssec-validation no" ;; + *) exit 1 ;; + esac + echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A >/dev/null && ret=1 + else + check_nosynth_soa example. 
dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A >/dev/null || ret=1 + fi + digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts nodata.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null || ret=1 + fi + digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null && ret=1 + else + check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null || ret=1 + fi + digcomp wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-cname.example. 
@10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]; then
+ check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null && ret=1
+ else
+ check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null || ret=1
+ fi
+ grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
+ digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]; then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null || ret=1
+ fi
+ digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]; then
+ check_synth_soa example. 
dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null || ret=1
+ fi
+ digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]; then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null || ret=1
+ fi
+ digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.insecure.example. 
@10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.insecure.example/A >/dev/null || ret=1
+ digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.insecure.example/AAAA >/dev/null || ret=1
+ digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
+ nextpart ns1/named.run | grep b.wild-a.insecure.example/A >/dev/null || ret=1
+ digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-cname.insecure.example. 
@10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.insecure.example/A >/dev/null || ret=1
+ grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
+ digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. 
@10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nxdomaic.minimal/A >/dev/null || ret=1
+ digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run >/dev/null
+ dig_with_opts black.minimal. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. 
dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep black.minimal/AAAA >/dev/null || ret=1
+ digcomp black.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
+ n=$((n + 1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
+ echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} A >dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. 
NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" + ret=0 + ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i + # 2 views, _bind should always be '0 covering nsec returned' + count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) + if [ ${synth} = yes ]; then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + ret=0 + # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' + count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + if [ ${ad} = yes ]; then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in NXDOMAIN no-data wildcard; do + case $synthesized in + NXDOMAIN) count=1 ;; + no-data) count=4 ;; + wildcard) count=2 ;; esac - echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1 - else - check_nosynth_soa example. 
dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1 - fi - digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1 - else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1 - fi - digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1 + if [ ${synth} = yes ]; then + grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null || ret=1 else - check_nosynth_a b.wild-a.example. 
dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1 + grep "synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null && ret=1 fi - digcomp wild.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) + done - echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ]; then + echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1 - else - check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1 - fi - grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + xml=xml.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server >$xml 2>/dev/null || ret=1 + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-1-nsec.example. 
@10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1 + counter=$(sed -n 's;.*.*\([0-9]*\).*0<" | wc -l) + if [ ${synth} = yes ]; then + test $zero = 0 || ret=1 else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1 + test $zero = 1 || ret=1 fi - digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1 + counter=$(sed -n 's;.*.*\([0-9]*\).*0<" | wc -l) + if [ ${ad} = yes ]; then + test $zero = 0 || ret=1 else - check_nosynth_soa example. 
dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1 + test $zero = 1 || ret=1 fi - digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record - dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 - check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 - # - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1 - else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1 - fi - digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. 
dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1 - digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1 - digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1 - digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-cname.insecure.example. 
@10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1 - grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec-afterdata.insecure.example. 
@10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 - check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 - # - dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1 - digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. 
dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 - digcomp black.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 - grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. 
NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" - ret=0 - ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i - # 2 views, _bind should always be '0 covering nsec returned' - count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do + case $synthesized in + SynthNXDOMAIN) count=1 ;; + SynthNODATA) count=4 ;; + SynthWILDCARD) count=2 ;; + esac + + echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ]; then + grep ''$count'' $xml >/dev/null || ret=1 + else + grep ''0'' $xml >/dev/null || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done + else + echo_i "Skipping XML statistics checks" + fi + + if $FEATURETEST --have-json-c && [ -x "${CURL}" ]; then + echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + json=json.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server >$json 2>/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CoveringNSEC":' $json | wc -l) test $count = 2 || ret=1 - zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) - if [ ${synth} = yes ] - then - test $zero = 1 || ret=1 + zero=$(grep '"CoveringNSEC":0' $json | wc -l) + if [ ${synth} = yes ]; then + test $zero = 1 || ret=1 else - test $zero = 2 || ret=1 + test $zero = 2 || ret=1 fi - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + 
status=$((status + ret)) - echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" ret=0 - # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' - count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + count=$(grep '"CacheNSECNodes":' $json | wc -l) test $count = 2 || ret=1 - zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) - if [ ${ad} = yes ] - then - test $zero = 1 || ret=1 + zero=$(grep '"CacheNSECNodes":0' $json | wc -l) + if [ ${ad} = yes ]; then + test $zero = 1 || ret=1 else - test $zero = 2 || ret=1 + test $zero = 2 || ret=1 fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in NXDOMAIN no-data wildcard - do - case $synthesized in - NXDOMAIN) count=1;; - no-data) count=4;; - wildcard) count=2;; - esac - echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1 - else - grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - - if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then - echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" - ret=0 - xml=xml.out$n - ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" - ret=0 - counter=$(sed -n 's;.*.*\([0-9]*\).*0<" | wc -l) - if [ ${synth} = yes ] - then - test $zero = 0 || ret=1 - else 
- test $zero = 1 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" - ret=0 - counter=$(sed -n 's;.*.*\([0-9]*\).*0<" | wc -l) - if [ ${ad} = yes ] - then - test $zero = 0 || ret=1 - else - test $zero = 1 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD - do - case $synthesized in - SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; - SynthWILDCARD) count=2;; - esac - - echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep ''$count'' $xml > /dev/null || ret=1 - else - grep ''0'' $xml > /dev/null || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - else - echo_i "Skipping XML statistics checks" - fi - - if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then - echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" - ret=0 - json=json.out$n - ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" - ret=0 - count=$(grep '"CoveringNSEC":' $json | wc -l) - test $count = 2 || ret=1 - zero=$(grep '"CoveringNSEC":0' $json | wc -l) - if [ ${synth} = yes ] - then - test $zero = 1 || ret=1 - else - test $zero = 2 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" - ret=0 - count=$(grep '"CacheNSECNodes":' $json | wc -l) - test $count = 2 || ret=1 - zero=$(grep '"CacheNSECNodes":0' $json | wc -l) - if [ ${ad} = yes ] - then - test $zero = 1 || ret=1 
- else - test $zero = 2 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD - do - case $synthesized in - SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; - SynthWILDCARD) count=2;; - esac - - echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1 - else - grep '"'$synthesized'":' $json > /dev/null && ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - else - echo_i "Skipping JSON statistics checks" - fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do + case $synthesized in + SynthNXDOMAIN) count=1 ;; + SynthNODATA) count=4 ;; + SynthWILDCARD) count=2 ;; + esac + + echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ]; then + grep '"'$synthesized'":'$count'' $json >/dev/null || ret=1 + else + grep '"'$synthesized'":' $json >/dev/null && ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done + else + echo_i "Skipping JSON statistics checks" + fi done echo_i "check redirect response (+dnssec) (synth-from-dnssec ;) ($n)" ret=0 synth=${synth_default} -dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts b.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag yes dig.out.ns3.test$n || ret=1 check_status NXDOMAIN dig.out.ns3.test$n || ret=1 -if [ ${synth} = yes ] -then - check_synth_soa . dig.out.ns3.test$n || ret=1 +if [ ${synth} = yes ]; then + check_synth_soa . dig.out.ns3.test$n || ret=1 else - check_nosynth_soa . dig.out.ns3.test$n || ret=1 + check_nosynth_soa . 
dig.out.ns3.test$n || ret=1 fi -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check redirect response (+nodnssec) (synth-from-dnssec ;) ($n)" ret=0 -dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +nodnssec b.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag no dig.out.ns3.test$n || ret=1 check_status NOERROR dig.out.ns3.test$n || ret=1 -grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" ret=0 -dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 -dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts dnamed.example. ns @10.53.0.5 >dig.out.ns5.test$n || ret=1 +dig_with_opts a.dnamed.example. a @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 check_status NOERROR dig.out.ns5-1.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "regression test for CVE-2022-0635 ($n)" ret=0 # add DNAME to cache -dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts dname.dnamed. dname @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1 # add A record to cache at name before DNAME owner -dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +dig_with_opts a.dnamed. a @10.53.0.5 >dig.out.ns5-2.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 # add NSEC record to cache at name before DNAME owner -dig_with_opts a.dnamed. 
aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1 +dig_with_opts a.dnamed. aaaa @10.53.0.5 >dig.out.ns5-3.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1 # wait for NSEC to timeout sleep 6 # use DNAME for lookup -dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1 +dig_with_opts b.dname.dnamed a @10.53.0.5 >dig.out.ns5-4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)" ret=0 #prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' -dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts internal @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 #perform lookup in grafted zone -dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +dig_with_opts example.internal @10.53.0.5 >dig.out.ns5-2.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)" ret=0 #prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' -dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts internal @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 grep '^fun\..*NSEC.minimal\. 
' dig.out.ns5-1.test$n >/dev/null || ret=1
 #perform lookup in grafted zone
-dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+dig_with_opts example.internal2 @10.53.0.5 >dig.out.ns5-2.test$n || ret=1
 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
 grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
-n=$((n+1))
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tcp/ns2/named.conf.in b/bin/tests/system/tcp/ns2/named.conf.in
index 0a97093..65c1f40 100644
--- a/bin/tests/system/tcp/ns2/named.conf.in
+++ b/bin/tests/system/tcp/ns2/named.conf.in
@@ -37,7 +37,7 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
 
 zone "example" {
diff --git a/bin/tests/system/tcp/ns3/named.conf.in b/bin/tests/system/tcp/ns3/named.conf.in
index 8516d72..82ba791 100644
--- a/bin/tests/system/tcp/ns3/named.conf.in
+++ b/bin/tests/system/tcp/ns3/named.conf.in
@@ -38,5 +38,5 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/tcp/ns4/named.conf.in b/bin/tests/system/tcp/ns4/named.conf.in
index a7758cc..5982230 100644
--- a/bin/tests/system/tcp/ns4/named.conf.in
+++ b/bin/tests/system/tcp/ns4/named.conf.in
@@ -40,5 +40,5 @@ controls {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/tcp/ns5/named.conf.in b/bin/tests/system/tcp/ns5/named.conf.in
index bd754f7..05e56f7 100644
--- a/bin/tests/system/tcp/ns5/named.conf.in
+++ b/bin/tests/system/tcp/ns5/named.conf.in
@@ -41,5 +41,5 @@ options {
 
 zone "." {
 type hint;
- file "../../common/root.hint";
+ file "../../_common/root.hint";
 };
diff --git a/bin/tests/system/tcp/tests.sh b/bin/tests/system/tcp/tests.sh index 12ca679..2e7d30e 100644 --- a/bin/tests/system/tcp/tests.sh +++ b/bin/tests/system/tcp/tests.sh @@ -17,11 +17,11 @@ set -e . ../conf.sh dig_with_opts() { - "${DIG}" -p "${PORT}" "$@" + "${DIG}" -p "${PORT}" "$@" } rndccmd() { - "${RNDC}" -p "${CONTROLPORT}" -c ../common/rndc.conf -s "$@" + "${RNDC}" -p "${CONTROLPORT}" -c ../_common/rndc.conf -s "$@" } status=0 @@ -42,7 +42,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking TCP request statistics (resolver) ($n)" ret=0 -dig_with_opts @10.53.0.3 txt.example. > dig.out.test$n +dig_with_opts @10.53.0.3 txt.example. >dig.out.test$n sleep 1 rndccmd 10.53.0.1 stats || ret=1 rndccmd 10.53.0.2 stats || ret=1 @@ -58,7 +58,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking TCP request statistics (forwarder) ($n)" ret=0 -dig_with_opts @10.53.0.4 txt.example. > dig.out.test$n +dig_with_opts @10.53.0.4 txt.example. >dig.out.test$n sleep 1 rndccmd 10.53.0.1 stats || ret=1 rndccmd 10.53.0.2 stats || ret=1 
@@ -67,36 +67,36 @@ mv ns2/named.stats ns2/named.stats.test$n ntcp12="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')" ntcp22="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')" if [ "$ntcp11" -ne "$ntcp12" ]; then ret=1; fi -if [ "$ntcp21" -ge "$ntcp22" ];then ret=1; fi +if [ "$ntcp21" -ge "$ntcp22" ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # -------- TCP high-water tests ---------- refresh_tcp_stats() { - rndccmd 10.53.0.5 status > rndc.out.$n || ret=1 - TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)" - TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)" - TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)" + rndccmd 10.53.0.5 status >rndc.out.$n || ret=1 + TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)" + TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)" + TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)" } # Send a command to the tool script listening on 10.53.0.6. send_command() { - nextpart ans6/ans.run > /dev/null - echo "$*" | send 10.53.0.6 "${CONTROLPORT}" - wait_for_log_peek 10 "result=" ans6/ans.run || ret=1 - if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then - return 1 - fi + nextpart ans6/ans.run >/dev/null + echo "$*" | send 10.53.0.6 "${CONTROLPORT}" + wait_for_log_peek 10 "result=" ans6/ans.run || ret=1 + if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then + return 1 + fi } # Instructs ans6 to open $1 TCP connections to 10.53.0.5. open_connections() { - send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1 + send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1 } # Instructs ans6 to close $1 TCP connections to 10.53.0.5. 
close_connections() { - send_command "close" "${1}" || return 1 + send_command "close" "${1}" || return 1 } # Check TCP connections are working normally before opening @@ -104,8 +104,8 @@ close_connections() { n=$((n + 1)) echo_i "checking TCP query repsonse ($n)" ret=0 -dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 txt.example >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -132,9 +132,9 @@ OLD_TCP_CUR="${TCP_CUR}" TCP_ADDED=9 open_connections "${TCP_ADDED}" || ret=1 check_stats_added() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1 } retry 2 check_stats_added || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -150,9 +150,9 @@ OLD_TCP_HIGH="${TCP_HIGH}" TCP_REMOVED=5 close_connections "${TCP_REMOVED}" || ret=1 check_stats_removed() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1 } retry 2 check_stats_removed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -165,9 +165,9 @@ echo_i "TCP high-water: ensure tcp-clients is an upper bound ($n)" ret=0 open_connections $((TCP_LIMIT + 1)) || ret=1 check_stats_limit() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1 } retry 2 check_stats_limit || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -180,8 +180,8 @@ echo_i "checking TCP response recovery ($n)" ret=0 # "0" closes all connections close_connections 0 || ret=1 -dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 txt.example >dig.out.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -194,8 +194,8 @@ echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)" ret=0 # Avoid logging useless information. rndccmd 10.53.0.1 trace 1 || ret=1 -{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1 ; } | cat_i -dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1 +{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1; } | cat_i +dig_with_opts +tcp @10.53.0.1 txt.example >dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index ceaaf37..aaf793b 100755 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh 
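Review bot: In the last hunk of tcp/tests.sh the `ret=1` inside `{ $PERL ../packet.pl … || ret=1; } | cat_i` is assigned in a pipeline stage, so it runs in a subshell and is discarded; a failure of packet.pl, the step that actually sends the oversized TCP message for the "long TCP messages" crash regression, never marks the test as failed, and only the follow-up `dig_with_opts +tcp @10.53.0.1 …` would notice if named had already died. The hunk only reflows whitespace around `;`, so the defect is carried over unchanged to the new side. Write the tool output to a file and feed that to cat_i instead, so the status check runs in the current shell: `$PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt >packet.out.test$n || ret=1` followed by `cat_i <packet.out.test$n`. Whether this script enables pipefail is not visible here, but it would not help in any case, since it is the variable assignment rather than an exit status that is lost.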
@@ -18,78 +18,77 @@ dir="" msg="cryptography" if test -z "$KEYGEN"; then - . ../conf.sh - alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" + . ../conf.sh + alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" else - alg="" - quiet=1 - args="-q" + alg="" + quiet=1 + args="-q" fi while test "$#" -gt 0; do - case $1 in + case $1 in -q) - if test $quiet -eq 0; then - args="$args -q" - quiet=1 - fi - ;; - rsa|RSA|rsasha1|RSASHA1) - alg="-a RSASHA1" - msg="RSA cryptography" - ;; - rsasha256|RSASHA256) - alg="-a RSASHA256" - msg="RSA cryptography" - ;; - rsasha512|RSASHA512) - alg="-a RSASHA512" - msg="RSA cryptography" - ;; - ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256) - alg="-a ECDSAP256SHA256" - msg="ECDSA cryptography" - ;; - ecdsap384sha384|ECDSAP384SHA384) - alg="-a ECDSAP384SHA384" - msg="ECDSA cryptography" - ;; - eddsa|EDDSA|ed25519|ED25519) - alg="-a ED25519" - msg="EDDSA cryptography" - ;; - ed448|ED448) - alg="-a ED448" - msg="EDDSA cryptography" - ;; + if test $quiet -eq 0; then + args="$args -q" + quiet=1 + fi + ;; + rsa | RSA | rsasha1 | RSASHA1) + alg="-a RSASHA1" + msg="RSA cryptography" + ;; + rsasha256 | RSASHA256) + alg="-a RSASHA256" + msg="RSA cryptography" + ;; + rsasha512 | RSASHA512) + alg="-a RSASHA512" + msg="RSA cryptography" + ;; + ecdsa | ECDSA | ecdsap256sha256 | ECDSAP256SHA256) + alg="-a ECDSAP256SHA256" + msg="ECDSA cryptography" + ;; + ecdsap384sha384 | ECDSAP384SHA384) + alg="-a ECDSAP384SHA384" + msg="ECDSA cryptography" + ;; + eddsa | EDDSA | ed25519 | ED25519) + alg="-a ED25519" + msg="EDDSA cryptography" + ;; + ed448 | ED448) + alg="-a ED448" + msg="EDDSA cryptography" + ;; *) - echo "${prog}: unknown argument" - exit 1 - ;; - esac - shift + echo "${prog}: unknown argument" + exit 1 + ;; + esac + shift done if test -z "$alg"; then - echo "${prog}: no algorithm selected" - exit 1 + echo "${prog}: no algorithm selected" + exit 1 fi if test -n "$TMPDIR"; then - dir=$(mktemp -d "$TMPDIR/XXXXXX") - args="$args -K $dir" + dir=$(mktemp -d 
"$TMPDIR/XXXXXX") + args="$args -K $dir" fi -if $KEYGEN $args $alg foo > /dev/null 2>&1 -then - if test -z "$dir"; then - rm -f Kfoo* - else - rm -rf "$dir" - fi +if $KEYGEN $args $alg foo >/dev/null 2>&1; then + if test -z "$dir"; then + rm -f Kfoo* + else + rm -rf "$dir" + fi else - if test $quiet -eq 0; then - echo_i "This test requires support for $msg" >&2 - fi - exit 255 + if test $quiet -eq 0; then + echo_i "This test requires support for $msg" >&2 + fi + exit 255 fi diff --git a/bin/tests/system/testsummary.sh b/bin/tests/system/testsummary.sh index 52c79b9..6d7f02c 100644 --- a/bin/tests/system/testsummary.sh +++ b/bin/tests/system/testsummary.sh @@ -31,25 +31,25 @@ keepfile=0 while getopts "n" flag; do - case $flag in - n) keepfile=1 ;; - *) exit 1 ;; - esac + case $flag in + n) keepfile=1 ;; + *) exit 1 ;; + esac done if [ "$(find . -name 'test.output.*' 2>/dev/null | wc -l)" -eq 0 ]; then - echowarn "I:No 'test.output.*' files were found." - echowarn "I:Printing summary from pre-existing 'systests.output'." + echowarn "I:No 'test.output.*' files were found." + echowarn "I:Printing summary from pre-existing 'systests.output'." else - cat test.output.* > systests.output - if [ $keepfile -eq 0 ]; then - rm -f test.output.* - fi + cat test.output.* >systests.output + if [ $keepfile -eq 0 ]; then + rm -f test.output.* + fi fi if [ ! -f systests.output ]; then - echowarn "I:No 'systests.output' file found." - exit 1 + echowarn "I:No 'systests.output' file found." + exit 1 fi status=0 
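Review bot: `dir=$(mktemp -d "$TMPDIR/XXXXXX")` in the `test -n "$TMPDIR"` branch is not checked, so when TMPDIR is set but unusable `dir` is empty, `args="$args -K $dir"` leaves a bare `-K` that consumes the following `-a` token, and the resulting keygen failure is reported by the `else` branch as missing support for the algorithm (`exit 255`) rather than as a temporary-directory problem; whether `set -e` is active in this script is not visible in the hunk. The commit only reindents this block, so the gap survives on the new side. Fail distinctly at the point of the error so the 255 status stays reserved for the real "algorithm unsupported" case that callers key on: `dir=$(mktemp -d "$TMPDIR/XXXXXX") || { echo "${prog}: cannot create temporary directory in $TMPDIR" >&2; exit 1; }`. The later `rm -rf "$dir"` is only reached when `dir` is non-empty, so that side is already safe.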
@@ -58,34 +58,34 @@ echoinfo "$(grep 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output | cut -d' FAILED_TESTS=$(grep 'R:[a-z0-9_-][a-z0-9_-]*:FAIL' systests.output | cut -d':' -f2 | sort | sed -e 's/^/I: /') if [ -n "${FAILED_TESTS}" ]; then - echoinfo "I:The following system tests failed:" - echoinfo "${FAILED_TESTS}" - status=1 + echoinfo "I:The following system tests failed:" + echoinfo "${FAILED_TESTS}" + status=1 fi CRASHED_TESTS=$(find . \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.txt' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${CRASHED_TESTS}" ]; then - echoinfo "I:Core dumps were found for the following system tests:" - echoinfo "${CRASHED_TESTS}" + echoinfo "I:Core dumps were found for the following system tests:" + echoinfo "${CRASHED_TESTS}" fi ASSERTION_FAILED_TESTS=$(find . -name named.run -print0 | xargs -0 grep "assertion failure" | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${ASSERTION_FAILED_TESTS}" ]; then - echoinfo "I:Assertion failures were detected for the following system tests:" - echoinfo "${ASSERTION_FAILED_TESTS}" + echoinfo "I:Assertion failures were detected for the following system tests:" + echoinfo "${ASSERTION_FAILED_TESTS}" fi TSAN_REPORT_TESTS=$(find . -name 'tsan.*' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${TSAN_REPORT_TESTS}" ]; then - echoinfo "I:ThreadSanitizer reported issues for the following system tests:" - echoinfo "${TSAN_REPORT_TESTS}" + echoinfo "I:ThreadSanitizer reported issues for the following system tests:" + echoinfo "${TSAN_REPORT_TESTS}" fi RESULTS_FOUND=$(grep -c 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output) TESTS_RUN=$(echo "${SUBDIRS}" | wc -w) if [ "${RESULTS_FOUND}" -ne "${TESTS_RUN}" ]; then - echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run" - status=1 + echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run" + status=1 fi exit $status 
diff --git a/bin/tests/system/timeouts/ns1/named.conf.in b/bin/tests/system/timeouts/ns1/named.conf.in index 1c46549..b7d468b 100644 --- a/bin/tests/system/timeouts/ns1/named.conf.in +++ b/bin/tests/system/timeouts/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/timeouts/prereq.sh b/bin/tests/system/timeouts/prereq.sh index 0fac912..a37df94 100644 --- a/bin/tests/system/timeouts/prereq.sh +++ b/bin/tests/system/timeouts/prereq.sh @@ -13,18 +13,16 @@ . ../conf.sh -if test -n "$PYTHON" -then - if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null - then - : - else - echo_i "This test requires the dnspython >= 2.0.0 module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if $PYTHON -c "from dns.query import send_tcp" 2>/dev/null; then + : + else + echo_i "This test requires the dnspython >= 2.0.0 module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi exit 0 diff --git a/bin/tests/system/timeouts/setup.sh b/bin/tests/system/timeouts/setup.sh index c4019d2..2503054 100644 --- a/bin/tests/system/timeouts/setup.sh +++ b/bin/tests/system/timeouts/setup.sh @@ -27,4 +27,4 @@ print('') for a in range(150000): print('%s IN NS a' % (a)) - print('%s IN NS b' % (a))" > ns1/large.db + print('%s IN NS b' % (a))" >ns1/large.db diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh index 864542f..72959da 100644 --- a/bin/tests/system/tkey/tests.sh +++ b/bin/tests/system/tkey/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" "$@" + "$DIG" @10.53.0.1 -p "$PORT" "$@" } status=0 
@@ -26,138 +26,137 @@ echo_i "generating new DH key ($n)" ret=0 dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) - -for owner in . foo.example. -do - echo_i "creating new key using owner name \"$owner\" ($n)" - ret=0 - keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking the new key ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "deleting new key ($n)" - ret=0 - $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking that new key has been deleted ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) + +for owner in . 
foo.example.; do + echo_i "creating new key using owner name \"$owner\" ($n)" + ret=0 + keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "checking the new key ($n)" + ret=0 + dig_with_opts txt txt.example -k "$keyname" >dig.out.test$n || ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n >/dev/null || ret=1 + grep "Some TSIG could not be validated" dig.out.test$n >/dev/null && ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "deleting new key ($n)" + ret=0 + $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "checking that new key has been deleted ($n)" + ret=0 + dig_with_opts txt txt.example -k "$keyname" >dig.out.test$n || ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n >/dev/null && ret=1 + grep "Some TSIG could not be validated" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) done echo_i "creating new key using owner name bar.example. ($n)" ret=0 keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) 
|| ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking the key with 'rndc tsig-list' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "using key in a request ($n)" ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "deleting the key with 'rndc tsig-delete' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server >/dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null && ret=1 
+dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "TSIG could not be validated" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "recreating the bar.example. key ($n)" ret=0 keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking the new key with 'rndc tsig-list' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "using the new key in a request ($n)" ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tools/tests.sh b/bin/tests/system/tools/tests.sh index a7113cb..835c325 100644 --- a/bin/tests/system/tools/tests.sh +++ b/bin/tests/system/tools/tests.sh 
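Review bot: The hunk's first context line, `dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client)`, generates a 768-bit Diffie-Hellman key and the checks below it then require a `hmac-md5` TSIG, yet nothing says these are deliberately minimal test parameters; in a security test suite a reader may take them for endorsed settings. I would add above that line: `# TKEY Diffie-Hellman mode is exercised with a deliberately small 768-bit DH key and the HMAC-MD5 TSIG this test expects from it (RFC 2930); test-only parameters, not a strength recommendation.` Whether the crypto backend of a given build still accepts a 768-bit DH key is not visible here; if it rejects one, the `exit $status` immediately after keygen fails the whole test rather than skipping it, which may be worth a prereq check. The commit itself only reflows this hunk and renames the rndc.conf path, so none of this is introduced by it.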
@@ -16,33 +16,42 @@ status=0 checkout() { - rc=$1 - case $rc in - 0) : ok ;; - *) echo_i "failed" - status=$((status + 1)) - return 1 ;; - esac - case $out in - *$hash*) : ok ;; - *) echo_i "expect $hash" - echo_i "output $out" - echo_i "failed" - status=$((status + 1)) ;; - esac + rc=$1 + case $rc in + 0) : ok ;; + *) + echo_i "failed" + status=$((status + 1)) + return 1 + ;; + esac + case $out in + *$hash*) : ok ;; + *) + echo_i "expect $hash" + echo_i "output $out" + echo_i "failed" + status=$((status + 1)) + ;; + esac } # test cases taken from RFC 5155 appendix A algo=1 flags=0 iters=12 salt="aabbccdd" -while read name hash -do - echo_i "checking $NSEC3HASH $name" - { out=$($NSEC3HASH $salt $algo $iters $name); rc=$?; } || true - checkout $rc +while read name hash; do + echo_i "checking $NSEC3HASH $name" + { + out=$($NSEC3HASH $salt $algo $iters $name) + rc=$? + } || true + checkout $rc - echo_i "checking $NSEC3HASH -r $name" - { out=$($NSEC3HASH -r $algo $flags $iters $salt $name); rc=$?; } || true - checkout $rc + echo_i "checking $NSEC3HASH -r $name" + { + out=$($NSEC3HASH -r $algo $flags $iters $salt $name) + rc=$? + } || true + checkout $rc done <&1); rc=$?; } || true +{ + out=$($NSEC3HASH 00 1 0 2>&1) + rc=$? +} || true checkfail $rc echo_i "checking $NSEC3HASH extra args" -{ out=$($NSEC3HASH 00 1 0 two names 2>&1); rc=$?; } || true +{ + out=$($NSEC3HASH 00 1 0 two names 2>&1) + rc=$? +} || true checkfail $rc echo_i "checking $NSEC3HASH bad option" -{ out=$($NSEC3HASH -? 2>&1); rc=$?; } || true +{ + out=$($NSEC3HASH -? 2>&1) + rc=$? +} || true checkfail $rc echo_i "exit status: $status" diff --git a/bin/tests/system/transport-acl/ns1/named.conf.in b/bin/tests/system/transport-acl/ns1/named.conf.in index cf0ccd5..d2a941a 100644 --- a/bin/tests/system/transport-acl/ns1/named.conf.in +++ b/bin/tests/system/transport-acl/ns1/named.conf.in 
@@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/transport-acl/setup.sh b/bin/tests/system/transport-acl/setup.sh index 672a5b6..f726f70 100644 --- a/bin/tests/system/transport-acl/setup.sh +++ b/bin/tests/system/transport-acl/setup.sh @@ -16,6 +16,6 @@ $SHELL clean.sh -$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 > ns1/example.db +$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/transport-acl/tests.sh b/bin/tests/system/transport-acl/tests.sh index 9bed02b..c866462 100644 --- a/bin/tests/system/transport-acl/tests.sh +++ b/bin/tests/system/transport-acl/tests.sh 
@@ -20,34 +20,34 @@ dig_out_basename="dig.out.test" testing="testing allow-transfer transport ACL functionality" dig_with_opts() { - # shellcheck disable=SC2086 - "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@" + # shellcheck disable=SC2086 + "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@" } status=0 n=0 -run_dig_test () { - test_message="$1" - shift - n=$((n+1)) - echo_i "$test_message ($n)" - ret=0 - dig_with_opts "$@" > "$dig_out_basename$n" || ret=1 +run_dig_test() { + test_message="$1" + shift + n=$((n + 1)) + echo_i "$test_message ($n)" + ret=0 + dig_with_opts "$@" >"$dig_out_basename$n" || ret=1 } -run_dig_expect_axfr_success () { - run_dig_test "$@" - grep "; Transfer failed" "$dig_out_basename$n" > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +run_dig_expect_axfr_success() { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } -run_dig_expect_axfr_failure () { - run_dig_test "$@" - grep "; Transfer failed" "$dig_out_basename$n" > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +run_dig_expect_axfr_failure() { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } # generic tests 
@@ -61,7 +61,7 @@ run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp - run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 -run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh index d8dbbe3..cd90cee 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh 
@@ -17,9 +17,8 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf -if $FEATURETEST --md5 -then - cat >> ns1/named.conf << EOF +if $FEATURETEST --md5; then + cat >>ns1/named.conf < dig.out.md5.old || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi - - echo_i "fetching using hmac-md5 (new form)" - ret=0 - $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (old form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa >dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi + + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa >dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5" + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1 || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224" ret=0 -$DIG $DIGOPTS example.nil. 
-y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1 -grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224 || ret=1 +grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1 -grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256 || ret=1 +grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1 -grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384 || ret=1 +grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1 -grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512 || ret=1 +grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi # 
@@ -95,227 +101,245 @@ fi # Truncated TSIG # # -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5 (trunc)" - ret=0 - $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 - grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (trunc)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa >dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5 (trunc)" + echo_i "skipping using hmac-md5 (trunc)" fi echo_i "fetching using hmac-sha1 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa >dig.out.sha1.trunc || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1 -grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa >dig.out.sha224.trunc || ret=1 +grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. 
-y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1 -grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa >dig.out.sha256.trunc || ret=1 +grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1 -grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa >dig.out.sha384.trunc || ret=1 +grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512-256 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1 -grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa >dig.out.sha512.trunc || ret=1 +grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi - # # # Check for bad truncation. # # -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5-80 (BADTRUNC)" - ret=0 - $DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 - grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa >dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5-80 (BADTRUNC)" + echo_i "skipping using hmac-md5-80 (BADTRUNC)" fi echo_i "fetching using hmac-sha1-80 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1 -grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1-80 || ret=1 +grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224-112 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1 -grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224-112 || ret=1 +grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256-128 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1 -grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. 
-y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256-128 || ret=1 +grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384-192 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1 -grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384-192 || ret=1 +grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512-256 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1 -grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512-256 || ret=1 +grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "attempting fetch with bad tsig algorithm" ret=0 -$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1 -grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. 
-y "badalgo:invalid:$sha512" @10.53.0.1 soa >dig.out.badalgo 2>&1 || ret=1 +grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "checking both OPT and TSIG records are returned when TC=1" ret=0 -$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1 -grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1 -grep "status: NOERROR" dig.out.large > /dev/null || ret=1 -grep "EDNS:" dig.out.large > /dev/null || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt >dig.out.large 2>&1 || ret=1 +grep "flags:.* tc[ ;]" dig.out.large >/dev/null || ret=1 +grep "status: NOERROR" dig.out.large >/dev/null || ret=1 +grep "EDNS:" dig.out.large >/dev/null || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "check that dnssec-keygen won't generate TSIG keys" ret=0 -$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1 -grep "unknown algorithm" keygen.out3 > /dev/null || ret=1 +$KEYGEN -a hmac-sha256 -b 128 -n host example.net >keygen.out3 2>&1 && ret=1 +grep "unknown algorithm" keygen.out3 >/dev/null || ret=1 echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" ret=0 -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1 -$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 -grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 version.bind txt ch >dig.out.verify || ret=1 +grep "status: NOERROR" 
dig.out.verify >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi -if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1 -then +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' >/dev/null 2>&1; then echo_i "check that TSIG in the wrong place returns FORMERR" ret=0 - $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out - grep "rcode = FORMERR" packet.out > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 + $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d packet.out + grep "rcode = FORMERR" packet.out >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi fi echo_i "check that a malformed truncated response to a TSIG query is handled" ret=0 -$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1 -grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG -p $PORT @10.53.0.1 bad-tsig >dig.out.bad-tsig || ret=1 +grep "status: SERVFAIL" dig.out.bad-tsig >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5 (legacy)" - ret=0 - $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1 - grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (legacy)" + ret=0 + $DIG $DIGOPTS example.nil. 
-k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa >dig.out.md5.legacy 2>&1 || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy >/dev/null || ret=1 + grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5" + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa >dig.out.sha1.legacy 2>&1 || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1 -grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa >dig.out.sha224 2>&1 || ret=1 +grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. 
-k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1 -grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa >dig.out.sha256 2>&1 || ret=1 +grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1 -grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa >dig.out.sha384 2>&1 || ret=1 +grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1 -grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. 
-k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa >dig.out.sha512 2>&1 || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 >/dev/null || ret=1 +grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "exit status: $status" diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh index 0f8e2d6..1abaf8e 100644 --- a/bin/tests/system/tsiggss/prereq.sh +++ b/bin/tests/system/tsiggss/prereq.sh @@ -14,9 +14,9 @@ . ../conf.sh # enable the tsiggss test only if gssapi was enabled -$FEATURETEST --gssapi || { - echo_i "gssapi and krb5 not supported - skipping tsiggss test" - exit 255 +$FEATURETEST --gssapi || { + echo_i "gssapi and krb5 not supported - skipping tsiggss test" + exit 255 } exit 0 diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh index 37b80fd..0353cb5 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh @@ -18,4 +18,4 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf key=$($KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.) -cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +cat ns1/example.nil.db.in ns1/${key}.key >ns1/example.nil.db diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh index 97cc7bb..c37f32e 100644 --- a/bin/tests/system/tsiggss/tests.sh +++ b/bin/tests/system/tsiggss/tests.sh 
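Review bot: The dnssec-keygen check in this hunk sets `ret` but never reports or accumulates it: after `grep "unknown algorithm" keygen.out3 >/dev/null || ret=1` the next check immediately resets `ret=0`, so a regression there can never make the test fail. Adding the block every other check in the file uses, `if [ $ret -eq 1 ]; then echo_i "failed"; status=1; fi`, closes that gap. In the same hunk, the "both OPT and TSIG records are returned when TC=1" check greps `dig.out.sha1` (the output of an earlier test) for the TSIG line instead of `dig.out.large`, so the TSIG record of the truncated response is presumably never verified; `grep -i "sha1.*TSIG.*NOERROR" dig.out.large >/dev/null || ret=1` looks like what was intended. Both points predate this commit, which only reformats the lines.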
@@ -22,50 +22,49 @@ n=1 DIGOPTS="@10.53.0.1 -p ${PORT}" -test_update () { - num="$1" - host="$2" - type="$3" - cmd="$4" - digout="$5" - - cat < ns1/update.txt +test_update() { + num="$1" + host="$2" + type="$3" + cmd="$4" + digout="$5" + + cat <ns1/update.txt server 10.53.0.1 ${PORT} update add $host $cmd send answer EOF - echo_i "testing update for $host $type $cmd" - $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || { - echo_i "update failed for $host $type $cmd" - sed "s/^/I:/" nsupdate.out${num} - return 1 - } - - # Verify that TKEY response is signed. - tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) - pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" - echo $tkeyout | grep "$pattern" > /dev/null || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - # Weak verification that TKEY response is signed. - grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") - lines=$(echo "$out" | grep "$digout" | wc -l) - [ $lines -eq 1 ] || { - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - return 0 + echo_i "testing update for $host $type $cmd" + $NSUPDATE -g -d ns1/update.txt >nsupdate.out${num} 2>&1 || { + echo_i "update failed for $host $type $cmd" + sed "s/^/I:/" nsupdate.out${num} + return 1 + } + + # Verify that TKEY response is signed. 
+ tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) + pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" + echo $tkeyout | grep "$pattern" >/dev/null || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + # Weak verification that TKEY response is signed. + grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") + lines=$(echo "$out" | grep "$digout" | wc -l) + [ $lines -eq 1 ] || { + echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 } - # Testing updates with good credentials. KRB5CCNAME="FILE:"$(pwd)/ns1/administrator.ccache export KRB5CCNAME 
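Review bot: The `echo $tkeyout | grep "$pattern"` line in test_update appears to depend on the unquoted expansion: word-splitting folds the multi-line awk output into one line so that the single-line pattern (which has spaces where the `;; QUESTION SECTION:` / `;; ANSWER SECTION:` line breaks would be) can match. ShellCheck flags this as SC2086 and a later quoting "fix" would silently break the check, so a comment such as `# $tkeyout deliberately unquoted: word-splitting joins the multi-line reply so the one-line pattern matches` is worth adding, matching the shellcheck-directive style used elsewhere in the tree. A smaller point of style in the same function: `lines=$(echo "$out" | grep "$digout" | wc -l)` can be `lines=$(printf '%s\n' "$out" | grep -c -- "$digout")` with identical counting.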
@@ -73,24 +72,23 @@ export KRB5CCNAME echo_i "testing updates to testdc1 as administrator ($n)" ret=0 test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to testdc2 as administrator ($n)" ret=0 test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied as administrator ($n)" ret=0 -test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1 -n=$((n+1)) +test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) # Testing denied updates. KRB5CCNAME="FILE:"$(pwd)/ns1/testdenied.ccache 
@@ -98,44 +96,44 @@ export KRB5CCNAME echo_i "testing updates to denied (A) as a user ($n)" ret=0 -test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied (TXT) as a user ($n)" ret=0 test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) ($n)" ret=0 -test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) with auth sock ($n)" ret=0 -$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 & sleep 1 test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (A) ($n)" ret=0 -test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. 
A "86400 A 10.53.0.13" "10.53.0.13" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external policy with SIG(0) key ($n)" ret=0 -$NSUPDATE -k ns1/Kkey.example.nil.*.private < /dev/null 2>&1 || ret=1 +$NSUPDATE -k ns1/Kkey.example.nil.*.private </dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil update add fred.example.nil 120 cname foo.bar. 
@@ -144,31 +142,34 @@ END output=$($DIG $DIGOPTS +short cname fred.example.nil.) [ -n "$output" ] || ret=1 [ $ret -eq 0 ] || echo_i "failed" -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is fatal in non-interactive mode ($n)" ret=0 -$NSUPDATE < nsupdate.out${n} 2>&1 && ret=1 +$NSUPDATE <nsupdate.out${n} 2>&1 && ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -grep "syntax error" nsupdate.out${n} > /dev/null || ret=1 -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +grep "syntax error" nsupdate.out${n} >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is not fatal in interactive mode ($n)" ret=0 -$NSUPDATE -i < nsupdate.out${n} 2>&1 || ret=1 +$NSUPDATE -i <nsupdate.out${n} 2>&1 || 
ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) [ $status -eq 0 ] && echo_i "tsiggss tests all OK" diff --git a/bin/tests/system/ttl/ns1/named.conf.in b/bin/tests/system/ttl/ns1/named.conf.in index 51eee0c..6864614 100644 --- a/bin/tests/system/ttl/ns1/named.conf.in +++ b/bin/tests/system/ttl/ns1/named.conf.in @@ -35,7 +35,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "min-example" { diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh index 0c043bf..b08a677 100644 --- a/bin/tests/system/unknown/setup.sh +++ b/bin/tests/system/unknown/setup.sh 
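Review bot: In the interactive-mode realm check, `[ $ret = 0 ] || { echo_i "failed"; status=1; }` (now split over three lines) duplicates the generic `if [ "$ret" -ne 0 ]; then echo_i "failed"; fi` / `status=$((status + ret))` pair that follows it: on failure "failed" is printed twice and, worse, `status=1` overwrites the failure count accumulated by every earlier test before `status + ret` adds to it, so the count is wrong even though the final `[ $status -eq 0 ]` check still fires. The SIG(0) check at the top of the hunk has the same duplicated reporting with `[ $ret -eq 0 ] || echo_i "failed"`. Dropping the extra block and the extra line, and keeping only the shared `if`/`status=$((status + ret))` pair, makes both checks report once and preserves the running total.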
@@ -17,4 +17,7 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -(cd ns3; $SHELL -e sign.sh) +( + cd ns3 + $SHELL -e sign.sh +) diff --git a/bin/tests/system/unknown/tests.sh b/bin/tests/system/unknown/tests.sh index f52b50e..eb61f21 100644 --- a/bin/tests/system/unknown/tests.sh +++ b/bin/tests/system/unknown/tests.sh 
@@ -21,144 +21,136 @@ n=0 DIGOPTS="-p ${PORT}" dig_cmd() { - # shellcheck disable=SC2086 - "$DIG" $DIGOPTS "$@" | grep -v '^;' + # shellcheck disable=SC2086 + "$DIG" $DIGOPTS "$@" | grep -v '^;' } -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN A record ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 11 12 -do - ret=0 - dig_cmd +short @10.53.0.1 a$i.example a in > dig.out.$i.test$n - echo 10.0.0.1 | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4 5 6 7 8 9 10 11 12; do + ret=0 + dig_cmd +short @10.53.0.1 a$i.example a in >dig.out.$i.test$n + echo 10.0.0.1 | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN TXT record ($n)" -for i in 1 2 3 4 5 6 7 -do - ret=0 - dig_cmd +short @10.53.0.1 txt$i.example txt in > dig.out.$i.test$n - echo '"hello"' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4 5 6 7; do + ret=0 + dig_cmd +short @10.53.0.1 txt$i.example txt in >dig.out.$i.test$n + echo '"hello"' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN TYPE123 record ($n)" -for i in 1 2 3 -do - ret=0 - dig_cmd +short @10.53.0.1 unk$i.example type123 in > dig.out.$i.test$n - echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3; do + ret=0 + dig_cmd +short @10.53.0.1 unk$i.example type123 in >dig.out.$i.test$n + echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for NULL record ($n)" 
ret=0 -dig_cmd +short @10.53.0.1 null.example null in > dig.out.test$n +dig_cmd +short @10.53.0.1 null.example null in >dig.out.test$n echo '\# 1 00' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "querying for empty NULL record ($n)" ret=0 -dig_cmd +short @10.53.0.1 empty.example null in > dig.out.test$n +dig_cmd +short @10.53.0.1 empty.example null in >dig.out.test$n echo '\# 0' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TYPE1 record ($n)" -for i in 1 2 -do - ret=0 - dig_cmd +short @10.53.0.1 a$i.example a class10 > dig.out.$i.test$n - echo '\# 4 0A000001' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2; do + ret=0 + dig_cmd +short @10.53.0.1 a$i.example a class10 >dig.out.$i.test$n + echo '\# 4 0A000001' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TXT record ($n)" -for i in 1 2 3 4 -do - ret=0 - dig_cmd +short @10.53.0.1 txt$i.example txt class10 > dig.out.$i.test$n - echo '"hello"' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4; do + ret=0 + dig_cmd +short @10.53.0.1 txt$i.example txt class10 >dig.out.$i.test$n + echo '"hello"' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TYPE123 record ($n)" -for i in 1 2 -do - ret=0 - dig_cmd +short @10.53.0.1 unk$i.example type123 class10 > dig.out.$i.test$n - echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - 
echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2; do + ret=0 + dig_cmd +short @10.53.0.1 unk$i.example type123 class10 >dig.out.$i.test$n + echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for SOAs of zone that should have failed to load ($n)" -for i in 1 2 3 4 -do - ret=0 - $DIG $DIGOPTS @10.53.0.1 broken$i. soa in > dig.out.$i.test$n || ret=1 - grep "SERVFAIL" dig.out.$i.test$n > /dev/null || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4; do + ret=0 + $DIG $DIGOPTS @10.53.0.1 broken$i. soa in >dig.out.$i.test$n || ret=1 + grep "SERVFAIL" dig.out.$i.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on primary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.1 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.1 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on secondary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" 
-eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) @@ -169,23 +161,29 @@ start_server --noclean --restart --port ${PORT} ns2 # server may be answering queries before zones are loaded, # so retry a few times if this query fails -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on secondary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on inline secondary ($n)" ret=0 -dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.test$n -diff large.out dig.out.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } +dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 >dig.out.test$n +diff large.out dig.out.test$n >/dev/null || { + ret=1 + echo_i "diff failed" +} [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) 
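Review bot: The retry loops in this hunk iterate over `try` but name their output file with `$i`, which is only the stale value left by the preceding `for i in 1 2 3 4` loop, so `>dig.out.$i.test$n` resolves to something like `dig.out.4.test$n` and the file name no longer says which check produced it; the same pattern is reformatted again in the `@@ -169,23 +161,29` and `@@ -195,39 +193,42` hunks. Either use the loop variable or drop it, matching the single-shot checks in the same file that already write `dig.out.test$n`: `dig_cmd @10.53.0.1 +tcp +short large.example TYPE45234 >dig.out.test$n` and `diff -s large.out dig.out.test$n >/dev/null || {`. The defect predates this commit, but these lines were rewritten here, so this is the natural place to correct them.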
@@ -195,39 +193,42 @@ start_server --noclean --restart --port ${PORT} ns3
 # server may be answering queries before zones are loaded,
 # so retry a few times if this query fails
-n=$((n+1))
+n=$((n + 1))
 echo_i "checking large unknown record loading on inline secondary ($n)"
 for try in 0 1 2 3 4 5 6 7 8 9; do
- ret=0
- dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.$i.test$n
- diff large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; }
- [ "$ret" -eq 0 ] && break
- sleep 1
+ ret=0
+ dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 >dig.out.$i.test$n
+ diff large.out dig.out.$i.test$n >/dev/null || {
+ ret=1
+ echo_i "diff failed"
+ }
+ [ "$ret" -eq 0 ] && break
+ sleep 1
 done
 [ $ret = 0 ] || echo_i "failed"
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that '"'"\\#"'"' is not treated as the unknown escape sequence ($n)"
 ret=0
-dig_cmd @10.53.0.1 +tcp +short txt8.example txt > dig.out.test$n
+dig_cmd @10.53.0.1 +tcp +short txt8.example txt >dig.out.test$n
 echo '"#" "2" "0145"' | diff - dig.out.test$n || ret=1
 [ $ret = 0 ] || echo_i "failed"
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that 'TXT \# text' is not treated as the unknown escape sequence ($n)"
 ret=0
-dig_cmd @10.53.0.1 +tcp +short txt9.example txt > dig.out.test$n
+dig_cmd @10.53.0.1 +tcp +short txt9.example txt >dig.out.test$n
 echo '"#" "text"' | diff - dig.out.test$n || ret=1
 [ $ret = 0 ] || echo_i "failed"
 status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "check that 'TYPE353 \# cat' produces 'not a valid number' ($n)"
 ret=0
-$CHECKZONE nan.bad zones/nan.bad > check.out 2>&1 && ret=1
-grep "not a valid number" check.out > /dev/null || ret=1
+$CHECKZONE nan.bad zones/nan.bad >check.out 2>&1 && ret=1
+grep "not a valid number" check.out >/dev/null || ret=1
 [ $ret = 0 ] || echo_i "failed"
 status=$((status + ret))
diff --git a/bin/tests/system/upforwd/prereq.sh b/bin/tests/system/upforwd/prereq.sh
new file mode 100644
index 0000000..c52be9c
--- /dev/null
+++ b/bin/tests/system/upforwd/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index f2719ba..facc79d 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -20,28 +20,25 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named1.conf.in ns3/named.conf -if $FEATURETEST --enable-dnstap -then - cat <<'EOF' > ns3/dnstap.conf +if $FEATURETEST --enable-dnstap; then + cat <<'EOF' >ns3/dnstap.conf dnstap-identity "ns3"; dnstap-version "xxx"; dnstap-output file "dnstap.out"; dnstap { all; }; EOF else - echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf + echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf fi - # # SIG(0) required cryptographic support which may not be configured. # -keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) -if test -n "$keyname" -then - cat ns1/example1.db $keyname.key > ns1/example2.db - echo $keyname > keyname +keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) +if test -n "$keyname"; then + cat ns1/example1.db $keyname.key >ns1/example2.db + echo $keyname >keyname else - cat ns1/example1.db > ns1/example2.db + cat ns1/example1.db >ns1/example2.db fi -cat_i < keyname.err +cat_i dnstapread.out$n - read UQ UR < dnstapread.out$n - echo_i "UQ=$UQ UR=$UR" - test $UQ -eq $UR || return 1 + "$DNSTAPREAD" dnstap.out.$n \ + | awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' >dnstapread.out$n + read UQ UR dig.out.ns1 || ret=1 - grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1 - $DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1 - grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 - $DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG +tcp -p ${PORT} example. @10.53.0.1 soa >dig.out.ns1 || ret=1 + grep "status: NOERROR" dig.out.ns1 >/dev/null || ret=1 + $DIG +tcp -p ${PORT} example. 
@10.53.0.2 soa >dig.out.ns2 || ret=1 + grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.3 soa >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching primary copy of zone before update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 1 copy of zone before update ($n)" -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 2 copy of zone before update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "comparing pre-update copies to known good data ($n)" @@ -78,7 +86,10 @@ ret=0 digcomp knowngood.before dig.out.ns1 || ret=1 digcomp knowngood.before dig.out.ns2 || ret=1 digcomp knowngood.before dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "updating zone (signed) ($n)" ret=0 
@@ -89,7 +100,10 @@ update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo send EOF -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "sleeping 15 seconds for server to incorporate changes" @@ -97,22 +111,28 @@ sleep 15 echo_i "fetching primary copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 1 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "fetching secondary 2 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "comparing post-update copies to known good data ($n)" 
@@ -120,23 +140,28 @@ ret=0 digcomp knowngood.after1 dig.out.ns1 || ret=1 digcomp knowngood.after1 dig.out.ns2 || ret=1 digcomp knowngood.after1 dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "checking 'forwarding update for zone' is logged ($n)" ret=0 -grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "forwarding update for zone 'example/IN'" ns3/named.run >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi echo_i "updating zone (unsigned) ($n)" @@ -148,7 +173,10 @@ update add unsigned.example. 600 A 10.10.10.1 update add unsigned.example. 600 TXT Foo send EOF -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "sleeping 15 seconds for server to incorporate changes" 
@@ -156,48 +184,55 @@ sleep 15 echo_i "fetching primary copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "fetching secondary 1 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 2 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "comparing post-update copies to known good data ($n)" ret=0 digcomp knowngood.after2 dig.out.ns1 || ret=1 digcomp knowngood.after2 dig.out.ns2 || ret=1 digcomp knowngood.after2 dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi - -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi + +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi n=$((n + 1)) -if test -f keyname -then - echo_i "checking update forwarding to with 
sig0 ($n)" - ret=0 - keyname=$(cat keyname) - $NSUPDATE -k $keyname.private -- - < dig.out.ns1.test$n - grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) - - if $FEATURETEST --enable-dnstap - then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) - fi + $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + + if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + fi fi echo_i "attempting an update that should be rejected by ACL ($n)" ret=0 { - $NSUPDATE -- - << EOF + $NSUPDATE -- - < nsupdate.out.$n 2>&1 && ret=1 -grep REFUSED nsupdate.out.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +} >nsupdate.out.$n 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "checking update forwarding to dead primary ($n)" count=0 ret=0 -while [ $count -lt 5 -a $ret -eq 0 ] -do -( -$NSUPDATE -- - < /dev/null 2>&1 & - $DIG -p ${PORT} +noadd +notcp +noauth noprimary. @10.53.0.3 soa > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - count=$((count + 1)) + ) >/dev/null 2>&1 & + $DIG -p ${PORT} +noadd +notcp +noauth noprimary. 
@10.53.0.3 soa >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + count=$((count + 1)) done -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur && ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi n=$((n + 1)) 
@@ -277,19 +315,22 @@ echo_i "attempting updates that should exceed quota ($n)" # lower the update quota to 1. copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null for loop in 1 2 3 4 5 6 7 8 9 10; do -{ - $NSUPDATE -- - > /dev/null 2>&1 </dev/null 2>&1 < verify.out.$n 2>&1 || ret=1 - [ $ret = 0 ] || failed +for file in zones/*.good; do + n=$((n + 1)) + zone=$(expr "$file" : 'zones/\(.*\).good') + echo_i "checking supposedly good zone: $zone ($n)" + ret=0 + case $zone in + zsk-only.*) only=-z ;; + ksk-only.*) only=-z ;; + *) only= ;; + esac + $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 || ret=1 + [ $ret = 0 ] || failed done -for file in zones/*.bad -do - n=$((n + 1)) - zone=$(expr "$file" : 'zones/\(.*\).bad') - echo_i "checking supposedly bad zone: $zone ($n)" - ret=0 - dumpit=0 - case $zone in - zsk-only.*) only=-z;; - ksk-only.*) only=-z;; - *) only=;; - esac - expect1= expect2= - case $zone in - *.dnskeyonly) - expect1="DNSKEY is not signed" - ;; - *.expired) - expect1="signature has expired" - expect2="No self-signed .*DNSKEY found" - ;; - *.ksk-expired) - expect1="signature has expired" - expect2="No self-signed .*DNSKEY found" - ;; - *.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec) - expect1="unexpected NSEC RRset at" - ;; - *.nsec.broken-chain) - expect1="Bad NSEC record for.*, next name mismatch" - ;; - *.bad-bitmap) - expect1="bit map mismatch" - ;; - *.missing-empty) - expect1="Missing NSEC3 record for"; - ;; - unsigned) - expect1="Zone contains no DNSSEC keys" - ;; - *.extra-nsec3) - expect1="Expected and found NSEC3 chains not equal"; - ;; - *) - dumpit=1 - ;; - esac - $VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 && ret=1 - grep "${expect1:-.}" verify.out.$n > /dev/null || ret=1 - grep "${expect2:-.}" verify.out.$n > /dev/null || ret=1 - [ $ret = 0 ] || failed - [ $dumpit = 1 ] && cat verify.out.$n +for file in zones/*.bad; do + 
n=$((n + 1)) + zone=$(expr "$file" : 'zones/\(.*\).bad') + echo_i "checking supposedly bad zone: $zone ($n)" + ret=0 + dumpit=0 + case $zone in + zsk-only.*) only=-z ;; + ksk-only.*) only=-z ;; + *) only= ;; + esac + expect1= expect2= + case $zone in + *.dnskeyonly) + expect1="DNSKEY is not signed" + ;; + *.expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.ksk-expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.out-of-zone-nsec | *.below-bottom-of-zone-nsec | *.below-dname-nsec) + expect1="unexpected NSEC RRset at" + ;; + *.nsec.broken-chain) + expect1="Bad NSEC record for.*, next name mismatch" + ;; + *.bad-bitmap) + expect1="bit map mismatch" + ;; + *.missing-empty) + expect1="Missing NSEC3 record for" + ;; + unsigned) + expect1="Zone contains no DNSSEC keys" + ;; + *.extra-nsec3) + expect1="Expected and found NSEC3 chains not equal" + ;; + *) + dumpit=1 + ;; + esac + $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 && ret=1 + grep "${expect1:-.}" verify.out.$n >/dev/null || ret=1 + grep "${expect2:-.}" verify.out.$n >/dev/null || ret=1 + [ $ret = 0 ] || failed + [ $dumpit = 1 ] && cat verify.out.$n done n=$((n + 1)) echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)" ret=0 # When -o is not used, origin is set to zone file name, which should cause an error in this case -$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1 -grep "not at top of zone" verify.out.$n > /dev/null || ret=1 -grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1 +$VERIFY zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1 +grep "not at top of zone" verify.out.$n >/dev/null || ret=1 +grep "use -o to specify a different zone origin" verify.out.$n >/dev/null || ret=1 [ $ret = 0 ] || failed n=$((n + 1)) echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)" 
 ret=0
-$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
-grep "not at top of zone" verify.out.$n > /dev/null || ret=1
-grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1
+$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n >/dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n >/dev/null && ret=1
 [ $ret = 0 ] || failed
 echo_i "exit status: $status"
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
index 494174d..044ae7f 100644
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -15,17 +15,17 @@ SYSTESTDIR=verify
-dumpit () {
- echo_d "${debug}: dumping ${1}"
- cat "${1}" | cat_d
+dumpit() {
+ echo_d "${debug}: dumping ${1}"
+ cat "${1}" | cat_d
 }
-setup () {
- echo_i "setting up $2 zone: $1"
- debug="$1"
- zone="$1"
- file="$1.$2"
- n=$((${n:-0} + 1))
+setup() {
+ echo_i "setting up $2 zone: $1"
+ debug="$1"
+ zone="$1"
+ file="$1.$2"
+ n=$((${n:-0} + 1))
 }
 # A unsigned zone should fail validation.
@@ -34,50 +34,50 @@ cp unsigned.db unsigned.bad # A set of nsec zones. setup zsk-only.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec.apex-dname good -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n cp unsigned.db ${file}.tmp -echo "@ DNAME data" >> ${file}.tmp -$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n +echo "@ DNAME data" >>${file}.tmp +$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp >s.out$n || dumpit s.out$n # A set of nsec3 zones. 
setup zsk-only.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.optout good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.apex-dname good -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a 
${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n cp unsigned.db ${file}.tmp -echo "@ DNAME data" >> ${file}.tmp -$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n +echo "@ DNAME data" >>${file}.tmp +$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp >s.out$n || dumpit s.out$n # # generate an NSEC record like @@ -86,9 +86,9 @@ $SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # becomes foo when the zone is loaded. # setup nsec-next-name-case-mismatch good -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat << EOF > ${zone}.tmp +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat <${zone}.tmp \$TTL 0 @ IN SOA foo . ( 1 28800 7200 604800 1800 ) @ NS foo 
@@ -98,141 +98,141 @@ FOO AAAA ::1 FOO A 127.0.0.2 aba CNAME FOO EOF -$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n -sed 's/^FOO\./foo\./' < ${file}.tmp > ${file} +$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp >s.out$n || dumpit s.out$n +sed 's/^FOO\./foo\./' <${file}.tmp >${file} # A set of zones with only DNSKEY records. setup zsk-only.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key > ${file} +cat unsigned.db $key1.key >${file} setup ksk-only.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key > ${file} +cat unsigned.db $key1.key >${file} setup ksk+zsk.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n key2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key $key2.key > ${file} +cat unsigned.db $key1.key $key2.key >${file} # A set of zones with expired records s="-s -2678400" setup zsk-only.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > 
s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup zsk-only.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n # ksk expired setup ksk+zsk.nsec.ksk-expired bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n -$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit 
kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n +$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n now=$(date -u +%Y%m%d%H%M%S) exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file setup ksk+zsk.nsec3.ksk-expired bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n -$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n +$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n now=$(date -u +%Y%m%d%H%M%S) exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file # broken nsec chain setup ksk+zsk.nsec.broken-chain bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit 
kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} >${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # bad nsec bitmap setup ksk+zsk.nsec.bad-bitmap bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} >${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # extra NSEC record out side of zone setup ksk+zsk.nsec.out-of-zone-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "out-of-zone. 3600 IN NSEC ${zone}. 
A" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "out-of-zone. 3600 IN NSEC ${zone}. A" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n # extra NSEC record below bottom of zone setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk >s.out$n || dumpit s.out$n # dnssec-signzone signs any node with a NSEC record. 
-awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} +awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp >${file} # extra NSEC record below DNAME setup ksk+zsk.nsec.below-dname-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. 
TXT" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n # missing NSEC3 record at empty node # extract the hash fields from the empty node's NSEC 3 record then fix up # the NSEC3 chain to remove it setup ksk+zsk.nsec3.missing-empty bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}) b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}) awk ' $4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; } $4 == "NSEC3" && NF == 9 { next; } -{ print; }' ${file} > ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +{ print; }' ${file} >${file}.tmp +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # extra NSEC3 record setup ksk+zsk.nsec3.extra-nsec3 bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -P -O full -o ${zone} -f 
${file} ${file} $ksk >s.out$n || dumpit s.out$n awk ' BEGIN { ZONE="'${zone}'."; @@ -241,7 +241,7 @@ $4 == "NSEC3" && NF == 9 { $1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE; $9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I"; print; -}' ${file} > ${file}.tmp -cat ${file}.tmp >> ${file} +}' ${file} >${file}.tmp +cat ${file}.tmp >>${file} rm -f ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in index 4a257c0..d79a35e 100644 --- a/bin/tests/system/views/ns2/named1.conf.in +++ b/bin/tests/system/views/ns2/named1.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in index 8a4d773..8819f50 100644 --- a/bin/tests/system/views/ns2/named2.conf.in +++ b/bin/tests/system/views/ns2/named2.conf.in @@ -39,7 +39,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { @@ -74,7 +74,7 @@ view "external" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns3/named1.conf.in b/bin/tests/system/views/ns3/named1.conf.in index b4fbf41..a4cb243 100644 --- a/bin/tests/system/views/ns3/named1.conf.in +++ b/bin/tests/system/views/ns3/named1.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns3/named2.conf.in b/bin/tests/system/views/ns3/named2.conf.in index 0ef2009..0f819fa 100644 --- a/bin/tests/system/views/ns3/named2.conf.in 
+++ b/bin/tests/system/views/ns3/named2.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns5/named.conf.in b/bin/tests/system/views/ns5/named.conf.in index 4c4ee4e..23556a7 100644 --- a/bin/tests/system/views/ns5/named.conf.in +++ b/bin/tests/system/views/ns5/named.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "child.clone" { diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh index e0cca83..9ccf5d0 100644 --- a/bin/tests/system/views/setup.sh +++ b/bin/tests/system/views/setup.sh @@ -28,11 +28,11 @@ copy_setports ns5/named.conf.in ns5/named.conf # same source of "random" data and we want different keys for # internal and external instances of inline. # -$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1 -$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1 -k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2> /dev/null) -k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2> /dev/null) -$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1 -$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1 +$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline >/dev/null 2>&1 +$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline >/dev/null 2>&1 +k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2>/dev/null) +k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2>/dev/null) +$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline >/dev/null 2>&1 +$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline >/dev/null 2>&1 test -n "$k1" && rm -f ns2/external/"$k1".* test -n "$k2" && rm -f ns2/external/"$k2".* 
diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh index 06cb3b1..27c3285 100644 --- a/bin/tests/system/views/tests.sh +++ b/bin/tests/system/views/tests.sh @@ -17,22 +17,22 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@" + "$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@" } dig_with_shortopts() { - "$DIG" +tcp +short -p "${PORT}" "$@" + "$DIG" +tcp +short -p "${PORT}" "$@" } -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 echo_i "fetching a.example from ns2's initial configuration" -dig_with_opts a.example. @10.53.0.2 any > dig.out.ns2.1 || status=1 +dig_with_opts a.example. @10.53.0.2 any >dig.out.ns2.1 || status=1 echo_i "fetching a.example from ns3's initial configuration" -dig_with_opts a.example. @10.53.0.3 any > dig.out.ns3.1 || status=1 +dig_with_opts a.example. @10.53.0.3 any >dig.out.ns3.1 || status=1 echo_i "copying in new configurations for ns2 and ns3" rm -f ns2/named.conf ns3/named.conf ns2/example.db 
@@ -41,30 +41,30 @@ copy_setports ns2/named2.conf.in ns2/named.conf copy_setports ns3/named2.conf.in ns3/named.conf echo_i "reloading ns2 and ns3 with rndc" -nextpart ns2/named.run > /dev/null -nextpart ns3/named.run > /dev/null +nextpart ns2/named.run >/dev/null +nextpart ns3/named.run >/dev/null rndc_reload ns2 10.53.0.2 rndc_reload ns3 10.53.0.3 echo_i "wait for reload to complete" ret=0 _check_reload() ( - nextpartpeek ns2/named.run | grep "all zones loaded" > /dev/null && \ - nextpartpeek ns3/named.run | grep "all zones loaded" > /dev/null && \ - nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" > /dev/null + nextpartpeek ns2/named.run | grep "all zones loaded" >/dev/null \ + && nextpartpeek ns3/named.run | grep "all zones loaded" >/dev/null \ + && nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" >/dev/null ) retry_quiet 10 _check_reload || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4" -dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2 || status=1 +dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any >dig.out.ns4.2 || status=1 echo_i "fetching a.example from ns2's 10.53.0.2, source address 10.53.0.2" -dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any > dig.out.ns2.2 || status=1 +dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any >dig.out.ns2.2 || status=1 echo_i "fetching a.example from ns3's 10.53.0.3, source address defaulted" -dig_with_opts @10.53.0.3 a.example. any > dig.out.ns3.2 || status=1 +dig_with_opts @10.53.0.3 a.example. any >dig.out.ns3.2 || status=1 echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.2" digcomp dig.out.ns3.1 dig.out.ns2.2 || status=1 
@@ -77,14 +77,13 @@ digcomp dig.out.ns2.1 dig.out.ns4.2 || status=1 echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.3" echo_i "(should be different)" -if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null -then - echo_i "no differences found. something's wrong." - status=1 +if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null; then + echo_i "no differences found. something's wrong." + status=1 fi echo_i "updating cloned zone in internal view" -$NSUPDATE << EOF +$NSUPDATE < /dev/null || { ret=1; echo_i "expected response from NS3 got '$three'"; } -echo "$four" | grep NS5 > /dev/null || { ret=1; echo_i "expected response from NS5 got '$four'"; } +echo "$three" | grep NS3 >/dev/null || { + ret=1 + echo_i "expected response from NS3 got '$three'" +} +echo "$four" | grep NS5 >/dev/null || { + ret=1 + echo_i "expected response from NS5 got '$four'" +} if [ "$one" = "$two" ]; then - echo_i "'$one' matches '$two'" - ret=1 + echo_i "'$one' matches '$two'" + ret=1 fi if [ "$one" != "$three" ]; then - echo_i "'$one' does not match '$three'" - ret=1 + echo_i "'$one' does not match '$three'" + ret=1 fi if [ "$two" != "$four" ]; then - echo_i "'$two' does not match '$four'" - ret=1 + echo_i "'$two' does not match '$four'" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -130,11 +135,11 @@ status=$((status + ret)) echo_i "verifying inline zones work with views" ret=0 wait_for_signed() { - "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline > dig.out.internal - "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline > dig.out.external - grep "ANSWER: 4," dig.out.internal > /dev/null || return 1 - grep "ANSWER: 4," dig.out.external > /dev/null || return 1 - return 0 + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline >dig.out.internal + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline >dig.out.external + grep "ANSWER: 4," dig.out.internal >/dev/null || return 1 + grep "ANSWER: 4," dig.out.external >/dev/null || return 1 + return 0 } retry_quiet 10 wait_for_signed || ret=1 int=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.internal | sort) @@ -150,11 +155,11 @@ copy_setports ns2/named3.conf.in ns2/named.conf i=1 while [ $i -lt 50 ]; do - ret=0 - zone_name=$(printf "example%03d.com" $i) + ret=0 + zone_name=$(printf "example%03d.com" $i) - # Add a new zone to the configuration. - cat >> ns2/zones.conf <<-EOF + # Add a new zone to the configuration. + cat >>ns2/zones.conf <<-EOF zone "${zone_name}" { type primary; file "db.${zone_name}"; @@ -164,8 +169,8 @@ while [ $i -lt 50 ]; do }; EOF - # Create a master file for the zone. - cat > "ns2/db.${zone_name}" <<-EOF + # Create a master file for the zone. + cat >"ns2/db.${zone_name}" <<-EOF \$TTL 86400 @ IN SOA localhost. hostmaster.localhost ( 1612542642 ; serial @@ -178,10 +183,13 @@ while [ $i -lt 50 ]; do localhost IN A 127.0.0.1 EOF - $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" > /dev/null - $RNDCCMD 10.53.0.2 reconfig || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; break; fi - i=$((i + 1)) + $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" >/dev/null + $RNDCCMD 10.53.0.2 reconfig || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + break + fi + i=$((i + 1)) done status=$((status + ret)) 
diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh index d414bb1..d1d8626 100755 --- a/bin/tests/system/wildcard/ns1/sign.sh +++ b/bin/tests/system/wildcard/ns1/sign.sh @@ -27,12 +27,12 @@ zonefile=nsec.db outfile=nsec.db.signed dssets="$dssets dsset-${zone}." -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" zone=private.nsec @@ -40,15 +40,15 @@ infile=private.nsec.db.in zonefile=private.nsec.db outfile=private.nsec.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > private.nsec.conf +keyfile_to_static_ds $keyname2 >private.nsec.conf zone=nsec3 infile=nsec3.db.in 
@@ -56,12 +56,12 @@ zonefile=nsec3.db outfile=nsec3.db.signed dssets="$dssets dsset-${zone}." -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" zone=private.nsec3 
@@ -69,27 +69,27 @@ infile=private.nsec3.db.in zonefile=private.nsec3.db outfile=private.nsec3.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > private.nsec3.conf +keyfile_to_static_ds $keyname2 >private.nsec3.conf zone=. infile=root.db.in zonefile=root.db outfile=root.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key $dssets >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in index a9a2a70..9d90299 100644 --- a/bin/tests/system/wildcard/ns2/named.conf.in +++ b/bin/tests/system/wildcard/ns2/named.conf.in @@ -26,5 +26,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; 
diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in index 0b958fa..f7e20ea 100644 --- a/bin/tests/system/wildcard/ns3/named.conf.in +++ b/bin/tests/system/wildcard/ns3/named.conf.in @@ -28,5 +28,5 @@ include "../ns1/trusted.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in index 1cd358d..3668ee3 100644 --- a/bin/tests/system/wildcard/ns5/named.conf.in +++ b/bin/tests/system/wildcard/ns5/named.conf.in @@ -28,5 +28,5 @@ include "../ns1/trusted.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh index b956874..204b5ff 100644 --- a/bin/tests/system/wildcard/tests.sh +++ b/bin/tests/system/wildcard/tests.sh 
@@ -25,124 +25,124 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)" ret=0 -$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1 
-grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' 
dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n > /dev/null || 
ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)" ret=0 -$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || 
ret=1 -grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -151,95 +151,95 @@ echo_i "checking RFC 4592 responses ..." n=$((n + 1)) echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1 -grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN >dig.out.ns1.test$n || ret=1 +grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host3.example. A IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: foo.bar.example. 
QTYPE=TXT, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1 -grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN >dig.out.ns1.test$n || ret=1 +grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "sub.*.example." 
MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1 -grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n >/dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.net." 
dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: _foo._udp.bar.example. QTYPE=SRV, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "_foo._udp.bar.example" SRV IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "_foo._udp.bar.example" SRV IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
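Review bot: The test `checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN` appears twice in succession with the same query and the same two assertions, so the second copy adds no coverage; drop it, or if it was meant to be a different RFC 4592 example, restore that QNAME/QTYPE. Separately, the record patterns leave `.` unescaped, e.g. `grep '^host3.example..*IN.MX.10 host1.example.'` matches any byte in those positions; `grep '^host3\.example\..*IN.MX.10 host1\.example\.'` pins the owner and target names. Both points pre-date this reformatting commit but survive unchanged on its new side.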
@@ -247,33 +247,43 @@ n=$((n + 1)) echo_i "check wild card expansions by code point ($n)" ret=0 i=0 -while test $i -lt 256 -do - x=$(expr 00$i : '.*\(...\)$' || true) - $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n - if test $i -le 32 -o $i -ge 127 - then - grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } - # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 - elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ - $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92 - then - case $i in - 34) a='"';; - 36) a='$';; - 40) a='(';; - 41) a=')';; - 46) a='\.';; - 59) a=';';; - 64) a='@';; - 92) a='\\';; - *) a=''; echo_i "code point $x failed" ; ret=1 ;; - esac - grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } - else - grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; } - fi - i=$((i + 1)) +while test $i -lt 256; do + x=$(expr 00$i : '.*\(...\)$' || true) + $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT >dig.out.ns1.$x.test$n + if test $i -le 32 -o $i -ge 127; then + grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n >/dev/null || { + echo_i "code point $x failed" + ret=1 + } + # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 + elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ + $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92; then + case $i in + 34) a='"' ;; + 36) a='$' ;; + 40) a='(' ;; + 41) a=')' ;; + 46) a='\.' 
;; + 59) a=';' ;; + 64) a='@' ;; + 92) a='\\' ;; + *) + a='' + echo_i "code point $x failed" + ret=1 + ;; + esac + grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n >/dev/null || { + echo_i "code point $x failed" + ret=1 + } + else + grep '^\\' dig.out.ns1.$x.test$n && { + echo_i "code point $x failed" + ret=1 + } + fi + i=$((i + 1)) done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/xfer/ns1/named1.conf.in b/bin/tests/system/xfer/ns1/named1.conf.in index d7ce420..74111e0 100644 --- a/bin/tests/system/xfer/ns1/named1.conf.in +++ b/bin/tests/system/xfer/ns1/named1.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns1/named2.conf.in b/bin/tests/system/xfer/ns1/named2.conf.in index b349c33..401de47 100644 --- a/bin/tests/system/xfer/ns1/named2.conf.in +++ b/bin/tests/system/xfer/ns1/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns1/named3.conf.in b/bin/tests/system/xfer/ns1/named3.conf.in index 05af961..b195986 100644 --- a/bin/tests/system/xfer/ns1/named3.conf.in +++ b/bin/tests/system/xfer/ns1/named3.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in index b81bd1c..81649ff 100644 --- a/bin/tests/system/xfer/ns2/named.conf.in +++ b/bin/tests/system/xfer/ns2/named.conf.in 
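Review bot: The `$DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT >dig.out.ns1.$x.test$n` line inside the loop has no failure handling, unlike every other dig call visible in this file, so a query that fails for a printable code point leaves an empty output file, the `else` branch's `grep '^\\'` finds nothing, and that iteration passes silently; `$DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT >dig.out.ns1.$x.test$n || { echo_i "code point $x: dig failed"; ret=1; }` records it (if the script runs under `set -e`, which is not visible here, the bare failure would instead abort the whole loop). The `else` branch's `grep '^\\' dig.out.ns1.$x.test$n` is also the only grep in the loop without `>/dev/null`, so a failing code point prints the matched line to stdout; if that is not a deliberate diagnostic, redirecting it keeps the branches consistent. The `-o`/`-a` forms in `test $i -le 32 -o $i -ge 127` are obsolescent in POSIX and could be split into `test $i -le 32 || test $i -ge 127` while the lines are being reformatted anyway.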
@@ -46,7 +46,7 @@ acl tzkey { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in index 16d0759..dcc6472 100644 --- a/bin/tests/system/xfer/ns3/named.conf.in +++ b/bin/tests/system/xfer/ns3/named.conf.in @@ -40,7 +40,7 @@ key tsigzone. { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/xfer/ns6/named.conf.in b/bin/tests/system/xfer/ns6/named.conf.in index 87397b0..142383c 100644 --- a/bin/tests/system/xfer/ns6/named.conf.in +++ b/bin/tests/system/xfer/ns6/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -35,7 +35,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "primary" { diff --git a/bin/tests/system/xfer/ns7/named.conf.in b/bin/tests/system/xfer/ns7/named.conf.in index 47a9b05..41ea1cb 100644 --- a/bin/tests/system/xfer/ns7/named.conf.in +++ b/bin/tests/system/xfer/ns7/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -34,7 +34,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "primary2" { diff --git a/bin/tests/system/xfer/ns8/named.conf.in b/bin/tests/system/xfer/ns8/named.conf.in index 831e934..3846d4e 100644 --- a/bin/tests/system/xfer/ns8/named.conf.in +++ b/bin/tests/system/xfer/ns8/named.conf.in 
@@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/prereq.sh b/bin/tests/system/xfer/prereq.sh index c7b7828..c517aed 100644 --- a/bin/tests/system/xfer/prereq.sh +++ b/bin/tests/system/xfer/prereq.sh @@ -16,11 +16,15 @@ # macOS ships with Net::DNS 0.74 which does not work with # HMAC-SHA256, despite the workarounds in ans.pl -if perl -MNet::DNS -e 'exit $Net::DNS::VERSION >= 1.0' -then - version=$(perl -MNet::DNS -e 'print $Net::DNS::VERSION') - echo_i "perl Net::DNS $version is too old - skipping xfer test" - exit 1 +if ${PERL} -MNet::DNS -e 'exit ($Net::DNS::VERSION >= 1.0)'; then + version=$(${PERL} -MNet::DNS -e 'print $Net::DNS::VERSION') + echo_i "perl Net::DNS $version is too old - skipping xfer test" + exit 1 +fi + +if ! ${PERL} -MDigest::HMAC -e ''; then + echo_i "perl Digest::HMAC module is required" + exit 1 fi exit 0 diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh index ff64d8f..bd885d2 100644 --- a/bin/tests/system/xfer/setup.sh +++ b/bin/tests/system/xfer/setup.sh @@ -21,7 +21,7 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 6 3 >ns6/primary.db $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 7 >ns7/primary2.db cp -f ns4/root.db.in ns4/root.db -$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >> ns4/root.db +$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >>ns4/root.db copy_setports ns1/named1.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf 
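Review bot: The Net::DNS probe in the new first `if` only covers the module being too old: when Net::DNS is not installed at all, `${PERL} -MNet::DNS -e 'exit ($Net::DNS::VERSION >= 1.0)'` fails with a non-zero status, the `if` is false, and the test is not skipped but proceeds and fails later with a less helpful error. Unless module presence is asserted elsewhere (not visible here), mirror the newly added Digest::HMAC check ahead of the version probe: `if ! ${PERL} -MNet::DNS -e ''; then echo_i "perl Net::DNS module is required"; exit 1; fi`. The version check itself reads inverted at first glance because perl's `exit (cond)` yields 0 when the version is too old; a one-line comment such as `# exit 0 (= "skip") when Net::DNS is older than 1.0` would save the next reader the double-take.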
@@ -39,7 +39,7 @@ touch -t 200101010000 ns2/sec.db cp ns2/mapped.db.in ns2/mapped.db -$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' > ns8/small.db -$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' > ns8/large.db +$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' >ns8/small.db +$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' >ns8/large.db cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh index f012d8b..a2c0adb 100755 --- a/bin/tests/system/xfer/tests.sh +++ b/bin/tests/system/xfer/tests.sh 
@@ -16,68 +16,68 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" NS_PARAMS="-X named.lock -m record -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing basic zone transfer functionality (from primary) ($n)" tmp=0 -$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i digcomp dig1.good dig.out.ns2.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing basic zone transfer functionality (from secondary) ($n)" tmp=0 # # Spin to allow the zone to transfer. # -wait_for_xfer () { - ZONE=$1 - SERVER=$2 - $DIG $DIGOPTS $ZONE @$SERVER axfr > dig.out.test$n || return 1 - grep "^;" dig.out.test$n > /dev/null && return 1 - return 0 +wait_for_xfer() { + ZONE=$1 + SERVER=$2 + $DIG $DIGOPTS $ZONE @$SERVER axfr >dig.out.test$n || return 1 + grep "^;" dig.out.test$n >/dev/null && return 1 + return 0 } retry_quiet 25 wait_for_xfer example. 10.53.0.3 || tmp=1 grep "^;" dig.out.test$n | cat_i digcomp dig1.good dig.out.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone transfer functionality (fallback to DNS after DoT failed) ($n)" tmp=0 retry_quiet 25 wait_for_xfer dot-fallback. 
10.53.0.2 || tmp=1 grep "^;" dig.out.test$n | cat_i digcomp dig3.good dig.out.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing TSIG signed zone transfers ($n)" tmp=0 -$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 >dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i # # Spin to allow the zone to transfer. # -wait_for_xfer_tsig () { - $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1 - grep "^;" dig.out.ns3.test$n > /dev/null && return 1 - return 0 +wait_for_xfer_tsig() { + $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 >dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n >/dev/null && return 1 + return 0 } retry_quiet 25 wait_for_xfer_tsig || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) echo_i "reload servers for in preparation for ixfr-from-differences tests" 
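Review bot: The `fallback to DNS after DoT failed` test only asserts the end state, that `dot-fallback.` is eventually transferable from 10.53.0.2, and nothing in the hunk confirms a DoT attempt was made and failed before the plain-DNS retry, so a setup that never used TLS at all would pass too. Pairing `retry_quiet 25 wait_for_xfer dot-fallback. 10.53.0.2 || tmp=1` with a `grep` on the receiving server's `named.run` for the TLS failure and subsequent plain-transport retry (the exact log text is not visible here) would pin the fallback path rather than the outcome. As a point of style, `wait_for_xfer` assigns `ZONE` and `SERVER` as globals that outlive the call; scoping them (a subshell body, as other helpers in this file use, or lower-case names) avoids clobbering anything of the same name later in the script.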
@@ -121,53 +121,53 @@ rndc_reload ns7 10.53.0.7 sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone is dumped after successful transfer ($n)" tmp=0 $DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \ - secondary. soa > dig.out.ns2.test$n || tmp=1 -grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1 -grep "1397051952 ; serial" ns2/sec.db > /dev/null 2>&1 || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) + secondary. soa >dig.out.ns2.test$n || tmp=1 +grep "1397051952 ; serial" dig.out.ns2.test$n >/dev/null 2>&1 || tmp=1 +grep "1397051952 ; serial" ns2/sec.db >/dev/null 2>&1 || tmp=1 +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences yes; ($n)" tmp=0 echo_i "wait for reloads..." wait_for_reloads() ( - $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary > dig.out.soa1.ns6.test$n - grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1 - $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary > dig.out.soa2.ns1.test$n - grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1 - $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n - grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1 - return 0 + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary >dig.out.soa1.ns6.test$n + grep "1397051953" dig.out.soa1.ns6.test$n >/dev/null || return 1 + $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary >dig.out.soa2.ns1.test$n + grep "1397051953" dig.out.soa2.ns1.test$n >/dev/null || return 1 + $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example >dig.out.soa3.ns2.test$n + grep "1397051953" dig.out.soa3.ns2.test$n >/dev/null || return 1 + return 0 ) retry_quiet 20 wait_for_reloads || tmp=1 echo_i "wait for transfers..." 
wait_for_transfers() ( - a=0 b=0 c=0 d=0 - $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n - grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1 - $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary > dig.out.soa2.ns3.test$n - grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1 - $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary > dig.out.soa3.ns6.test$n - grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1 - [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 - - # re-notify if necessary - $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i - $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i - $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i - return 1 + a=0 b=0 c=0 d=0 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example >dig.out.soa1.ns3.test$n + grep "1397051953" dig.out.soa1.ns3.test$n >/dev/null && a=1 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary >dig.out.soa2.ns3.test$n + grep "1397051953" dig.out.soa2.ns3.test$n >/dev/null && b=1 + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary >dig.out.soa3.ns6.test$n + grep "1397051953" dig.out.soa3.ns6.test$n >/dev/null && c=1 + [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 + + # re-notify if necessary + $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i + $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i + $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i + return 1 ) retry_quiet 20 wait_for_transfers || tmp=1 $DIG $DIGOPTS example. \ - @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 + @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i digcomp dig2.good dig.out.ns3.test$n || tmp=1 
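Review bot: In `wait_for_transfers`, `d=0` is assigned but never read, and the combined check `[ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ]` relies on the obsolescent `-a` operator; `[ "$a" -eq 1 ] && [ "$b" -eq 1 ] && [ "$c" -eq 1 ] && return 0` with `d` dropped says the same thing portably. Since this commit is a reformatting pass that already touches these lines, it is a cheap place to make the change; behaviour is unaffected.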
@@ -176,20 +176,20 @@ digcomp dig2.good dig.out.ns3.test$n || tmp=1 test -f ns3/example.bk || tmp=1 test -f ns3/example.bk.jnl || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences primary; (primary zone) ($n)" tmp=0 $DIG $DIGOPTS primary. \ - @10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1 + @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1 grep "^;" dig.out.ns6.test$n | cat_i $DIG $DIGOPTS primary. \ - @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 -grep "^;" dig.out.ns3.test$n > /dev/null && cat_i < dig.out.ns3.test$n + @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1 +grep "^;" dig.out.ns3.test$n >/dev/null && cat_i dig.out.ns6.test$n || tmp=1 + @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1 grep "^;" dig.out.ns6.test$n | cat_i $DIG $DIGOPTS secondary. \ - @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 + @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1 @@ -218,10 +218,10 @@ digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1 test -f ns6/sec.bk || tmp=1 test -f ns6/sec.bk.jnl && tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" tmp=0 
@@ -229,19 +229,19 @@ tmp=0 test -f ns7/primary2.db || tmp=1 test -f ns7/primary2.db.jnl && tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" tmp=0 $DIG $DIGOPTS secondary. \ - @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 + @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1 grep "^;" dig.out.ns1.test$n | cat_i $DIG $DIGOPTS secondary. \ - @10.53.0.7 axfr > dig.out.ns7.test$n || tmp=1 + @10.53.0.7 axfr >dig.out.ns7.test$n || tmp=1 grep "^;" dig.out.ns7.test$n | cat_i digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1 
@@ -250,30 +250,29 @@ digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1 test -f ns7/sec.bk || tmp=1 test -f ns7/sec.bk.jnl || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that a multi-message uncompressable zone transfers ($n)" -$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA > axfr.out -if test $(wc -l < axfr.out) != 2 -then - echo_i "failed" - status=$((status+1)) +$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out +if test $(wc -l /dev/null rndc_reload ns4 10.53.0.4 wait_for_soa() ( - $DIGCMD nil. SOA > dig.out.ns4.test$n - grep SOA dig.out.ns4.test$n > /dev/null + $DIGCMD nil. SOA >dig.out.ns4.test$n + grep SOA dig.out.ns4.test$n >/dev/null ) retry_quiet 10 wait_for_soa -nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: success" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "unsigned transfer ($n)" -sendcmd < ans5/unsigned +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. 
TXT | grep 'unsigned AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad keydata ($n)" -sendcmd < ans5/badkeydata +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: tsig verify failure" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'bad keydata AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "partially-signed transfer ($n)" -sendcmd < ans5/partial +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "unknown key ($n)" -sendcmd < ans5/unknownkey +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "incorrect key ($n)" -sendcmd < ans5/wrongkey +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. 
TXT | grep 'incorrect key AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad question section ($n)" -sendcmd < ans5/wrongname +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "question name mismatch" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'wrong question AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad message id ($n)" -sendcmd < ans5/badmessageid +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "unexpected message id" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'bad message id' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "mismatched SOA ($n)" -sendcmd < ans5/soamismatch +sendcmd /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: FORMERR" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'SOA mismatch AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "check that we ask for and get a EDNS EXPIRE response ($n)" # force a refresh query $RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i 
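Review bot: The `unknown key` and `incorrect key` cases wait for the identical log line `tsig key 'tsig_key': key name and algorithm do not match`, so the test cannot tell the two rejections apart. If `ans5/wrongkey` signs with the right key name but a wrong secret (its contents are not visible here), the expected outcome would rather be the `Transfer status: tsig verify failure` status the `bad keydata` case already checks; worth confirming against the responder scripts and, if they differ, giving the two cases distinct expectations so a regression in secret verification is not masked by the name/algorithm check. The lines between each `sendcmd` and the following `nextpart` check are not legible in this rendering, so whether each case waits for the transfer attempt to be logged before grepping cannot be confirmed from here.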
@@ -472,57 +471,57 @@ sleep 10 # there may be multiple log entries so get the last one. expire=$(awk '/edns-expire\/IN: got EDNS EXPIRE of/ { x=$9 } END { print x }' ns7/named.run) test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || { - echo_i "failed (expire=${expire:-0})" - status=$((status+1)) + echo_i "failed (expire=${expire:-0})" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "test smaller transfer TCP message size ($n)" $DIG $DIGOPTS example. @10.53.0.8 axfr \ - -y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1 + -y key1.:1234abcd8765 >dig.out.msgsize.test$n || status=1 -bytes=$(wc -c < dig.out.msgsize.test$n) +bytes=$(wc -c dig.out.1.test$n -grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1 +$DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.1.test$n +grep "status: NOERROR," dig.out.1.test$n >/dev/null || tmp=1 stop_server ns3 start_server --noclean --restart --port ${PORT} ns3 -check_mapped () { - $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n - grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1 - $DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n - digcomp knowngood.mapped dig.out.3.test$n || return 1 - return 0 +check_mapped() { + $DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.2.test$n + grep "status: NOERROR," dig.out.2.test$n >/dev/null || return 1 + $DIG -p ${PORT} axfr mapped @10.53.0.3 >dig.out.3.test$n + digcomp knowngood.mapped dig.out.3.test$n || return 1 + return 0 } retry_quiet 10 check_mapped || tmp=1 [ "$tmp" -ne 0 ] && echo_i "failed" -status=$((status+tmp)) +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that a zone with too many records is rejected (AXFR) ($n)" tmp=0 grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that a zone with too many records is 
rejected (IXFR) ($n)" tmp=0 -nextpart ns6/named.run > /dev/null -$NSUPDATE << EOF +nextpart ns6/named.run >/dev/null +$NSUPDATE < dig.out.ns3.test$n - grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || return 0 - return 1 + $DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR >dig.out.ns3.test$n + grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || return 0 + return 1 ) if retry_quiet 10 wait_for_xfer; then - get_dig_xfer_stats dig.out.ns3.test$n > stats.dig - diff axfr-stats.good stats.dig || tmp=1 + get_dig_xfer_stats dig.out.ns3.test$n >stats.dig + diff axfr-stats.good stats.dig || tmp=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) # Note: in the next two tests, we use ns3 logs for checking both incoming and # outgoing transfer statistics as ns3 is both a secondary server (for ns1) and a # primary server (for dig queries from the previous test) for "xfer-stats". 
-n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates incoming AXFR statistics correctly ($n)" tmp=0 -get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" > stats.incoming +get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" >stats.incoming diff axfr-stats.good stats.incoming || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)" tmp=0 check_xfer_stats() { - get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" > stats.outgoing - diff axfr-stats.good stats.outgoing > /dev/null + get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" >stats.outgoing + diff axfr-stats.good stats.outgoing >/dev/null } retry_quiet 10 check_xfer_stats || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that transfer-source uses port option correctly ($n)" tmp=0 -grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run > /dev/null || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run >/dev/null || tmp=1 +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) wait_for_message() ( - nextpartpeek ns6/named.run > wait_for_message.$n - grep -F "$1" wait_for_message.$n >/dev/null + nextpartpeek ns6/named.run >wait_for_message.$n + grep -F "$1" wait_for_message.$n >/dev/null ) -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "test max-transfer-time-in with 1 second timeout ($n)" stop_server ns1 copy_setports ns1/named2.conf.in ns1/named.conf 
@@ -599,11 +598,11 @@ sleep 1 $RNDCCMD 10.53.0.6 retransfer axfr-max-transfer-time 2>&1 | sed 's/^/ns6 /' | cat_i tmp=0 retry_quiet 10 wait_for_message "maximum transfer time exceeded: timed out" || tmp=1 -status=$((status+tmp)) +status=$((status + tmp)) -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "test max-transfer-idle-in with 50 seconds timeout ($n)" stop_server ns1 copy_setports ns1/named3.conf.in ns1/named.conf @@ -614,14 +613,14 @@ $RNDCCMD 10.53.0.6 retransfer axfr-max-idle-time 2>&1 | sed 's/^/ns6 /' | cat_i tmp=0 retry_quiet 60 wait_for_message "maximum idle time exceeded: timed out" || tmp=1 if [ $tmp -eq 0 ]; then - now=$(date +%s) - diff=$((now - start)) - # we expect a timeout in 50 seconds - test $diff -lt 50 && tmp=1 - test $diff -ge 59 && tmp=1 - if test $tmp != 0 ; then echo_i "unexpected diff value: ${diff}"; fi + now=$(date +%s) + diff=$((now - start)) + # we expect a timeout in 50 seconds + test $diff -lt 50 && tmp=1 + test $diff -ge 59 && tmp=1 + if test $tmp != 0; then echo_i "unexpected diff value: ${diff}"; fi fi -status=$((status+tmp)) +status=$((status + tmp)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/xferquota/ns2/named.conf.in b/bin/tests/system/xferquota/ns2/named.conf.in index f21938e..a82fa44 100644 --- a/bin/tests/system/xferquota/ns2/named.conf.in +++ b/bin/tests/system/xferquota/ns2/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "changing." { diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh index 46dfba0..4f4eed1 100755 --- a/bin/tests/system/xferquota/tests.sh +++ b/bin/tests/system/xferquota/tests.sh 
@@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # # Perform tests @@ -25,35 +25,35 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" count=0 ticks=0 while [ $count != 300 ]; do - if [ $ticks = 1 ]; then - echo_i "Changing test zone..." - cp -f ns1/changing2.db ns1/changing.db - kill -HUP $(cat ns1/named.pid) - fi - sleep 1 - ticks=$((ticks + 1)) - seconds=$((ticks * 1)) - if [ $ticks = 360 ]; then - echo_i "Took too long to load zones" - exit 1 - fi - count=$(cat ns2/zone*.bk | grep xyzzy | wc -l) - echo_i "Have $count zones up in $seconds seconds" + if [ $ticks = 1 ]; then + echo_i "Changing test zone..." + cp -f ns1/changing2.db ns1/changing.db + kill -HUP $(cat ns1/named.pid) + fi + sleep 1 + ticks=$((ticks + 1)) + seconds=$((ticks * 1)) + if [ $ticks = 360 ]; then + echo_i "Took too long to load zones" + exit 1 + fi + count=$(cat ns2/zone*.bk | grep xyzzy | wc -l) + echo_i "Have $count zones up in $seconds seconds" done status=0 -$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr > dig.out.ns1 || status=1 +$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr >dig.out.ns1 || status=1 -$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr > dig.out.ns2 || status=1 +$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr >dig.out.ns2 || status=1 digcomp dig.out.ns1 dig.out.ns2 || status=1 sleep 15 -$DIG $DIGOPTS a.changing. @10.53.0.1 a > dig.out.ns1 || status=1 +$DIG $DIGOPTS a.changing. @10.53.0.1 a >dig.out.ns1 || status=1 -$DIG $DIGOPTS a.changing. @10.53.0.2 a > dig.out.ns2 || status=1 +$DIG $DIGOPTS a.changing. @10.53.0.2 a >dig.out.ns2 || status=1 digcomp dig.out.ns1 dig.out.ns2 || status=1 diff --git a/bin/tests/system/zero/prereq.sh b/bin/tests/system/zero/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/zero/prereq.sh 
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if ! ${PERL} -MNet::DNS -e ''; then
+ echo_i "perl Net::DNS module is required"
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/zero/setup.sh b/bin/tests/system/zero/setup.sh
index bf58ee5..794f6a9 100644
--- a/bin/tests/system/zero/setup.sh
+++ b/bin/tests/system/zero/setup.sh
@@ -18,4 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' > ns2/example.db
+$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' >ns2/example.db
diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
index f5e2038..006552f 100644
--- a/bin/tests/system/zero/tests.sh
+++ b/bin/tests/system/zero/tests.sh
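Review bot: In the new zero/prereq.sh the `${PERL}` expansion is unquoted and never checked for being set, so if ../conf.sh leaves PERL empty the probe runs `-MNet::DNS -e ''` as the command name, fails with a command-not-found error, and the script then prints the misleading "perl Net::DNS module is required" before exiting 1. A single-line guard keeps the exit status the same while separating "no perl configured" from "module missing": `if [ -z "${PERL:-}" ] || ! "${PERL}" -MNet::DNS -e ''; then`. The probe's stderr is also left unredirected, which is presumably intentional so the real perl error is visible in the test log; if so, a short comment saying that would stop the next reader from adding `2>/dev/null`.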
@@ -17,107 +17,135 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } wait_for_pid() ( - for pid in "$@"; do - kill -0 "$pid" 2>/dev/null && return 1 - done - return 0 + for pid in "$@"; do + kill -0 "$pid" 2>/dev/null && return 1 + done + return 0 ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "check lookups against TTL=0 records ($n)" i=0 ret=0 passes=10 -dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" | \ -awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' > query.list +dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" \ + | awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' >query.list # add 1/5 second per query -timeout=$(($(wc -l < query.list) / 5)) -while [ $i -lt $passes ] -do - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.1.test$n" 2>&1) & pid1="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.2.test$n" 2>&1) & pid2="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.3.test$n" 2>&1) & pid3="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.4.test$n" 2>&1) & pid4="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.5.test$n" 2>&1) & pid5="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.6.test$n" 2>&1) & pid6="$!" 
- - retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || { echo_i "wait_for_pid failed"; ret=1; } - kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null || true - - wait "$pid1" || { echo_i "wait $pid1 (dig.out$i.1.test$n) failed with $?"; ret=1; } - wait "$pid2" || { echo_i "wait $pid2 (dig.out$i.2.test$n) failed with $?"; ret=1; } - wait "$pid3" || { echo_i "wait $pid3 (dig.out$i.3.test$n) failed with $?"; ret=1; } - wait "$pid4" || { echo_i "wait $pid4 (dig.out$i.4.test$n) failed with $?"; ret=1; } - wait "$pid5" || { echo_i "wait $pid5 (dig.out$i.5.test$n) failed with $?"; ret=1; } - wait "$pid6" || { echo_i "wait $pid6 (dig.out$i.6.test$n) failed with $?"; ret=1; } - - grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 - [ $ret = 1 ] && break - i=$((i+1)) - echo_i "successfully completed pass $i of $passes" +timeout=$(($(wc -l "dig.out$i.1.test$n" 2>&1) & + pid1="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.2.test$n" 2>&1) & + pid2="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.3.test$n" 2>&1) & + pid3="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.4.test$n" 2>&1) & + pid4="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.5.test$n" 2>&1) & + pid5="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.6.test$n" 2>&1) & + pid6="$!" 
+ + retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || { + echo_i "wait_for_pid failed" + ret=1 + } + kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null || true + + wait "$pid1" || { + echo_i "wait $pid1 (dig.out$i.1.test$n) failed with $?" + ret=1 + } + wait "$pid2" || { + echo_i "wait $pid2 (dig.out$i.2.test$n) failed with $?" + ret=1 + } + wait "$pid3" || { + echo_i "wait $pid3 (dig.out$i.3.test$n) failed with $?" + ret=1 + } + wait "$pid4" || { + echo_i "wait $pid4 (dig.out$i.4.test$n) failed with $?" + ret=1 + } + wait "$pid5" || { + echo_i "wait $pid5 (dig.out$i.5.test$n) failed with $?" + ret=1 + } + wait "$pid6" || { + echo_i "wait $pid6 (dig.out$i.6.test$n) failed with $?" + ret=1 + } + + grep "status: SERVFAIL" "dig.out$i.1.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.5.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" >/dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i + 1)) + echo_i "successfully completed pass $i of $passes" done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) repeat_query() ( - i=0 - while [ "$i" -lt "$1" ]; do - dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1 - i=$((i+1)) - done + i=0 + while [ "$i" -lt "$1" ]; do + dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1 + i=$((i + 1)) + done ) count_unique() ( - repeat_query "$@" | sort -u | wc -l + repeat_query "$@" | sort -u | wc -l ) -n=$((n+1)) +n=$((n + 1)) echo_i "check repeated recursive lookups of non recurring TTL=0 responses get new values ($n)" ret=0 repeats=9 count=$(count_unique "$repeats" 10.53.0.3 foo.increment) -if [ "$count" -ne "$repeats" ] ; then echo_i "failed (count=$count, 
repeats=$repeats)"; ret=1; fi -status=$((status+ret)) +if [ "$count" -ne "$repeats" ]; then + echo_i "failed (count=$count, repeats=$repeats)" + ret=1 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check lookups against TTL=1 records ($n)" i=0 passes=10 ret=0 -while [ $i -lt $passes ] -do - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.1.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.2.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.3.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.4.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.5.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.6.test$n" || ret=1 - grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 - [ $ret = 1 ] && break - i=$((i+1)) - echo_i "successfully completed pass $i of $passes" - sleep 1 +while [ $i -lt $passes ]; do + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.1.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.2.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.3.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.4.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.5.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.6.test$n" || ret=1 + grep "status: SERVFAIL" "dig.out$i.1.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" 
"dig.out$i.5.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" >/dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i + 1)) + echo_i "successfully completed pass $i of $passes" + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh index 76e8a19..ffefaf3 100644 --- a/bin/tests/system/zonechecks/setup.sh +++ b/bin/tests/system/zonechecks/setup.sh @@ -18,16 +18,16 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 > ns1/primary.db -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 > ns1/duplicate.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 >ns1/primary.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 >ns1/duplicate.db cp bigserial.db ns1/ cd ns1 touch primary.db.signed -echo '$INCLUDE "primary.db.signed"' >> primary.db -$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example > /dev/null 2>&1 -$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example > /dev/null 2>&1 -$SIGNER -SD -o primary.example primary.db > /dev/null \ - 2> signer.err || cat signer.err -echo '$INCLUDE "soa.db"' > reload.db -echo '@ 0 NS .' >> reload.db -echo '@ 0 SOA . . 1 0 0 0 0' > soa.db +echo '$INCLUDE "primary.db.signed"' >>primary.db +$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example >/dev/null 2>&1 +$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example >/dev/null 2>&1 +$SIGNER -SD -o primary.example primary.db >/dev/null \ + 2>signer.err || cat signer.err +echo '$INCLUDE "soa.db"' >reload.db +echo '@ 0 NS .' >>reload.db +echo '@ 0 SOA . . 1 0 0 0 0' >soa.db diff --git a/bin/tests/system/zonechecks/tests.sh b/bin/tests/system/zonechecks/tests.sh index 958bfed..5d6b8a2 100644 --- a/bin/tests/system/zonechecks/tests.sh 
+++ b/bin/tests/system/zonechecks/tests.sh 
@@ -16,164 +16,163 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 # echo_i "checking that we detect a NS which refers to a CNAME" -if $CHECKZONE . cname.db > cname.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . cname.db >cname.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "is a CNAME" cname.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "is a CNAME" cname.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which is below a DNAME" -if $CHECKZONE . dname.db > dname.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . dname.db >dname.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "is below a DNAME" dname.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "is below a DNAME" dname.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which has no address records (A/AAAA)" -if $CHECKZONE . noaddress.db > noaddress.out -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . noaddress.db >noaddress.out; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "has no address records" noaddress.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "has no address records" noaddress.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which has no records" -if $CHECKZONE . nxdomain.db > nxdomain.out -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . 
nxdomain.db >nxdomain.out; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "has no address records" noaddress.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "has no address records" noaddress.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a A record (fail)" -if $CHECKZONE -n fail . a.db > a.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE -n fail . a.db >a.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "appears to be an address" a.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "appears to be an address" a.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a A record (warn=default)" -if $CHECKZONE . a.db > a.out 2>&1 -then - if grep "appears to be an address" a.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi +if $CHECKZONE . a.db >a.out 2>&1; then + if grep "appears to be an address" a.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a A record (ignore)" -if $CHECKZONE -n ignore . a.db > a.out 2>&1 -then - if grep "appears to be an address" a.out > /dev/null - then - echo_i "failed (message)"; status=$((status + 1)) - else - : - fi +if $CHECKZONE -n ignore . 
a.db >a.out 2>&1; then + if grep "appears to be an address" a.out >/dev/null; then + echo_i "failed (message)" + status=$((status + 1)) + else + : + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a AAAA record (fail)" -if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE -n fail . aaaa.db >aaaa.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "appears to be an address" aaaa.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "appears to be an address" aaaa.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a AAAA record (warn=default)" -if $CHECKZONE . aaaa.db > aaaa.out 2>&1 -then - if grep "appears to be an address" aaaa.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi +if $CHECKZONE . aaaa.db >aaaa.out 2>&1; then + if grep "appears to be an address" aaaa.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a AAAA record (ignore)" -if $CHECKZONE -n ignore . aaaa.db > aaaa.out 2>&1 -then - if grep "appears to be an address" aaaa.out > /dev/null - then - echo_i "failed (message)"; status=$((status + 1)) - else - : - fi +if $CHECKZONE -n ignore . 
aaaa.db >aaaa.out 2>&1; then + if grep "appears to be an address" aaaa.out >/dev/null; then + echo_i "failed (message)" + status=$((status + 1)) + else + : + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking 'rdnc zonestatus' output" ret=0 -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.1 zonestatus primary.example > rndc.out.pri 2>&1 - grep "zone not loaded" rndc.out.pri > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.1 zonestatus primary.example >rndc.out.pri 2>&1 + grep "zone not loaded" rndc.out.pri >/dev/null || break + sleep 1 done checkfor() { - grep "$1" $2 > /dev/null || { - ret=1; - echo_i "missing string '$1' from '$2'" - } + grep "$1" $2 >/dev/null || { + ret=1 + echo_i "missing string '$1' from '$2'" + } } checkfor "name: primary.example" rndc.out.pri checkfor "type: primary" rndc.out.pri @@ -189,11 +188,10 @@ checkfor "next resign node: " rndc.out.pri checkfor "next resign time: " rndc.out.pri checkfor "dynamic: yes" rndc.out.pri checkfor "frozen: no" rndc.out.pri -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.2 zonestatus primary.example > rndc.out.sec 2>&1 - grep "zone not loaded" rndc.out.sec > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.2 zonestatus primary.example >rndc.out.sec 2>&1 + grep "zone not loaded" rndc.out.sec >/dev/null || break + sleep 1 done checkfor "name: primary.example" rndc.out.sec checkfor "type: secondary" rndc.out.sec 
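Review bot: In the "checking that we detect a NS which has no records" case the message check still greps `noaddress.out`, the previous case's output, rather than the `nxdomain.out` file that `$CHECKZONE . nxdomain.db >nxdomain.out` has just written, so the message branch only ever reflects the earlier test and this case cannot fail on its message. It should read `if grep "has no address records" nxdomain.out >/dev/null; then`, after confirming that the message named-checkzone emits for nxdomain.db is indeed that text. The noaddress.db and nxdomain.db invocations also omit the `2>&1` that the cname and dname cases use, so if the diagnostic goes to stderr the grep never sees it in either file; adding `2>&1` to both keeps them consistent with the rest of the file. The indentation and redirection changes themselves look fine.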
@@ -203,34 +201,31 @@ checkfor "nodes: " rndc.out.sec checkfor "next refresh: " rndc.out.sec checkfor "expires: " rndc.out.sec checkfor "secure: yes" rndc.out.sec -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.prereload 2>&1 - grep "zone not loaded" rndc.out.prereload > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.prereload 2>&1 + grep "zone not loaded" rndc.out.prereload >/dev/null || break + sleep 1 done checkfor "files: reload.db, soa.db$" rndc.out.prereload -echo "@ 0 SOA . . 2 0 0 0 0" > ns1/soa.db +echo "@ 0 SOA . . 2 0 0 0 0" >ns1/soa.db $RNDCCMD 10.53.0.1 reload reload.example | sed 's/^/ns1 /' | cat_i -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out - grep " 2 0 0 0 0" dig.out >/dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 >dig.out + grep " 2 0 0 0 0" dig.out >/dev/null && break + sleep 1 done -$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.postreload 2>&1 +$RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.postreload 2>&1 checkfor "files: reload.db, soa.db$" rndc.out.postreload sleep 1 -echo "@ 0 SOA . . 3 0 0 0 0" > ns1/reload.db -echo "@ 0 NS ." >> ns1/reload.db +echo "@ 0 SOA . . 3 0 0 0 0" >ns1/reload.db +echo "@ 0 NS ." >>ns1/reload.db rndc_reload ns1 10.53.0.1 reload.example -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out - grep " 3 0 0 0 0" dig.out >/dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 >dig.out + grep " 3 0 0 0 0" dig.out >/dev/null && break + sleep 1 done -$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.removeinclude 2>&1 +$RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.removeinclude 2>&1 checkfor "files: reload.db$" rndc.out.removeinclude if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -238,18 +233,18 @@ status=$((status + ret)) echo_i "checking 'rdnc zonestatus' with duplicated zone name" ret=0 -$RNDCCMD 10.53.0.1 zonestatus duplicate.example > rndc.out.duplicate 2>&1 && ret=1 +$RNDCCMD 10.53.0.1 zonestatus duplicate.example >rndc.out.duplicate 2>&1 && ret=1 checkfor "zone 'duplicate.example' was found in multiple views" rndc.out.duplicate -$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary > rndc.out.duplicate 2>&1 || ret=1 +$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary >rndc.out.duplicate 2>&1 || ret=1 checkfor "name: duplicate.example" rndc.out.duplicate -$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example > rndc.out.duplicate 2>&1 && ret=1 +$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example >rndc.out.duplicate 2>&1 && ret=1 checkfor "no matching zone 'nosuchzone.example' in any view" rndc.out.duplicate if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking 'rdnc zonestatus' with big serial value" ret=0 -$RNDCCMD 10.53.0.1 zonestatus bigserial.example > rndc.out.bigserial 2>&1 +$RNDCCMD 10.53.0.1 zonestatus bigserial.example >rndc.out.bigserial 2>&1 checkfor "serial: 3003113544" rndc.out.bigserial if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c index 5b079ce..b21f5f0 100644 --- a/bin/tests/wire_test.c +++ b/bin/tests/wire_test.c @@ -287,7 +287,7 @@ process_message(isc_buffer_t *source) { } if (dorender) { - unsigned char b2[64 * 1024]; + unsigned char b2[65535]; isc_buffer_t buffer; dns_compress_t cctx; diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in index aa0a14b..fb3ae04 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in 
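Review bot: The new `unsigned char b2[65535];` in process_message in bin/tests/wire_test.c replaces an arithmetic expression with a bare magic number, and nothing in the hunk explains why the buffer shrank by one byte; a reader has to guess that 65535 is the largest value a 16-bit DNS message-length field can express. Add a comment on the declaration, `unsigned char b2[65535]; /* largest message a 16-bit length field can describe */`, or use a named constant if the project already has one for this limit. The rest of process_message, including where b2 is handed to the buffer, is outside the hunk, so I cannot confirm from here that the render size is bounded by the array size rather than by the old 64 KiB figure.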
@@ -112,11 +112,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tools/dnstap-read.c b/bin/tools/dnstap-read.c index f6abeeb..06dd561 100644 --- a/bin/tools/dnstap-read.c +++ b/bin/tools/dnstap-read.c @@ -327,7 +327,6 @@ int main(int argc, char *argv[]) { isc_result_t result; dns_message_t *message = NULL; - isc_buffer_t *b = NULL; dns_dtdata_t *dt = NULL; dns_dthandle_t *handle = NULL; int rv = 0, ch; @@ -380,17 +379,8 @@ main(int argc, char *argv[]) { input.base = data; input.length = datalen; - if (b != NULL) { - isc_buffer_free(&b); - } - isc_buffer_allocate(mctx, &b, 2048); - if (b == NULL) { - fatal("out of memory"); - } - result = dns_dt_parse(mctx, &input, &dt); if (result != ISC_R_SUCCESS) { - isc_buffer_free(&b); continue; } @@ -419,9 +409,6 @@ cleanup: if (message != NULL) { dns_message_detach(&message); } - if (b != NULL) { - isc_buffer_free(&b); - } isc_mem_destroy(&mctx); exit(rv); diff --git a/configure b/configure index 5933ce1..b84d8ef 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for BIND 9.18.19. +# Generated by GNU Autoconf 2.71 for BIND 9.18.24. # # Report bugs to . # 
@@ -622,8 +622,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='BIND' PACKAGE_TARNAME='bind' -PACKAGE_VERSION='9.18.19' -PACKAGE_STRING='BIND 9.18.19' +PACKAGE_VERSION='9.18.24' +PACKAGE_STRING='BIND 9.18.24' PACKAGE_BUGREPORT='https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug' PACKAGE_URL='https://www.isc.org/downloads/' @@ -739,8 +739,6 @@ MAXMINDDB_PREFIX MAXMINDDB_LIBS MAXMINDDB_CFLAGS XSLTPROC -HAVE_PYMOD_DNS_FALSE -HAVE_PYMOD_DNS_TRUE HAVE_PYTEST_FALSE HAVE_PYTEST_TRUE PYTEST @@ -755,16 +753,6 @@ PYTHON_PREFIX PYTHON_PLATFORM PYTHON_VERSION PYTHON -HAVE_PERLMOD_TIME_HIRES_FALSE -HAVE_PERLMOD_TIME_HIRES_TRUE -HAVE_PERLMOD_NET_DNS_NAMESERVER_FALSE -HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE -HAVE_PERLMOD_NET_DNS_FALSE -HAVE_PERLMOD_NET_DNS_TRUE -HAVE_PERLMOD_FILE_FETCH_FALSE -HAVE_PERLMOD_FILE_FETCH_TRUE -HAVE_PERLMOD_DIGEST_HMAC_FALSE -HAVE_PERLMOD_DIGEST_HMAC_TRUE HAVE_PERL_FALSE HAVE_PERL_TRUE PERL @@ -1558,7 +1546,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures BIND 9.18.19 to adapt to many kinds of systems. +\`configure' configures BIND 9.18.24 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1630,7 +1618,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of BIND 9.18.19:";; + short | recursive ) echo "Configuration of BIND 9.18.24:";; esac cat <<\_ACEOF @@ -1856,7 +1844,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -BIND configure 9.18.19 +BIND configure 9.18.24 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -2264,7 +2252,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by BIND $as_me 9.18.19, which was +It was created by BIND $as_me 9.18.24, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3030,7 +3018,7 @@ printf "%s\n" "#define PACKAGE_VERSION_MAJOR \"9\"" >>confdefs.h printf "%s\n" "#define PACKAGE_VERSION_MINOR \"18\"" >>confdefs.h -printf "%s\n" "#define PACKAGE_VERSION_PATCH \"19\"" >>confdefs.h +printf "%s\n" "#define PACKAGE_VERSION_PATCH \"24\"" >>confdefs.h printf "%s\n" "#define PACKAGE_VERSION_EXTRA \"\"" >>confdefs.h @@ -3039,7 +3027,7 @@ printf "%s\n" "#define PACKAGE_VERSION_EXTRA \"\"" >>confdefs.h printf "%s\n" "#define PACKAGE_DESCRIPTION \" (Extended Support Version)\"" >>confdefs.h -printf "%s\n" "#define PACKAGE_SRCID \"c78cd36\"" >>confdefs.h +printf "%s\n" "#define PACKAGE_SRCID \"6d7674f\"" >>confdefs.h bind_CONFIGARGS="${ac_configure_args:-default}" @@ -3685,7 +3673,7 @@ fi # Define the identity of the package. PACKAGE='bind' - VERSION='9.18.19' + VERSION='9.18.24' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -17207,146 +17195,6 @@ else fi - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl module: Digest::HMAC" >&5 -printf %s "checking for perl module: Digest::HMAC... " >&6; } - $PERL "-MDigest::HMAC" -e exit >/dev/null 2>&1 - if test $? -eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PERLMOD_DIGEST__HMAC=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PERLMOD_DIGEST__HMAC=no - - -fi - - if test "$HAVE_PERLMOD_DIGEST__HMAC" = "yes"; then - HAVE_PERLMOD_DIGEST_HMAC_TRUE= - HAVE_PERLMOD_DIGEST_HMAC_FALSE='#' -else - HAVE_PERLMOD_DIGEST_HMAC_TRUE='#' - HAVE_PERLMOD_DIGEST_HMAC_FALSE= -fi - - - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl module: File::Fetch" >&5 -printf %s "checking for perl module: File::Fetch... " >&6; } - $PERL "-MFile::Fetch" -e exit >/dev/null 2>&1 - if test $? -eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PERLMOD_FILE__FETCH=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PERLMOD_FILE__FETCH=no - - -fi - - if test "$HAVE_PERLMOD_FILE__FETCH" = "yes"; then - HAVE_PERLMOD_FILE_FETCH_TRUE= - HAVE_PERLMOD_FILE_FETCH_FALSE='#' -else - HAVE_PERLMOD_FILE_FETCH_TRUE='#' - HAVE_PERLMOD_FILE_FETCH_FALSE= -fi - - - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl module: Net::DNS" >&5 -printf %s "checking for perl module: Net::DNS... " >&6; } - $PERL "-MNet::DNS" -e exit >/dev/null 2>&1 - if test $? 
-eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PERLMOD_NET__DNS=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PERLMOD_NET__DNS=no - - -fi - - if test "$HAVE_PERLMOD_NET__DNS" = "yes"; then - HAVE_PERLMOD_NET_DNS_TRUE= - HAVE_PERLMOD_NET_DNS_FALSE='#' -else - HAVE_PERLMOD_NET_DNS_TRUE='#' - HAVE_PERLMOD_NET_DNS_FALSE= -fi - - - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl module: Net::DNS::Nameserver" >&5 -printf %s "checking for perl module: Net::DNS::Nameserver... " >&6; } - $PERL "-MNet::DNS::Nameserver" -e exit >/dev/null 2>&1 - if test $? -eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PERLMOD_NET__DNS__NAMESERVER=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PERLMOD_NET__DNS__NAMESERVER=no - - -fi - - if test "$HAVE_PERLMOD_NET__DNS__NAMESERVER" = "yes"; then - HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE= - HAVE_PERLMOD_NET_DNS_NAMESERVER_FALSE='#' -else - HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE='#' - HAVE_PERLMOD_NET_DNS_NAMESERVER_FALSE= -fi - - - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl module: Time::HiRes" >&5 -printf %s "checking for perl module: Time::HiRes... " >&6; } - $PERL "-MTime::HiRes" -e exit >/dev/null 2>&1 - if test $? 
-eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PERLMOD_TIME__HIRES=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PERLMOD_TIME__HIRES=no - - -fi - - if test "$HAVE_PERLMOD_TIME__HIRES" = "yes"; then - HAVE_PERLMOD_TIME_HIRES_TRUE= - HAVE_PERLMOD_TIME_HIRES_FALSE='#' -else - HAVE_PERLMOD_TIME_HIRES_TRUE='#' - HAVE_PERLMOD_TIME_HIRES_FALSE= -fi - - # # Python is optional, it is used only by some of the system test scripts. # @@ -17834,34 +17682,6 @@ else fi - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for python module: dns" >&5 -printf %s "checking for python module: dns... " >&6; } - $PYTHON -c "import dns" >/dev/null 2>&1 - if test $? -eq 0 -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } - eval HAVE_PYMOD_DNS=yes - - -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } - eval HAVE_PYMOD_DNS=no - - -fi - - if test "$HAVE_PYMOD_DNS" = "yes"; then - HAVE_PYMOD_DNS_TRUE= - HAVE_PYMOD_DNS_FALSE='#' -else - HAVE_PYMOD_DNS_TRUE='#' - HAVE_PYMOD_DNS_FALSE= -fi - - # # xsltproc is optional, it is used only by system test scripts. # 
@@ -28187,26 +28007,6 @@ if test -z "${HAVE_PERL_TRUE}" && test -z "${HAVE_PERL_FALSE}"; then as_fn_error $? "conditional \"HAVE_PERL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${HAVE_PERLMOD_DIGEST_HMAC_TRUE}" && test -z "${HAVE_PERLMOD_DIGEST_HMAC_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PERLMOD_DIGEST_HMAC\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${HAVE_PERLMOD_FILE_FETCH_TRUE}" && test -z "${HAVE_PERLMOD_FILE_FETCH_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PERLMOD_FILE_FETCH\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${HAVE_PERLMOD_NET_DNS_TRUE}" && test -z "${HAVE_PERLMOD_NET_DNS_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PERLMOD_NET_DNS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE}" && test -z "${HAVE_PERLMOD_NET_DNS_NAMESERVER_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PERLMOD_NET_DNS_NAMESERVER\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${HAVE_PERLMOD_TIME_HIRES_TRUE}" && test -z "${HAVE_PERLMOD_TIME_HIRES_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PERLMOD_TIME_HIRES\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${HAVE_PYTHON_TRUE}" && test -z "${HAVE_PYTHON_FALSE}"; then as_fn_error $? "conditional \"HAVE_PYTHON\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -28215,10 +28015,6 @@ if test -z "${HAVE_PYTEST_TRUE}" && test -z "${HAVE_PYTEST_FALSE}"; then as_fn_error $? "conditional \"HAVE_PYTEST\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${HAVE_PYMOD_DNS_TRUE}" && test -z "${HAVE_PYMOD_DNS_FALSE}"; then - as_fn_error $? "conditional \"HAVE_PYMOD_DNS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${HAVE_GEOIP2_TRUE}" && test -z "${HAVE_GEOIP2_FALSE}"; then as_fn_error $? "conditional \"HAVE_GEOIP2\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -28661,7 +28457,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by BIND $as_me 9.18.19, which was +This file was extended by BIND $as_me 9.18.24, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -28730,7 +28526,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -BIND config.status 9.18.19 +BIND config.status 9.18.24 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index dc61f79..8aa7a90 100644 --- a/configure.ac +++ b/configure.ac @@ -16,7 +16,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl -m4_define([bind_VERSION_PATCH], 19)dnl +m4_define([bind_VERSION_PATCH], 24)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl 
@@ -237,26 +237,6 @@ AC_PATH_PROGS([PERL], [perl5 perl]) AC_SUBST([PERL]) AM_CONDITIONAL([HAVE_PERL], [test -n "$PERL"]) -AX_PERL_MODULE([Digest::HMAC]) -AM_CONDITIONAL([HAVE_PERLMOD_DIGEST_HMAC], - [test "$HAVE_PERLMOD_DIGEST__HMAC" = "yes"]) - -AX_PERL_MODULE([File::Fetch]) -AM_CONDITIONAL([HAVE_PERLMOD_FILE_FETCH], - [test "$HAVE_PERLMOD_FILE__FETCH" = "yes"]) - -AX_PERL_MODULE([Net::DNS]) -AM_CONDITIONAL([HAVE_PERLMOD_NET_DNS], - [test "$HAVE_PERLMOD_NET__DNS" = "yes"]) - -AX_PERL_MODULE([Net::DNS::Nameserver]) -AM_CONDITIONAL([HAVE_PERLMOD_NET_DNS_NAMESERVER], - [test "$HAVE_PERLMOD_NET__DNS__NAMESERVER" = "yes"]) - -AX_PERL_MODULE([Time::HiRes]) -AM_CONDITIONAL([HAVE_PERLMOD_TIME_HIRES], - [test "$HAVE_PERLMOD_TIME__HIRES" = "yes"]) - # # Python is optional, it is used only by some of the system test scripts. # @@ -269,9 +249,6 @@ AS_IF([test -z "$PYTEST"], AC_SUBST([PYTEST]) AM_CONDITIONAL([HAVE_PYTEST], [test -n "$PYTEST"]) -AX_PYTHON_MODULE([dns]) -AM_CONDITIONAL([HAVE_PYMOD_DNS], [test "$HAVE_PYMOD_DNS" = "yes"]) - # # xsltproc is optional, it is used only by system test scripts. # diff --git a/contrib/dlz/modules/common/dlz_dbi.c b/contrib/dlz/modules/common/dlz_dbi.c index 88ff632..d8e1909 100644 --- a/contrib/dlz/modules/common/dlz_dbi.c +++ b/contrib/dlz/modules/common/dlz_dbi.c @@ -474,7 +474,7 @@ get_parameter_value(const char *input, const char *key) { for (i = 0; i < 255; i++) { value[i] = keystart[keylen + i]; - if (isspace(value[i]) || value[i] == '\0') { + if (isspace((unsigned char)value[i]) || value[i] == '\0') { value[i] = '\0'; break; } diff --git a/contrib/scripts/zone-edit.sh.in b/contrib/scripts/zone-edit.sh.in index 2596ef8..92f8052 100644 --- a/contrib/scripts/zone-edit.sh.in +++ b/contrib/scripts/zone-edit.sh.in 
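Review bot: The `(unsigned char)` cast is the right fix for the undefined behaviour of passing a negative `char` to `isspace()`, but the copy loop around it still has no termination guarantee: `for (i = 0; i < 255; i++)` stores into `value[i]` on every iteration and only writes a `'\0'` on the break path, so a value of 255 or more consecutive non-space bytes leaves the loop with `value` unterminated. The body of `get_parameter_value` and the declaration of `value` are outside the hunk, so whether the buffer is exactly 255 bytes cannot be confirmed here; if it is, add `value[sizeof(value) - 1] = '\0';` after the loop, or bound the loop with `i < (int)sizeof(value) - 1` so the final byte is always a terminator. If `input` is, as its name suggests, the module's own configuration string, only the operator writing that config can reach this, so the exposure is limited — but it is cheap to close while the line is being touched.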
@@ -24,129 +24,121 @@ checkzone=${bindir}/named-checkzone nsupdate=${bindir}/nsupdate case $# in -0) echo "Usage: zone-edit [dig options] [ -- nsupdate options ]"; exit 0 ;; + 0) + echo "Usage: zone-edit [dig options] [ -- nsupdate options ]" + exit 0 + ;; esac # What kind of echo are we using? -try=`echo -n ""` -if test "X$try" = "X-n " -then - echo_arg="" - bsc="\\c" +try=$(echo -n "") +if test "X$try" = "X-n "; then + echo_arg="" + bsc="\\c" else - echo_arg="-n" - bsc="" + echo_arg="-n" + bsc="" fi zone="${1}" shift digopts= -while test $# -ne 0 -do - case "${1}" in +while test $# -ne 0; do + case "${1}" in --) - shift - break - ;; + shift + break + ;; *) - digopts="$digopts $1" - shift - ;; - esac + digopts="$digopts $1" + shift + ;; + esac done -${dig} axfr "$zone" $digopts | -awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next; } { print; }' > ${dir}/old +${dig} axfr "$zone" $digopts \ + | awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next; } { print; }' >${dir}/old -if test -s ${dir}/old -then - ${checkzone} -q -D "$zone" ${dir}/old > ${dir}/ooo +if test -s ${dir}/old; then + ${checkzone} -q -D "$zone" ${dir}/old >${dir}/ooo fi -if test -s ${dir}/ooo -then - cp ${dir}/ooo ${dir}/new - while : - do - if ${VISUAL:-${EDITOR:-/bin/ed}} ${dir}/new - then - if ${checkzone} -q -D "$zone" ${dir}/new > ${dir}/nnn - then - sort ${dir}/ooo > ${dir}/s1 - sort ${dir}/nnn > ${dir}/s2 - comm -23 ${dir}/s1 ${dir}/s2 | - sed 's/^/update delete /' > ${dir}/ccc - comm -13 ${dir}/s1 ${dir}/s2 | - sed 's/^/update add /' >> ${dir}/ccc - if test -s ${dir}/ccc - then - cat ${dir}/ccc | more - while : - do - echo ${echo_arg} "Update (u), Abort (a), Redo (r), Modify (m), Display (d) : $bsc" - read ans - case "$ans" in - u) - ( - echo zone "$zone" - cat ${dir}/ccc - echo send - ) | ${nsupdate} "$@" - break 2 - ;; - a) - break 2 - ;; - d) - cat ${dir}/ccc | more - ;; - r) - cp ${dir}/ooo ${dir}/new - break - ;; - m) - break - 
;; - esac - done - else - while : - do - echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc" - read ans - case "$ans" in - a) - break 2 - ;; - r) - cp ${dir}/ooo ${dir}/new - break - ;; - m) - break - ;; - esac - done - fi - else - while : - do - echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc" - read ans - case "$ans" in - a) - break 2 - ;; - r) - cp ${dir}/ooo ${dir}/new - break - ;; - m) - break - ;; - esac - done - fi +if test -s ${dir}/ooo; then + cp ${dir}/ooo ${dir}/new + while :; do + if ${VISUAL:-${EDITOR:-/bin/ed}} ${dir}/new; then + if ${checkzone} -q -D "$zone" ${dir}/new >${dir}/nnn; then + sort ${dir}/ooo >${dir}/s1 + sort ${dir}/nnn >${dir}/s2 + comm -23 ${dir}/s1 ${dir}/s2 \ + | sed 's/^/update delete /' >${dir}/ccc + comm -13 ${dir}/s1 ${dir}/s2 \ + | sed 's/^/update add /' >>${dir}/ccc + if test -s ${dir}/ccc; then + cat ${dir}/ccc | more + while :; do + echo ${echo_arg} "Update (u), Abort (a), Redo (r), Modify (m), Display (d) : $bsc" + read ans + case "$ans" in + u) + ( + echo zone "$zone" + cat ${dir}/ccc + echo send + ) | ${nsupdate} "$@" + break 2 + ;; + a) + break 2 + ;; + d) + cat ${dir}/ccc | more + ;; + r) + cp ${dir}/ooo ${dir}/new + break + ;; + m) + break + ;; + esac + done + else + while :; do + echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc" + read ans + case "$ans" in + a) + break 2 + ;; + r) + cp ${dir}/ooo ${dir}/new + break + ;; + m) + break + ;; + esac + done fi - done + else + while :; do + echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc" + read ans + case "$ans" in + a) + break 2 + ;; + r) + cp ${dir}/ooo ${dir}/new + break + ;; + m) + break + ;; + esac + done + fi + fi + done fi diff --git a/doc/Makefile.in b/doc/Makefile.in index fb888e1..1b81048 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in 
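Review bot: Every `read ans` in the rewritten prompt loops still lacks `-r`, and `${dir}/old`, `${dir}/ooo`, `${dir}/new`, `${dir}/ccc`, `${dir}/s1`, `${dir}/s2` remain unquoted throughout, so this shfmt-style reformat stops short of making the script shellcheck-clean. `read -r ans` keeps a typed backslash from being interpreted, and `"${dir}/new"` keeps the temporary path a single word if `dir` (assigned before the hunk, presumably via `mktemp -d`) ever contains whitespace; `cat ${dir}/ccc | more` in the `d)` and pre-prompt paths can likewise become `more "${dir}/ccc"`. `$digopts` is deliberately left unquoted to word-split the collected dig options and should stay as it is. The enclosing script begins before the hunk (`dig`, `dir` and the `bindir` tools are set there).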
@@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in index 0626f95..5fca779 100644 --- a/doc/arm/Makefile.in +++ b/doc/arm/Makefile.in @@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/doc/arm/conf.py b/doc/arm/conf.py index 6224f0f..8e209be 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py 
@@ -40,6 +40,44 @@ except ImportError: GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" +KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/" + + +# Custom Sphinx role enabling automatic hyperlinking to security advisory in +# ISC Knowledgebase +class CVERefRole(ReferenceRole): + def __init__(self, base_url: str) -> None: + self.base_url = base_url + super().__init__() + + def run(self) -> Tuple[List[Node], List[system_message]]: + cve_identifier = "(CVE-%s)" % self.target + + target_id = "index-%s" % self.env.new_serialno("index") + entries = [ + ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None) + ] + + index = addnodes.index(entries=entries) + target = nodes.target("", "", ids=[target_id]) + self.inliner.document.note_explicit_target(target) + + try: + refuri = self.base_url + "cve-%s" % self.target + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["cve"] + ) + if self.has_explicit_title: + reference += nodes.strong(self.title, self.title) + else: + reference += nodes.strong(cve_identifier, cve_identifier) + except ValueError: + error_text = "invalid ISC Knowledgebase identifier %s" % self.target + msg = self.inliner.reporter.error(error_text, line=self.lineno) + prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) + return [prb], [msg] + + return [index, target, reference], [] # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. @@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole): def setup(app): + roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL)) roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 4a9e930..a4a9754 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
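Review bot: `CVERefRole.run` never validates `self.target`, so the `except ValueError` branch that reports "invalid ISC Knowledgebase identifier" is, as far as I can see, unreachable — neither the `%` formatting nor `nodes.reference(...)`/`nodes.strong(...)` raise `ValueError` for an arbitrary string — and a typo such as `:cve:`2023-3341x`` silently emits a dead kb.isc.org link in the release notes. Replace the `try` with an explicit check, `if not re.fullmatch(r"\d{4}-\d{4,}", self.target):`, that falls into the existing `reporter.error`/`problematic` lines, and build `reference` unconditionally afterwards; `re` would need importing at the top of conf.py, which is outside the hunk. The `(CVE-%s)` display text and the `cve-%s` URL suffix are both derived from the same unchecked target, so one check covers both.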
@@ -35,6 +35,11 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.18.24.rst +.. include:: ../notes/notes-9.18.23.rst +.. include:: ../notes/notes-9.18.22.rst +.. include:: ../notes/notes-9.18.21.rst +.. include:: ../notes/notes-9.18.20.rst .. include:: ../notes/notes-9.18.19.rst .. include:: ../notes/notes-9.18.18.rst .. include:: ../notes/notes-9.18.17.rst diff --git a/doc/arm/platforms.inc.rst b/doc/arm/platforms.inc.rst index c3f6242..3c0fc01 100644 --- a/doc/arm/platforms.inc.rst +++ b/doc/arm/platforms.inc.rst @@ -46,15 +46,13 @@ Current versions of BIND 9 are fully supported and regularly tested on the following systems: - Debian 10, 11, 12 -- Ubuntu LTS 18.04, 20.04, 22.04 -- Fedora 38 +- Ubuntu LTS 20.04, 22.04 +- Fedora 39 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9 -- FreeBSD 12.4, 13.2 -- OpenBSD 7.3 -- Alpine Linux 3.18 +- FreeBSD 12.4, 13.2, 14.0 +- Alpine Linux 3.19 -The amd64, i386, armhf, and arm64 CPU architectures are all fully -supported. +The amd64 CPU architecture is fully supported and regularly tested. Best-Effort ~~~~~~~~~~~ @@ -68,6 +66,7 @@ regularly by ISC. - macOS 10.12+ - Solaris 11 - NetBSD +- OpenBSD - Other Linux distributions still supported by their vendors, such as: - Ubuntu 20.10+ @@ -75,7 +74,7 @@ regularly by ISC. - Arch Linux - OpenWRT/LEDE 17.01+ -- Other CPU architectures (mips, mipsel, sparc, …) +- Other CPU architectures (arm, arm64, mips64, ppc64, s390x) Community-Maintained ~~~~~~~~~~~~~~~~~~~~ @@ -95,6 +94,8 @@ supported platforms. - Debian 8 Jessie, 9 Stretch - FreeBSD 10.x, 11.x +- Less common CPU architectures (i386, i686, mips, mipsel, sparc, ppc, and others) + Unsupported Platforms --------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 02f111e..e1b8228 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -3164,7 +3164,7 @@ for details on how to specify IP address lists. :rfc:`1034` to use case-insensitive name comparisons when checking for matching domain names. - If left undefined, the ACL defaults to ``none``: case-insensitive + If left undefined, the ACL defaults to ``none``: case-sensitive compression is used for all clients. If the ACL is defined and matches a client, case is ignored when compressing domain names in DNS responses sent to that client. @@ -4370,18 +4370,22 @@ Tuning has no effect, the value of :any:`max-cache-ttl` will be ``0`` in such case. .. namedconf:statement:: resolver-nonbackoff-tries - :tags: server + :tags: deprecated. :short: Specifies the number of retries before exponential backoff. - This specifies how many retries occur before exponential backoff kicks in. The - default is ``3``. + This specifies how many retries occur before exponential backoff kicks in. + The default is ``3``. + + This option is deprecated and will be removed in a future release. .. namedconf:statement:: resolver-retry-interval - :tags: server, query + :tags: deprecated :short: Sets the base retry interval (in milliseconds). This sets the base retry interval in milliseconds. The default is ``800``. + This option is deprecated and will be removed in a future release. + .. namedconf:statement:: sig-validity-interval :tags: dnssec :short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid. diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt index 4dd6796..b811174 100644 --- a/doc/arm/requirements.txt +++ b/doc/arm/requirements.txt @@ -1,5 +1,5 @@ # Make Read the Docs use the exact same package versions as in # registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64 -Sphinx==6.2.1 -docutils==0.18.1 -sphinx_rtd_theme==1.2.2 +Sphinx==7.2.6 +docutils==0.20.1 +sphinx_rtd_theme==2.0.0 diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst index 2936432..878fa37 100644 
--- a/doc/arm/security.inc.rst +++ b/doc/arm/security.inc.rst 
@@ -14,6 +14,56 @@ Security Configurations ======================= +Security Assumptions +-------------------- +BIND 9's design assumes that access to the objects listed below is limited only to +trusted parties. An incorrect deployment, which does not follow rules set by this +section, cannot be the basis for CVE assignment or special security-sensitive +handling of issues. + +Unauthorized access can potentially disclose sensitive data, slow down server +operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects +can potentically cause crashes, incorrect data handling, or corruption. + +- All files stored on disk - including zone files, configuration files, key + files, temporary files, etc. +- Clients communicating via :any:`controls` socket using configured keys +- Access to :any:`statistics-channels` from untrusted clients +- Sockets used for :any:`update-policy` type `external` + +Certain aspects of the DNS protocol are left unspecified, such as the handling of +responses from DNS servers which do not fully conform to the DNS protocol. For +such a situation, BIND implements its own safety checks and limits which are +subject to change as the protocol and deployment evolve. + +Authoritative Servers +~~~~~~~~~~~~~~~~~~~~~ +By default, zones use intentionally lenient limits (unlimited size, long +transfer timeouts, etc.). These defaults can be misused by the source of data +(zone transfers or UPDATEs) to exhaust resources on the receiving side. + +The impact of malicious zone changes can be limited, to an extent, using +configuration options listed in sections :ref:`server_resource_limits` and +:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`. 
+ +DNS Resolvers +~~~~~~~~~~~~~ +By definition, DNS resolvers act as traffic amplifiers; +during normal operation, a DNS resolver can legitimately generate more outgoing +traffic (counted in packets or bytes) than the incoming client traffic that +triggered it. The DNS protocol specification does not currently specify limits +for this amplification, but BIND implements its own limits to balance +interoperability and safety. As a general rule, if a traffic amplification factor +for any given scenario is lower than 100 packets, ISC does not handle the given +scenario as a security issue. These limits are subject to change as DNS +deployment evolves. + +All DNS answers received by the DNS resolver are treated as untrusted input and are +subject to safety and correctness checks. However, protocol non-conformity +might cause unexpected behavior. If such unexpected behavior is limited to DNS +domains hosted on non-conformant servers, it is not deemed a security issue *in +BIND*. + .. _file_permissions: .. _access_Control_Lists: diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst index 7f13155..f0d0d9d 100644 --- a/doc/dnssec-guide/introduction.rst +++ b/doc/dnssec-guide/introduction.rst @@ -372,7 +372,7 @@ want to consider deploying DNSSEC: .. [#] The Office of Management and Budget (OMB) for the US government published `a memo in - 2008 `__, + 2008 `__, requesting all ``.gov`` subdomains to be DNSSEC-signed by December 2009. This explains why ``.gov`` is the most-deployed DNSSEC domain currently, with `around 90% of subdomains diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 98696bb..07ab349 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst 
@@ -717,7 +717,7 @@ process. Thereafter, BIND uses the managed keys database Explicit management of keys was common in the early days of DNSSEC, when neither the root zone nor many top-level domains were signed. Since -then, `over 90% `__ of +then, `over 90% `__ of the top-level domains have been signed, including all the largest ones. Unless you have a particular need to manage keys yourself, it is best to use the BIND defaults and let the software manage the root key. diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in index a853924..8f22df5 100644 --- a/doc/man/Makefile.in +++ b/doc/man/Makefile.in @@ -108,11 +108,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/doc/man/arpaname.1in b/doc/man/arpaname.1in index e9b6515..8022272 100644 --- a/doc/man/arpaname.1in +++ b/doc/man/arpaname.1in @@ -43,6 +43,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/ddns-confgen.8in b/doc/man/ddns-confgen.8in index e2a963d..aad94c9 100644 --- a/doc/man/ddns-confgen.8in +++ b/doc/man/ddns-confgen.8in @@ -107,6 +107,6 @@ This option cannot be used with the \fI\%\-s\fP option. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . 
diff --git a/doc/man/delv.1in b/doc/man/delv.1in index 05d626c..8bb69ec 100644 --- a/doc/man/delv.1in +++ b/doc/man/delv.1in @@ -406,6 +406,6 @@ This option prints response data in YAML format. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dig.1in b/doc/man/dig.1in index 62154ab..70e5761 100644 --- a/doc/man/dig.1in +++ b/doc/man/dig.1in @@ -921,6 +921,6 @@ There are probably too many query options. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-cds.1in b/doc/man/dnssec-cds.1in index 143253f..4760d73 100644 --- a/doc/man/dnssec-cds.1in +++ b/doc/man/dnssec-cds.1in @@ -251,6 +251,6 @@ Reference Manual, \fI\%RFC 7344\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-dsfromkey.1in b/doc/man/dnssec-dsfromkey.1in index 5a76afa..879ea3f 100644 --- a/doc/man/dnssec-dsfromkey.1in +++ b/doc/man/dnssec-dsfromkey.1in @@ -172,6 +172,6 @@ A keyfile error may return \(dqfile not found,\(dq even if the file exists. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-importkey.1in b/doc/man/dnssec-importkey.1in index a15a496..98ab17b 100644 --- a/doc/man/dnssec-importkey.1in +++ b/doc/man/dnssec-importkey.1in @@ -147,6 +147,6 @@ or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . 
diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in index 92c3b7d..099c221 100644 --- a/doc/man/dnssec-keyfromlabel.1in +++ b/doc/man/dnssec-keyfromlabel.1in @@ -314,6 +314,6 @@ security reasons, this file does not have general read permission. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in index e5f3034..8a919f8 100644 --- a/doc/man/dnssec-keygen.1in +++ b/doc/man/dnssec-keygen.1in @@ -384,6 +384,6 @@ To generate a matching key\-signing key, issue the command: .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in index edb0c5f..004bbd0 100644 --- a/doc/man/dnssec-revoke.1in +++ b/doc/man/dnssec-revoke.1in @@ -92,6 +92,6 @@ revoke the key. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in index b0862d9..a805dfa 100644 --- a/doc/man/dnssec-settime.1in +++ b/doc/man/dnssec-settime.1in @@ -291,6 +291,6 @@ metadata, use \fBall\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in index c60431b..7dc25a9 100644 --- a/doc/man/dnssec-signzone.1in +++ b/doc/man/dnssec-signzone.1in @@ -510,6 +510,6 @@ db.example.com.signed .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . 
diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in index baccdf2..01894a8 100644 --- a/doc/man/dnssec-verify.1in +++ b/doc/man/dnssec-verify.1in @@ -123,6 +123,6 @@ This option indicates the file containing the zone to be signed. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnstap-read.1in b/doc/man/dnstap-read.1in index e122c34..045be06 100644 --- a/doc/man/dnstap-read.1in +++ b/doc/man/dnstap-read.1in @@ -68,6 +68,6 @@ This option prints \fBdnstap\fP data in a detailed YAML format. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/filter-a.8in b/doc/man/filter-a.8in index c67ae70..e1cd52d 100644 --- a/doc/man/filter-a.8in +++ b/doc/man/filter-a.8in @@ -101,6 +101,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in index ad6269a..7a83ca8 100644 --- a/doc/man/filter-aaaa.8in +++ b/doc/man/filter-aaaa.8in @@ -105,6 +105,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/host.1in b/doc/man/host.1in index c261da2..28ec6fb 100644 --- a/doc/man/host.1in +++ b/doc/man/host.1in @@ -215,6 +215,6 @@ when \fBhost\fP runs. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in index c3b6a3f..57f15ad 100644 --- a/doc/man/mdig.1in 
+++ b/doc/man/mdig.1in @@ -431,6 +431,6 @@ This flag is off by default. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-checkconf.1in b/doc/man/named-checkconf.1in index 9c7e1e5..6f63f32 100644 --- a/doc/man/named-checkconf.1in +++ b/doc/man/named-checkconf.1in @@ -123,6 +123,6 @@ and 0 otherwise. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-checkzone.1in b/doc/man/named-checkzone.1in index b2f50d1..36ef3be 100644 --- a/doc/man/named-checkzone.1in +++ b/doc/man/named-checkzone.1in @@ -251,6 +251,6 @@ Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-compilezone.1in b/doc/man/named-compilezone.1in index 47842ae..03de0f2 100644 --- a/doc/man/named-compilezone.1in +++ b/doc/man/named-compilezone.1in @@ -253,6 +253,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-journalprint.1in b/doc/man/named-journalprint.1in index 14b9e6f..7bb1bca 100644 --- a/doc/man/named-journalprint.1in +++ b/doc/man/named-journalprint.1in @@ -74,6 +74,6 @@ bug in that release.) Note that these options \fImust not\fP be used while .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-nzd2nzf.1in b/doc/man/named-nzd2nzf.1in index b39acb4..1f04f95 100644 --- a/doc/man/named-nzd2nzf.1in +++ b/doc/man/named-nzd2nzf.1in 
@@ -52,6 +52,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-rrchecker.1in b/doc/man/named-rrchecker.1in index 39196e0..258ef0a 100644 --- a/doc/man/named-rrchecker.1in +++ b/doc/man/named-rrchecker.1in @@ -73,6 +73,6 @@ and private type mnemonics, respectively. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named.8in b/doc/man/named.8in index b33c7db..9f542b7 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in @@ -294,6 +294,6 @@ The default process\-id file. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index c5619dc..f3e37b7 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -309,9 +309,9 @@ options { request\-nsid ; require\-server\-cookie ; reserved\-sockets ; // deprecated - resolver\-nonbackoff\-tries ; + resolver\-nonbackoff\-tries ; // deprecated resolver\-query\-timeout ; - resolver\-retry\-interval ; + resolver\-retry\-interval ; // deprecated response\-padding { ; ... } block\-size ; response\-policy { zone [ add\-soa ] [ log ] [ max\-policy\-ttl ] [ min\-update\-interval ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only ) ] [ recursive\-only ] [ nsip\-enable ] [ nsdname\-enable ]; ... } [ add\-soa ] [ break\-dnssec ] [ max\-policy\-ttl ] [ min\-update\-interval ] [ min\-ns\-dots ] [ nsip\-wait\-recurse ] [ nsdname\-wait\-recurse ] [ qname\-wait\-recurse ] [ recursive\-only ] [ nsip\-enable ] [ nsdname\-enable ] [ dnsrps\-enable ] [ dnsrps\-options { } ]; reuseport ; 
@@ -362,7 +362,7 @@ options { transfers\-in ; transfers\-out ; transfers\-per\-ns ; - trust\-anchor\-telemetry ; // experimental + trust\-anchor\-telemetry ; try\-tcp\-refresh ; udp\-receive\-buffer ; udp\-send\-buffer ; @@ -589,9 +589,9 @@ view [ ] { request\-ixfr ; request\-nsid ; require\-server\-cookie ; - resolver\-nonbackoff\-tries ; + resolver\-nonbackoff\-tries ; // deprecated resolver\-query\-timeout ; - resolver\-retry\-interval ; + resolver\-retry\-interval ; // deprecated response\-padding { ; ... } block\-size ; response\-policy { zone [ add\-soa ] [ log ] [ max\-policy\-ttl ] [ min\-update\-interval ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only ) ] [ recursive\-only ] [ nsip\-enable ] [ nsdname\-enable ]; ... } [ add\-soa ] [ break\-dnssec ] [ max\-policy\-ttl ] [ min\-update\-interval ] [ min\-ns\-dots ] [ nsip\-wait\-recurse ] [ nsdname\-wait\-recurse ] [ qname\-wait\-recurse ] [ recursive\-only ] [ nsip\-enable ] [ nsdname\-enable ] [ dnsrps\-enable ] [ dnsrps\-options { } ]; root\-delegation\-only [ exclude { ; ... } ]; // deprecated @@ -639,7 +639,7 @@ view [ ] { transfer\-format ( many\-answers | one\-answer ); transfer\-source ( | * ) ; transfer\-source\-v6 ( | * ) ; - trust\-anchor\-telemetry ; // experimental + trust\-anchor\-telemetry ; trust\-anchors { ( static\-key | initial\-key | static\-ds | initial\-ds ) ; ... }; // may occur multiple times trusted\-keys { ; ... }; // may occur multiple times, deprecated try\-tcp\-refresh ; @@ -1007,6 +1007,6 @@ zone [ ] { .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nsec3hash.1in b/doc/man/nsec3hash.1in index 4d1bc42..4abaa1d 100644 --- a/doc/man/nsec3hash.1in +++ b/doc/man/nsec3hash.1in 
@@ -81,6 +81,6 @@ BIND 9 Administrator Reference Manual, \fI\%RFC 5155\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nslookup.1in b/doc/man/nslookup.1in index 25bd5dd..e7c184a 100644 --- a/doc/man/nslookup.1in +++ b/doc/man/nslookup.1in @@ -220,6 +220,6 @@ when \fBnslookup\fP runs, or when the standard output is not a tty. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in index b80f329..21a3da3 100644 --- a/doc/man/nsupdate.1in +++ b/doc/man/nsupdate.1in @@ -432,6 +432,6 @@ operations, and may change in future releases. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc-confgen.8in b/doc/man/rndc-confgen.8in index fa20381..b93591e 100644 --- a/doc/man/rndc-confgen.8in +++ b/doc/man/rndc-confgen.8in @@ -136,6 +136,6 @@ To print a sample \fI\%rndc.conf\fP file and the corresponding \fBcontrols\fP an .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in index 7361778..5f62cc1 100644 --- a/doc/man/rndc.8in +++ b/doc/man/rndc.8in @@ -467,6 +467,7 @@ This command reloads the configuration file and zones. .UNINDENT .sp If a zone is specified, this command reloads only the given zone. +If no zone is specified, the reloading happens asynchronously. .UNINDENT .INDENT 0.0 .TP 
@@ -648,7 +649,8 @@ completed. After a zone is thawed, dynamic updates are no longer refused. If the zone has changed and the \fBixfr\-from\-differences\fP option is in use, the journal file is updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing -journal file is removed. +journal file is removed. If no zone is specified, the reloading happens +asynchronously. .sp See also \fI\%rndc freeze\fP\&. .UNINDENT @@ -722,6 +724,6 @@ Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc.conf.5in b/doc/man/rndc.conf.5in index 33fd93c..49e51a2 100644 --- a/doc/man/rndc.conf.5in +++ b/doc/man/rndc.conf.5in @@ -191,6 +191,6 @@ details. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/tsig-keygen.8in b/doc/man/tsig-keygen.8in index c97ad29..04e69a6 100644 --- a/doc/man/tsig-keygen.8in +++ b/doc/man/tsig-keygen.8in @@ -61,6 +61,6 @@ This option prints a short summary of options and arguments. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in index da99f62..146d21c 100644 --- a/doc/misc/Makefile.in +++ b/doc/misc/Makefile.in 
@@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/doc/misc/options b/doc/misc/options index e19261f..da28477 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -252,9 +252,9 @@ options { request-nsid ; require-server-cookie ; reserved-sockets ; // deprecated - resolver-nonbackoff-tries ; + resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; - resolver-retry-interval ; + resolver-retry-interval ; // deprecated response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; reuseport ; @@ -305,7 +305,7 @@ options { transfers-in ; transfers-out ; transfers-per-ns ; - trust-anchor-telemetry ; // experimental + trust-anchor-telemetry ; try-tcp-refresh ; udp-receive-buffer ; udp-send-buffer ; 
@@ -532,9 +532,9 @@ view [ ] { request-ixfr ; request-nsid ; require-server-cookie ; - resolver-nonbackoff-tries ; + resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; - resolver-retry-interval ; + resolver-retry-interval ; // deprecated response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; root-delegation-only [ exclude { ; ... } ]; // deprecated @@ -582,7 +582,7 @@ view [ ] { transfer-format ( many-answers | one-answer ); transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; - trust-anchor-telemetry ; // experimental + trust-anchor-telemetry ; trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times trusted-keys { ; ... }; // may occur multiple times, deprecated try-tcp-refresh ; diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst index f76369b..f0cfe77 100644 --- a/doc/notes/notes-9.18.1.rst +++ b/doc/notes/notes-9.18.1.rst @@ -17,7 +17,7 @@ Security Fixes - The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records - outside the configured bailiwick. (CVE-2021-25220) + outside the configured bailiwick. :cve:`2021-25220` ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and 
@@ -26,18 +26,18 @@ Security Fixes - TCP connections with :any:`keep-response-order` enabled could leave the TCP sockets in the ``CLOSE_WAIT`` state when the client did not - properly shut down the connection. (CVE-2022-0396) :gl:`#3112` + properly shut down the connection. :cve:`2022-0396` :gl:`#3112` - Lookups involving a DNAME could trigger an assertion failure when :any:`synth-from-dnssec` was enabled (which is the default). - (CVE-2022-0635) + :cve:`2022-0635` ISC would like to thank Vincent Levigneron from AFNIC for bringing this vulnerability to our attention. :gl:`#3158` - When chasing DS records, a timed-out or artificially delayed fetch could cause ``named`` to crash while resuming a DS lookup. - (CVE-2022-0667) :gl:`#3129` + :cve:`2022-0667` :gl:`#3129` Feature Changes ~~~~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst index 3e44dc2..77ee344 100644 --- a/doc/notes/notes-9.18.11.rst +++ b/doc/notes/notes-9.18.11.rst @@ -19,14 +19,14 @@ Security Fixes available memory. This flaw was addressed by adding a new :any:`update-quota` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a - queue at any given time (default: 100). (CVE-2022-3094) + queue at any given time (default: 100). :cve:`2022-3094` ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523` - :iscman:`named` could crash with an assertion failure when an RRSIG query was received and :any:`stale-answer-client-timeout` was set to a - non-zero value. This has been fixed. (CVE-2022-3736) + non-zero value. This has been fixed. :cve:`2022-3736` ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to 
@@ -36,7 +36,7 @@ Security Fixes :any:`stale-answer-client-timeout` option set to any value greater than ``0`` could crash with an assertion failure, when the :any:`recursive-clients` soft quota was reached. This has been fixed. - (CVE-2022-3924) + :cve:`2022-3924` ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. :gl:`#3619` diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst index 9ed090c..d1350c1 100644 --- a/doc/notes/notes-9.18.16.rst +++ b/doc/notes/notes-9.18.16.rst @@ -17,7 +17,7 @@ Security Fixes - The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured :any:`max-cache-size` limit. - (CVE-2023-2828) + :cve:`2023-2828` ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, @@ -27,7 +27,7 @@ Security Fixes - A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for :iscman:`named` to enter an infinite callback - loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) + loop and crash due to stack overflow. This has been fixed. :cve:`2023-2911` :gl:`#4089` New Features diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst index 3d3c513..9c3ebd8 100644 --- a/doc/notes/notes-9.18.19.rst +++ b/doc/notes/notes-9.18.19.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing :iscman:`named` to terminate unexpectedly. - This has been fixed. (CVE-2023-3341) + This has been fixed. :cve:`2023-3341` ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. :gl:`#4152` 
@@ -26,7 +26,7 @@ Security Fixes - A flaw in the networking code handling DNS-over-TLS queries could cause :iscman:`named` to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been - fixed. (CVE-2023-4236) + fixed. :cve:`2023-4236` ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. diff --git a/doc/notes/notes-9.18.20.rst b/doc/notes/notes-9.18.20.rst new file mode 100644 index 0000000..a1c24f5 --- /dev/null +++ b/doc/notes/notes-9.18.20.rst 
@@ -0,0 +1,44 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.20 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The IP addresses for B.ROOT-SERVERS.NET have been updated to + 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101` + +Bug Fixes +~~~~~~~~~ + +- If the unsigned version of an inline-signed zone contained DNSSEC + records, it was incorrectly scheduled for resigning. This has been + fixed. :gl:`#4350` + +- Looking up stale data from the cache did not take local authoritative + data into account. This has been fixed. :gl:`#4355` + +- An assertion failure was triggered when :any:`lock-file` was used at + the same time as the :option:`named -X` command-line option. This has + been fixed. :gl:`#4386` + +- The :any:`lock-file` file was being removed when it should not have + been, making the statement ineffective when :iscman:`named` was + started three or more times. This has been fixed. :gl:`#4387` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.21.rst b/doc/notes/notes-9.18.21.rst new file mode 100644 index 0000000..12876d8 --- /dev/null +++ b/doc/notes/notes-9.18.21.rst 
@@ -0,0 +1,31 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.21 +---------------------- + +Removed Features +~~~~~~~~~~~~~~~~ + +- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm + aes;``) has been deprecated and will be removed in a future release. + Please use the current default, SipHash-2-4, instead. :gl:`#4421` + +- The :any:`resolver-nonbackoff-tries` and :any:`resolver-retry-interval` + statements have been deprecated. Using them now causes a warning to be + logged. :gl:`#4405` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.22.rst b/doc/notes/notes-9.18.22.rst new file mode 100644 index 0000000..77f374c --- /dev/null +++ b/doc/notes/notes-9.18.22.rst @@ -0,0 +1,19 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.22 +---------------------- + +.. note:: + + The BIND 9.18.22 release was withdrawn after the discovery of a + regression in a security fix in it during pre-release testing. ISC + would like to acknowledge the assistance of Curtis Tuplin of SaskTel. 
diff --git a/doc/notes/notes-9.18.23.rst b/doc/notes/notes-9.18.23.rst new file mode 100644 index 0000000..7f95b80 --- /dev/null +++ b/doc/notes/notes-9.18.23.rst @@ -0,0 +1,20 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.23 +---------------------- + +.. note:: + + The BIND 9.18.23 release was withdrawn after the discovery of a + regression in a security fix in it during pre-release testing. ISC + would like to acknowledge the assistance of Vinzenz Vogel and Daniel + Stirnimann of SWITCH. diff --git a/doc/notes/notes-9.18.24.rst b/doc/notes/notes-9.18.24.rst new file mode 100644 index 0000000..3e3f1c2 --- /dev/null +++ b/doc/notes/notes-9.18.24.rst 
@@ -0,0 +1,65 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.24 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Validating DNS messages containing a lot of DNSSEC signatures could + cause excessive CPU load, leading to a denial-of-service condition. + This has been fixed. :cve:`2023-50387` + + ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, + and Michael Waidner from the German National Research Center for + Applied Cybersecurity ATHENE for bringing this vulnerability to our + attention. :gl:`#4424` + +- Preparing an NSEC3 closest encloser proof could cause excessive CPU + load, leading to a denial-of-service condition. This has been fixed. + :cve:`2023-50868` :gl:`#4459` + +- Parsing DNS messages with many different names could cause excessive + CPU load. This has been fixed. :cve:`2023-4408` + + ISC would like to thank Shoham Danino from Reichman University, Anat + Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv + University, and Yuval Shavitt from Tel-Aviv University for bringing + this vulnerability to our attention. :gl:`#4234` + +- Specific queries could cause :iscman:`named` to crash with an + assertion failure when :any:`nxdomain-redirect` was enabled. This has + been fixed. :cve:`2023-5517` :gl:`#4281` + +- A bad interaction between DNS64 and serve-stale could cause + :iscman:`named` to crash with an assertion failure, when both of these + features were enabled. This has been fixed. 
:cve:`2023-5679` + :gl:`#4334` + +- Under certain circumstances, the DNS-over-TLS client code incorrectly + attempted to process more than one DNS message at a time, which could + cause :iscman:`named` to crash with an assertion failure. This has + been fixed. :gl:`#4487` + +Bug Fixes +~~~~~~~~~ + +- The counters exported via the statistics channel were changed back to + 64-bit signed values; they were being inadvertently truncated to + unsigned 32-bit values since BIND 9.15.0. :gl:`#4467` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst index 09952c9..8ed2be6 100644 --- a/doc/notes/notes-9.18.3.rst +++ b/doc/notes/notes-9.18.3.rst @@ -20,7 +20,7 @@ Security Fixes DNS-over-HTTPS (DoH) clients. This has been fixed. ISC would like to thank Thomas Amgarten from arcade solutions ag for - bringing this vulnerability to our attention. (CVE-2022-1183) + bringing this vulnerability to our attention. :cve:`2022-1183` :gl:`#3216` Known Issues diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst index dade98e..5d46acd 100644 --- a/doc/notes/notes-9.18.7.rst +++ b/doc/notes/notes-9.18.7.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of :iscman:`named` running as a - recursive resolver. This has been fixed. (CVE-2022-2795) + recursive resolver. This has been fixed. :cve:`2022-2795` ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing 
@@ -27,20 +27,20 @@ Security Fixes - When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. - (CVE-2022-2881) :gl:`#3493` + :cve:`2022-2881` :gl:`#3493` - Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with - OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491` - :iscman:`named` running as a resolver with the :any:`stale-answer-client-timeout` option set to ``0`` could crash with an assertion failure, when there was a stale CNAME in the cache - for the incoming query. This has been fixed. (CVE-2022-3080) + for the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517` - Memory leaks were fixed that could be externally triggered in the - DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178` :gl:`#3487` Feature Changes diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in index 96cfe07..637d9ec 100644 --- a/fuzz/Makefile.in +++ b/fuzz/Makefile.in @@ -107,11 +107,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c index dfbd18e..74eaf9c 100644 --- a/fuzz/dns_message_checksig.c +++ b/fuzz/dns_message_checksig.c 
@@ -478,7 +478,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (setquerytsig) { isc_buffer_t b; unsigned char hmacname[] = HMACSHA256; - unsigned char hmac[32] = { + unsigned char hmacvalue[32] = { 0x22, 0x4d, 0x58, 0x07, 0x64, 0x8d, 0x14, 0x00, 0x9d, 0x8e, 0xfc, 0x1c, 0xd0, 0x49, 0x55, 0xe9, 0xcc, 0x90, 0x21, 0x87, 0x3b, 0x5f, 0xaf, 0x5c, @@ -496,7 +496,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { isc_buffer_putuint16(&b, 300); /* Fudge */ isc_buffer_putuint16(&b, 32); /* Mac Length */ /* Mac */ - isc_buffer_putmem(&b, hmac, 32); + isc_buffer_putmem(&b, hmacvalue, 32); isc_buffer_putuint16(&b, 7674); /* Original Id */ isc_buffer_putuint16(&b, 0); /* Error */ isc_buffer_putuint16(&b, 0); /* Other len */ diff --git a/lib/Makefile.in b/lib/Makefile.in index 9a6f85c..9e568e5 100644 --- a/lib/Makefile.in +++ b/lib/Makefile.in @@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in index cf12ed5..a7bef71 100644 --- a/lib/bind9/Makefile.in +++ b/lib/bind9/Makefile.in 
@@ -105,11 +105,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 695090e..1c850d8 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1608,6 +1608,10 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, (void)cfg_map_get(options, "cookie-algorithm", &obj); if (obj != NULL) { ccalg = cfg_obj_asstring(obj); + if (strcasecmp(ccalg, "aes") == 0) { + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "cookie-algorithm 'aes' is deprecated"); + } } obj = NULL; diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 7d71f13..a17d2a0 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -147,11 +147,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 449fe34..72390f2 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c 
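Review bot: The deprecation warning added to check_options says what is going away but not what to use instead, and a warning that operators only see in the reload log should answer that on its own; the release notes in this same commit name SipHash-2-4 as the replacement, so `"cookie-algorithm 'aes' is deprecated; use the default 'siphash24' instead"` would be more actionable. The match uses strcasecmp(), so any casing of "aes" triggers the warning, which is fine as long as the later use of ccalg (outside the hunk) is equally case-insensitive — worth a glance. The configuration is still accepted, which is consistent with "deprecated, removal later" rather than a hard error. check_options continues beyond the hunk.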
@@ -448,8 +448,8 @@ enum { * These are currently used on simple unsigned ints, so they are * not really associated with any particular type. */ -#define WANT_INET(x) (((x)&DNS_ADBFIND_INET) != 0) -#define WANT_INET6(x) (((x)&DNS_ADBFIND_INET6) != 0) +#define WANT_INET(x) (((x) & DNS_ADBFIND_INET) != 0) +#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0) #define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now)) @@ -458,12 +458,12 @@ enum { * glue, and compare this to the appropriate bits set in o, to see if * this is ok. */ -#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o)&DNS_ADBFIND_GLUEOK) != 0)) -#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o)&DNS_ADBFIND_HINTOK) != 0)) +#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0)) +#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0)) #define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o)) #define STARTATZONE_MATCHES(nf, o) \ (((nf)->flags & DNS_ADBFIND_STARTATZONE) == \ - ((o)&DNS_ADBFIND_STARTATZONE)) + ((o) & DNS_ADBFIND_STARTATZONE)) #define ENTER_LEVEL ISC_LOG_DEBUG(50) #define EXIT_LEVEL ENTER_LEVEL diff --git a/lib/dns/catz.c b/lib/dns/catz.c index b18459e..a872701 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -881,6 +881,13 @@ dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name, LOCK(&catzs->lock); + /* + * This function is called only during a (re)configuration, while + * 'catzs->zones' can become NULL only during shutdown. + */ + INSIST(catzs->zones != NULL); + INSIST(!atomic_load(&catzs->shuttingdown)); + result = dns_catz_new_zone(catzs, &catz, name); if (result != ISC_R_SUCCESS) { goto cleanup; 
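Review bot: The two INSIST() calls added under LOCK(&catzs->lock) in dns_catz_add_zone convert a shutdown race into an assertion failure, whereas the sibling hunks in this commit (dns_catz_get_zone and dns__catz_update_cb) handle `catzs->zones == NULL` by bailing out gracefully. The new comment states that reconfiguration and shutdown cannot overlap; if every caller really guarantees that, the INSISTs are a valid invariant check, but if a reconfig can race with shutdown the result is a crash of the whole server instead of a failed reconfig, so failing through the existing cleanup path with ISC_R_SHUTTINGDOWN looks like the safer choice. This assumes the `cleanup` label releases the lock, which is outside the hunk, as is the rest of dns_catz_add_zone.
```c
	LOCK(&catzs->lock);

	/*
	 * (Re)configuration is not expected to overlap with shutdown; if it
	 * nevertheless does, fail this add instead of asserting.
	 */
	if (catzs->zones == NULL || atomic_load(&catzs->shuttingdown)) {
		result = ISC_R_SHUTTINGDOWN;
		goto cleanup;
	}

	result = dns_catz_new_zone(catzs, &catz, name);
	/* … unchanged: error handling and the rest of the function … */
```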
@@ -919,6 +926,10 @@ dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name) { REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC)); LOCK(&catzs->lock); + if (catzs->zones == NULL) { + UNLOCK(&catzs->lock); + return (NULL); + } result = isc_ht_find(catzs->zones, name->ndata, name->length, (void **)&found); UNLOCK(&catzs->lock); @@ -2299,6 +2310,11 @@ dns__catz_update_cb(void *data) { */ dns_name_toregion(&updb->origin, &r); LOCK(&catzs->lock); + if (catzs->zones == NULL) { + UNLOCK(&catzs->lock); + result = ISC_R_SHUTTINGDOWN; + goto exit; + } result = isc_ht_find(catzs->zones, r.base, r.length, (void **)&oldcatz); is_active = (result == ISC_R_SUCCESS && oldcatz->active); UNLOCK(&catzs->lock); diff --git a/lib/dns/diff.c b/lib/dns/diff.c index 52f5aca..9daf16e 100644 --- a/lib/dns/diff.c +++ b/lib/dns/diff.c @@ -241,6 +241,22 @@ setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) { } } +static const char * +optotext(dns_diffop_t op) { + switch (op) { + case DNS_DIFFOP_ADD: + return ("add"); + case DNS_DIFFOP_ADDRESIGN: + return ("add-resign"); + case DNS_DIFFOP_DEL: + return ("del"); + case DNS_DIFFOP_DELRESIGN: + return ("del-resign"); + default: + return ("unknown"); + } +} + static isc_result_t diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, bool warn) { dns_difftuple_t *t; @@ -270,6 +286,7 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, bool warn) { while (t != NULL && dns_name_equal(&t->name, name)) { dns_rdatatype_t type, covers; + dns_rdataclass_t rdclass; dns_diffop_t op; dns_rdatalist_t rdl; dns_rdataset_t rds; @@ -278,6 +295,7 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, bool warn) { op = t->op; type = t->rdata.type; + rdclass = t->rdata.rdclass; covers = rdata_covers(&t->rdata); /* 
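Review bot: optotext()'s `default:` arm returns "unknown" without saying which dns_diffop_t values are expected to land there; if the enum has members beyond the four listed (a prerequisite/"exists" op, for example), a reader cannot tell whether hitting the default is normal or a caller bug. A one-line comment on the arm, `/* diff_apply() only applies add/del tuples; other ops are not expected here — confirm */`, or listing the remaining enum values explicitly, would settle that. The helper is used only by the DNS_R_NOTEXACT log line added later in diff_apply, so the string is purely diagnostic and no behaviour depends on it.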
@@ -440,6 +458,22 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, bool warn) { dns_rdataset_disassociate(&ardataset); } } else { + if (result == DNS_R_NOTEXACT) { + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_rdatatype_format(type, typebuf, + sizeof(typebuf)); + dns_rdataclass_format(rdclass, classbuf, + sizeof(classbuf)); + isc_log_write( + DIFF_COMMON_LOGARGS, + ISC_LOG_ERROR, + "dns_diff_apply: %s/%s/%s: %s " + "%s", + namebuf, typebuf, classbuf, + optotext(op), + isc_result_totext(result)); + } if (dns_rdataset_isassociated(&ardataset)) { dns_rdataset_disassociate(&ardataset); } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index f04ae2f..0658c69 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -164,7 +164,8 @@ computeid(dst_key_t *key); static isc_result_t frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp); + isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, + dst_key_t **keyp); static isc_result_t algorithm_status(unsigned int alg); @@ -753,6 +754,13 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) { isc_result_t dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass, isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) { + return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp)); +} + +isc_result_t +dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass, + isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, + dst_key_t **keyp) { uint8_t alg, proto; uint32_t flags, extflags; dst_key_t *key = NULL; @@ -783,7 +791,7 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass, } result = frombuffer(name, alg, flags, proto, rdclass, source, mctx, - &key); + no_rdata, &key); if (result != ISC_R_SUCCESS) { return (result); } 
@@ -804,7 +812,7 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags, REQUIRE(dst_initialized); result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx, - &key); + false, &key); if (result != ISC_R_SUCCESS) { return (result); } @@ -1647,7 +1655,7 @@ dst_key_read_public(const char *filename, int type, isc_mem_t *mctx, isc_token_t token; isc_result_t ret; dns_rdata_t rdata = DNS_RDATA_INIT; - unsigned int opt = ISC_LEXOPT_DNSMULTILINE; + unsigned int opt = ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE; dns_rdataclass_t rdclass = dns_rdataclass_in; isc_lexspecials_t specials; uint32_t ttl = 0; @@ -2351,7 +2359,8 @@ computeid(dst_key_t *key) { static isc_result_t frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) { + isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, + dst_key_t **keyp) { dst_key_t *key; isc_result_t ret; @@ -2376,10 +2385,12 @@ frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags, return (DST_R_UNSUPPORTEDALG); } - ret = key->func->fromdns(key, source); - if (ret != ISC_R_SUCCESS) { - dst_key_free(&key); - return (ret); + if (!no_rdata) { + ret = key->func->fromdns(key, source); + if (ret != ISC_R_SUCCESS) { + dst_key_free(&key); + return (ret); + } } } diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h index 1401380..ab5c614 100644 --- a/lib/dns/include/dns/catz.h +++ b/lib/dns/include/dns/catz.h @@ -13,10 +13,7 @@ #pragma once -/* - * Define this for reference count tracing in the unit - */ -#undef DNS_CATZ_TRACE +/* Add -DDNS_CATZ_TRACE=1 to CFLAGS for detailed reference tracing */ #include #include 
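Review bot: The new `if (!no_rdata)` branch in the frombuffer hunk (`@@ -2376,10 +2385,12 @@`) hands back a key on which the algorithm-specific `key->func->fromdns` step never ran, and neither this hunk nor the dst.h hunk on L2295 says what such a key may be used for; the existing `/*%<` block in dst.h still documents only `dst_key_fromdns`, and the inserted `dst_key_fromdns_ex` declaration above it has no Requires/Returns text of its own. A comment at the branch along the lines of `/* no_rdata: only the DNSKEY header fields are parsed; the key material is deliberately not loaded, so callers must not use the result for signing or verification */`, plus a matching paragraph for `dst_key_fromdns_ex` in dst.h, would make the contract visible at both ends. Whether the partially-built key is safe for the accessors callers presumably want (id, algorithm, flags) I cannot confirm from this chunk; frombuffer continues outside the hunk.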
@@ -314,7 +311,8 @@ isc_result_t dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name, dns_catz_zone_t **catzp); /*%< - * Allocate a new catz named 'name' and put it in 'catzs' collection. + * Allocate a new catz named 'name' and put it in 'catzs' collection. This + * function is safe to call only during a (re)configuration. * * Requires: * \li 'catzs' is a valid dns_catz_zones_t. diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h index 96be0f4..ad377f0 100644 --- a/lib/dns/include/dns/dispatch.h +++ b/lib/dns/include/dns/dispatch.h @@ -58,7 +58,7 @@ #include -#undef DNS_DISPATCH_TRACE +/* Add -DDNS_DISPATCH_TRACE=1 to CFLAGS for detailed reference tracing */ ISC_LANG_BEGINDECLS diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index b5d9a5a..f15884a 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h @@ -597,7 +597,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, * *\li 'cctx' be valid. * - *\li 'buffer' is a valid buffer. + *\li 'buffer' is a valid buffer with length less than 65536. * * Side Effects: * 
@@ -856,44 +856,6 @@ dns_message_findtype(const dns_name_t *name, dns_rdatatype_t type, *\li #ISC_R_NOTFOUND -- the desired type does not exist. */ -isc_result_t -dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass, - dns_rdatatype_t type, dns_rdatatype_t covers, - dns_rdataset_t **rdataset); -/*%< - * Search the name for the specified rdclass and type. If it is found, - * *rdataset is filled in with a pointer to that rdataset. - * - * Requires: - *\li if '**rdataset' is non-NULL, *rdataset needs to be NULL. - * - *\li 'type' be a valid type, and NOT dns_rdatatype_any. - * - *\li If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type. - * Otherwise it should be 0. - * - * Returns: - *\li #ISC_R_SUCCESS -- all is well. - *\li #ISC_R_NOTFOUND -- the desired type does not exist. - */ - -void -dns_message_movename(dns_message_t *msg, dns_name_t *name, - dns_section_t fromsection, dns_section_t tosection); -/*%< - * Move a name from one section to another. - * - * Requires: - * - *\li 'msg' be valid. - * - *\li 'name' must be a name already in 'fromsection'. - * - *\li 'fromsection' must be a valid section. - * - *\li 'tosection' must be a valid section. - */ - void dns_message_addname(dns_message_t *msg, dns_name_t *name, dns_section_t section); diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h index a758c4d..199856a 100644 --- a/lib/dns/include/dns/name.h +++ b/lib/dns/include/dns/name.h @@ -68,6 +68,7 @@ #include #include +#include #include #include #include /* Required for storage size of dns_label_t. */ @@ -111,6 +112,7 @@ struct dns_name { isc_buffer_t *buffer; ISC_LINK(dns_name_t) link; ISC_LIST(dns_rdataset_t) list; + isc_ht_t *ht; }; #define DNS_NAME_MAGIC ISC_MAGIC('D', 'N', 'S', 'n') 
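Review bot: The `isc_ht_t *ht;` member added to `struct dns_name` in the name.h hunk (`@@ -111,6 +112,7 @@`) has no comment, so its ownership rules can only be reconstructed from other files in this patch. From the message.c and name.c hunks on L2296–L2306, the table is created while a message section is parsed, torn down by `cleanup_name_hashmaps()` and `dns_message_puttempname()`, and `dns_name_invalidate()` now `INSIST`s that it is NULL; a comment such as `/* Per-name rdataset lookup table, populated only while a message section is being parsed; the owner must destroy it before the name is invalidated or reused. */` would keep that contract next to the field. The `_n->ht = NULL;` line added to DNS_NAME_INIT in the hunk on L2293 relies on the same rule and needs no separate comment.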
@@ -166,30 +168,24 @@ extern const dns_name_t *dns_wildcardname; * unsigned char offsets[] = { 0, 6 }; * dns_name_t value = DNS_NAME_INITABSOLUTE(data, offsets); */ -#define DNS_NAME_INITNONABSOLUTE(A, B) \ - { \ - DNS_NAME_MAGIC, A, (sizeof(A) - 1), sizeof(B), \ - DNS_NAMEATTR_READONLY, B, NULL, \ - { (void *)-1, (void *)-1 }, { \ - NULL, NULL \ - } \ +#define DNS_NAME_INITNONABSOLUTE(A, B) \ + { \ + DNS_NAME_MAGIC, A, (sizeof(A) - 1), sizeof(B), \ + DNS_NAMEATTR_READONLY, B, NULL, \ + { (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \ } -#define DNS_NAME_INITABSOLUTE(A, B) \ - { \ - DNS_NAME_MAGIC, A, sizeof(A), sizeof(B), \ - DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, B, \ - NULL, { (void *)-1, (void *)-1 }, { \ - NULL, NULL \ - } \ +#define DNS_NAME_INITABSOLUTE(A, B) \ + { \ + DNS_NAME_MAGIC, A, sizeof(A), sizeof(B), \ + DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, B, \ + NULL, { (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \ } -#define DNS_NAME_INITEMPTY \ - { \ - DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \ - { (void *)-1, (void *)-1 }, { \ - NULL, NULL \ - } \ +#define DNS_NAME_INITEMPTY \ + { \ + DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \ + { (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \ } /*% @@ -1330,6 +1326,7 @@ ISC_LANG_ENDDECLS _n->buffer = NULL; \ ISC_LINK_INIT(_n, link); \ ISC_LIST_INIT(_n->list); \ + _n->ht = NULL; \ } while (0) #define DNS_NAME_RESET(n) \ diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h index 3b62e12..40bf09e 100644 --- a/lib/dns/include/dns/rbt.h +++ b/lib/dns/include/dns/rbt.h @@ -124,6 +124,12 @@ struct dns_rbtnode { */ ISC_LINK(dns_rbtnode_t) deadlink; + /*% + * This linked list is used to store nodes from which tree pruning can + * be started. + */ + ISC_LINK(dns_rbtnode_t) prunelink; + /*@{*/ /*! * These values are used in the RBT DB implementation. The appropriate 
@@ -992,4 +998,11 @@ dns__rbtnode_namelen(dns_rbtnode_t *node); * Returns the length of the full name of the node. Used only internally * and in unit tests. */ + +unsigned int +dns__rbtnode_getsize(dns_rbtnode_t *node); +/* + * Return allocated size for a node. + */ + ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h index 364ad92..5885681 100644 --- a/lib/dns/include/dns/rpz.h +++ b/lib/dns/include/dns/rpz.h @@ -13,10 +13,7 @@ #pragma once -/* - * Define this for reference count tracing in the unit - */ -#undef DNS_RPZ_TRACE +/* Add -DDNS_RPZ_TRACE=1 to CFLAGS for detailed reference tracing */ #include #include diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h index 683f870..3ea3956 100644 --- a/lib/dns/include/dns/stats.h +++ b/lib/dns/include/dns/stats.h @@ -493,7 +493,7 @@ extern const char *dns_statscounter_names[]; /*%< * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t. */ -#define DNS_RDATASTATSTYPE_BASE(type) ((dns_rdatatype_t)((type)&0xFFFF)) +#define DNS_RDATASTATSTYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF)) #define DNS_RDATASTATSTYPE_ATTR(type) ((type) >> 16) #define DNS_RDATASTATSTYPE_VALUE(b, a) (((a) << 16) | (b)) diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index 383dcb4..352a60a 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -148,6 +148,7 @@ struct dns_validator { unsigned int depth; unsigned int authcount; unsigned int authfail; + bool failed; isc_stdtime_t start; }; diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index ca292b0..f845e9b 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h 
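Review bot: The `bool failed;` member added to `struct dns_validator` in the validator.h hunk (`@@ -148,6 +148,7 @@`) carries no comment, and nothing in the hunk shows which path sets it or what it gates. A one-line comment next to the declaration naming the function that sets it and the check that reads it would make the field's role clear without opening validator.c; the neighbouring `authcount`/`authfail` fields at least carry their meaning in their names. validator.c is not in this chunk, so I cannot propose the exact wording.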
@@ -482,6 +482,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory); */ isc_result_t +dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass, + isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, + dst_key_t **keyp); +isc_result_t dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass, isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp); /*%< diff --git a/lib/dns/master.c b/lib/dns/master.c index 97b9343..c785022 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -88,7 +88,7 @@ #define DNS_MASTER_LHS 2048 #define DNS_MASTER_RHS MINTSIZ -#define CHECKNAMESFAIL(x) (((x)&DNS_MASTER_CHECKNAMESFAIL) != 0) +#define CHECKNAMESFAIL(x) (((x) & DNS_MASTER_CHECKNAMESFAIL) != 0) typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t; diff --git a/lib/dns/message.c b/lib/dns/message.c index 1b983d9..8654e92 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -22,6 +22,8 @@ #include #include +#include +#include #include #include #include @@ -493,9 +495,11 @@ msgresetsigs(dns_message_t *msg, bool replying) { } else { dns_rdataset_disassociate(msg->tsig); isc_mempool_put(msg->rdspool, msg->tsig); + msg->tsig = NULL; if (msg->querytsig != NULL) { dns_rdataset_disassociate(msg->querytsig); isc_mempool_put(msg->rdspool, msg->querytsig); + msg->querytsig = NULL; } } dns_message_puttempname(msg, &msg->tsigname); @@ -790,6 +794,18 @@ dns_message_detach(dns_message_t **messagep) { } } +static isc_result_t +name_hash_add(isc_ht_t *ht, dns_name_t *name, dns_name_t **foundp) { + isc_result_t result = isc_ht_find(ht, name->ndata, name->length, + (void **)foundp); + if (result == ISC_R_SUCCESS) { + return (ISC_R_EXISTS); + } + result = isc_ht_add(ht, name->ndata, name->length, (void *)name); + INSIST(result == ISC_R_SUCCESS); + return (ISC_R_SUCCESS); +} + static isc_result_t findname(dns_name_t **foundname, const dns_name_t *target, dns_namelist_t *section) { 
@@ -809,29 +825,26 @@ findname(dns_name_t **foundname, const dns_name_t *target, return (ISC_R_NOTFOUND); } -isc_result_t -dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass, - dns_rdatatype_t type, dns_rdatatype_t covers, - dns_rdataset_t **rdataset) { - dns_rdataset_t *curr; - - REQUIRE(name != NULL); - REQUIRE(rdataset == NULL || *rdataset == NULL); - - for (curr = ISC_LIST_TAIL(name->list); curr != NULL; - curr = ISC_LIST_PREV(curr, link)) - { - if (curr->rdclass == rdclass && curr->type == type && - curr->covers == covers) - { - if (rdataset != NULL) { - *rdataset = curr; - } - return (ISC_R_SUCCESS); - } - } +typedef struct __attribute__((__packed__)) rds_key { + dns_rdataclass_t rdclass; + dns_rdatatype_t type; + dns_rdatatype_t covers; +} rds_key_t; - return (ISC_R_NOTFOUND); +static isc_result_t +rds_hash_add(isc_ht_t *ht, dns_rdataset_t *rds, dns_rdataset_t **foundp) { + rds_key_t key = { .rdclass = rds->rdclass, + .type = rds->type, + .covers = rds->covers }; + isc_result_t result = isc_ht_find(ht, (const unsigned char *)&key, + sizeof(key), (void **)foundp); + if (result == ISC_R_SUCCESS) { + return (ISC_R_EXISTS); + } + result = isc_ht_add(ht, (const unsigned char *)&key, sizeof(key), + (void *)rds); + INSIST(result == ISC_R_SUCCESS); + return (ISC_R_SUCCESS); } isc_result_t @@ -958,6 +971,18 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, } \ } while (0) +static void +cleanup_name_hashmaps(dns_namelist_t *section) { + dns_name_t *name = NULL; + for (name = ISC_LIST_HEAD(*section); name != NULL; + name = ISC_LIST_NEXT(name, link)) + { + if (name->ht != NULL) { + isc_ht_destroy(&name->ht); + } + } +} + static isc_result_t getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, unsigned int options) { 
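Review bot: `rds_key_t` is declared `__attribute__((__packed__))` with no comment explaining why, and the reason is load-bearing: `rds_hash_add()` hashes and compares the raw bytes of the struct (`(const unsigned char *)&key, sizeof(key)`), so any padding would carry uninitialised stack bytes and two logically equal keys could fail to match, defeating the duplicate-RRset check that replaces `dns_message_find()`. A one-line comment on the typedef, e.g. `/* packed: the struct's bytes are used verbatim as the hash key, so it must contain no padding */`, would stop a future maintainer from dropping the attribute or inserting a field that reintroduces padding. The designated initialiser in `rds_hash_add()` sets every member, so with the attribute in place the key bytes are fully defined.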
@@ -967,13 +992,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, dns_name_t *name2 = NULL; dns_rdataset_t *rdataset = NULL; dns_rdatalist_t *rdatalist = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; dns_rdatatype_t rdtype; dns_rdataclass_t rdclass; dns_namelist_t *section = &msg->sections[DNS_SECTION_QUESTION]; bool best_effort = ((options & DNS_MESSAGEPARSE_BESTEFFORT) != 0); bool seen_problem = false; bool free_name = false; + bool free_ht = false; + isc_ht_t *name_map = NULL; + + if (msg->counts[DNS_SECTION_QUESTION] > 1) { + isc_ht_init(&name_map, msg->mctx, 1, ISC_HT_CASE_INSENSITIVE); + } for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) { name = NULL; @@ -994,13 +1025,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, goto cleanup; } + /* If there is only one QNAME, skip the duplicity checks */ + if (name_map == NULL) { + result = ISC_R_SUCCESS; + goto skip_name_check; + } + /* * Run through the section, looking to see if this name * is already there. If it is found, put back the allocated * name since we no longer need it, and set our name pointer * to point to the name we found. */ - result = findname(&name2, name, section); + result = name_hash_add(name_map, name, &name2); /* * If it is the first name in the section, accept it. @@ -1012,19 +1049,25 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, * this should be legal or not. In either case we no longer * need this name pointer. */ - if (result != ISC_R_SUCCESS) { + skip_name_check: + switch (result) { + case ISC_R_SUCCESS: if (!ISC_LIST_EMPTY(*section)) { DO_ERROR(DNS_R_FORMERR); } ISC_LIST_APPEND(*section, name, link); - free_name = false; - } else { + break; + case ISC_R_EXISTS: dns_message_puttempname(msg, &name); name = name2; name2 = NULL; - free_name = false; + break; + default: + UNREACHABLE(); } + free_name = false; + /* * Get type and class. */ 
@@ -1054,14 +1097,6 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, msg->tkey = 1; } - /* - * Can't ask the same question twice. - */ - result = dns_message_find(name, rdclass, rdtype, 0, NULL); - if (result == ISC_R_SUCCESS) { - DO_ERROR(DNS_R_FORMERR); - } - /* * Allocate a new rdatalist. */ @@ -1071,6 +1106,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, goto cleanup; } rdataset = isc_mempool_get(msg->rdspool); + dns_rdataset_init(rdataset); /* * Convert rdatalist to rdataset, and attach the latter to @@ -1078,8 +1114,6 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, */ rdatalist->type = rdtype; rdatalist->rdclass = rdclass; - - dns_rdataset_init(rdataset); result = dns_rdatalist_tordataset(rdatalist, rdataset); if (result != ISC_R_SUCCESS) { goto cleanup; 
@@ -1087,24 +1121,66 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, rdataset->attributes |= DNS_RDATASETATTR_QUESTION; + /* + * Skip the duplicity check for first rdataset + */ + if (ISC_LIST_EMPTY(name->list)) { + result = ISC_R_SUCCESS; + goto skip_rds_check; + } + + /* + * Can't ask the same question twice. + */ + if (name->ht == NULL) { + isc_ht_init(&name->ht, msg->mctx, 1, + ISC_HT_CASE_SENSITIVE); + free_ht = true; + + INSIST(ISC_LIST_HEAD(name->list) == + ISC_LIST_TAIL(name->list)); + + dns_rdataset_t *old_rdataset = + ISC_LIST_HEAD(name->list); + + result = rds_hash_add(name->ht, old_rdataset, NULL); + + INSIST(result == ISC_R_SUCCESS); + } + result = rds_hash_add(name->ht, rdataset, NULL); + if (result == ISC_R_EXISTS) { + DO_ERROR(DNS_R_FORMERR); + } + + skip_rds_check: ISC_LIST_APPEND(name->list, rdataset, link); + rdataset = NULL; } if (seen_problem) { - return (DNS_R_RECOVERABLE); + result = DNS_R_RECOVERABLE; } - return (ISC_R_SUCCESS); cleanup: if (rdataset != NULL) { - INSIST(!dns_rdataset_isassociated(rdataset)); + if (dns_rdataset_isassociated(rdataset)) { + dns_rdataset_disassociate(rdataset); + } isc_mempool_put(msg->rdspool, rdataset); } if (free_name) { dns_message_puttempname(msg, &name); } + if (free_ht) { + cleanup_name_hashmaps(section); + } + + if (name_map != NULL) { + isc_ht_destroy(&name_map); + } + return (result); } 
@@ -1184,17 +1260,24 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, dns_name_t *name = NULL; dns_name_t *name2 = NULL; dns_rdataset_t *rdataset = NULL; + dns_rdataset_t *found_rdataset = NULL; dns_rdatalist_t *rdatalist = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; dns_rdatatype_t rdtype, covers; dns_rdataclass_t rdclass; dns_rdata_t *rdata = NULL; dns_ttl_t ttl; dns_namelist_t *section = &msg->sections[sectionid]; - bool free_name = false, free_rdataset = false, seen_problem = false; + bool free_name = false, seen_problem = false; + bool free_ht = false; bool preserve_order = ((options & DNS_MESSAGEPARSE_PRESERVEORDER) != 0); bool best_effort = ((options & DNS_MESSAGEPARSE_BESTEFFORT) != 0); bool isedns, issigzero, istsig; + isc_ht_t *name_map = NULL; + + if (msg->counts[sectionid] > 1) { + isc_ht_init(&name_map, msg->mctx, 1, ISC_HT_CASE_INSENSITIVE); + } for (count = 0; count < msg->counts[sectionid]; count++) { int recstart = source->current; @@ -1202,10 +1285,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, skip_name_search = false; skip_type_search = false; - free_rdataset = false; isedns = false; issigzero = false; istsig = false; + found_rdataset = NULL; name = NULL; result = dns_message_gettempname(msg, &name); @@ -1245,8 +1328,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, if (msg->rdclass_set == 0 && rdtype != dns_rdatatype_opt && /* class is UDP SIZE */ rdtype != dns_rdatatype_tsig && /* class is ANY */ - rdtype != dns_rdatatype_tkey) - { /* class is undefined */ + rdtype != dns_rdatatype_tkey) /* class is undefined */ + { msg->rdclass = rdclass; msg->rdclass_set = 1; } 
@@ -1353,10 +1436,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, * Then put the meta-class back into the finished rdata. */ rdata = newrdata(msg); - if (rdata == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup; - } if (msg->opcode == dns_opcode_update && update(sectionid, rdclass)) { 
@@ -1445,34 +1524,62 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, free_name = false; } } else { + if (name_map == NULL) { + result = ISC_R_SUCCESS; + goto skip_name_check; + } + /* * Run through the section, looking to see if this name * is already there. If it is found, put back the * allocated name since we no longer need it, and set * our name pointer to point to the name we found. */ - result = findname(&name2, name, section); + result = name_hash_add(name_map, name, &name2); /* * If it is a new name, append to the section. */ - if (result == ISC_R_SUCCESS) { + skip_name_check: + switch (result) { + case ISC_R_SUCCESS: + ISC_LIST_APPEND(*section, name, link); + break; + case ISC_R_EXISTS: dns_message_puttempname(msg, &name); name = name2; - } else { - ISC_LIST_APPEND(*section, name, link); + name2 = NULL; + break; + default: + UNREACHABLE(); } free_name = false; } + rdatalist = newrdatalist(msg); + rdatalist->type = rdtype; + rdatalist->covers = covers; + rdatalist->rdclass = rdclass; + rdatalist->ttl = ttl; + + dns_message_gettemprdataset(msg, &rdataset); + RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == + ISC_R_SUCCESS); + dns_rdataset_setownercase(rdataset, name); + rdatalist = NULL; + /* * Search name for the particular type and class. * Skip this stage if in update mode or this is a meta-type. */ - if (preserve_order || msg->opcode == dns_opcode_update || - skip_type_search) + if (isedns || istsig || issigzero) { + /* Skip adding the rdataset to the tables */ + } else if (preserve_order || msg->opcode == dns_opcode_update || + skip_type_search) { - result = ISC_R_NOTFOUND; + result = ISC_R_SUCCESS; + + ISC_LIST_APPEND(name->list, rdataset, link); } else { /* * If this is a type that can only occur in 
@@ -1482,59 +1589,71 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, DO_ERROR(DNS_R_FORMERR); } - rdataset = NULL; - result = dns_message_find(name, rdclass, rdtype, covers, - &rdataset); - } - - /* - * If we found an rdataset that matches, we need to - * append this rdata to that set. If we did not, we need - * to create a new rdatalist, store the important bits there, - * convert it to an rdataset, and link the latter to the name. - * Yuck. When appending, make certain that the type isn't - * a singleton type, such as SOA or CNAME. - * - * Note that this check will be bypassed when preserving order, - * the opcode is an update, or the type search is skipped. - */ - if (result == ISC_R_SUCCESS) { - if (dns_rdatatype_issingleton(rdtype)) { - dns_rdata_t *first; - dns_rdatalist_fromrdataset(rdataset, - &rdatalist); - first = ISC_LIST_HEAD(rdatalist->rdata); - INSIST(first != NULL); - if (dns_rdata_compare(rdata, first) != 0) { - DO_ERROR(DNS_R_FORMERR); - } + if (ISC_LIST_EMPTY(name->list)) { + result = ISC_R_SUCCESS; + goto skip_rds_check; } - } - if (result == ISC_R_NOTFOUND) { - rdataset = isc_mempool_get(msg->rdspool); - free_rdataset = true; + if (name->ht == NULL) { + isc_ht_init(&name->ht, msg->mctx, 1, + ISC_HT_CASE_SENSITIVE); + free_ht = true; - rdatalist = newrdatalist(msg); - if (rdatalist == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup; + INSIST(ISC_LIST_HEAD(name->list) == + ISC_LIST_TAIL(name->list)); + + dns_rdataset_t *old_rdataset = + ISC_LIST_HEAD(name->list); + + result = rds_hash_add(name->ht, old_rdataset, + NULL); + + INSIST(result == ISC_R_SUCCESS); } + found_rdataset = NULL; + result = rds_hash_add(name->ht, rdataset, + &found_rdataset); - rdatalist->type = rdtype; - rdatalist->covers = covers; - rdatalist->rdclass = rdclass; - rdatalist->ttl = ttl; + /* + * If we found an rdataset that matches, we need to + * append this rdata to that set. 
If we did not, we + * need to create a new rdatalist, store the important + * bits there, convert it to an rdataset, and link the + * latter to the name. Yuck. When appending, make + * certain that the type isn't a singleton type, such as + * SOA or CNAME. + * + * Note that this check will be bypassed when preserving + * order, the opcode is an update, or the type search is + * skipped. + */ + skip_rds_check: + switch (result) { + case ISC_R_EXISTS: + /* Free the rdataset we used as the key */ + dns_rdataset_disassociate(rdataset); + isc_mempool_put(msg->rdspool, rdataset); + result = ISC_R_SUCCESS; + rdataset = found_rdataset; - dns_rdataset_init(rdataset); - RUNTIME_CHECK( - dns_rdatalist_tordataset(rdatalist, rdataset) == - ISC_R_SUCCESS); - dns_rdataset_setownercase(rdataset, name); + if (!dns_rdatatype_issingleton(rdtype)) { + break; + } - if (!isedns && !istsig && !issigzero) { + dns_rdatalist_fromrdataset(rdataset, + &rdatalist); + dns_rdata_t *first = + ISC_LIST_HEAD(rdatalist->rdata); + INSIST(first != NULL); + if (dns_rdata_compare(rdata, first) != 0) { + DO_ERROR(DNS_R_FORMERR); + } + break; + case ISC_R_SUCCESS: ISC_LIST_APPEND(name->list, rdataset, link); - free_rdataset = false; + break; + default: + UNREACHABLE(); } } @@ -1569,8 +1688,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, dns_rcode_t ercode; msg->opt = rdataset; - rdataset = NULL; - free_rdataset = false; ercode = (dns_rcode_t)((msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK) >> 20); @@ -1581,8 +1698,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, msg->sig0 = rdataset; msg->sig0name = name; msg->sigstart = recstart; - rdataset = NULL; - free_rdataset = false; free_name = false; } else if (istsig) { msg->tsig = rdataset; 
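Review bot: In the `case ISC_R_EXISTS:` arm of the new switch, the rdataset that served as the lookup key is disassociated and returned to `msg->rdspool`, but the `rdatalist` it was built from (allocated by `newrdatalist(msg)` earlier in the hunk and then set to NULL) is not released anywhere visible. If `newrdatalist()` draws from a per-message pool that `msgreset` frees wholesale, this is only a transient per-duplicate-RR allocation that did not exist in the old code path; if it allocates individually, it is a leak on every RR that merges into an existing RRset. I cannot see `newrdatalist()` here, so either way a comment at the `/* Free the rdataset we used as the key */` line saying what happens to the associated rdatalist would settle the question for the next reader; getsection continues on both sides of this hunk.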
@@ -1592,22 +1707,17 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, * Windows doesn't like TSIG names to be compressed. */ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS; - rdataset = NULL; - free_rdataset = false; free_name = false; } + rdataset = NULL; if (seen_problem) { if (free_name) { dns_message_puttempname(msg, &name); } - if (free_rdataset) { - isc_mempool_put(msg->rdspool, rdataset); - } - free_name = free_rdataset = false; + free_name = false; } INSIST(!free_name); - INSIST(!free_rdataset); } /* @@ -1625,16 +1735,24 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, } if (seen_problem) { - return (DNS_R_RECOVERABLE); + result = DNS_R_RECOVERABLE; } - return (ISC_R_SUCCESS); cleanup: + if (rdataset != NULL && rdataset != found_rdataset) { + dns_rdataset_disassociate(rdataset); + isc_mempool_put(msg->rdspool, rdataset); + } if (free_name) { dns_message_puttempname(msg, &name); } - if (free_rdataset) { - isc_mempool_put(msg->rdspool, rdataset); + + if (free_ht) { + cleanup_name_hashmaps(section); + } + + if (name_map != NULL) { + isc_ht_destroy(&name_map); } return (result); @@ -1774,6 +1892,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, REQUIRE(DNS_MESSAGE_VALID(msg)); REQUIRE(buffer != NULL); + REQUIRE(isc_buffer_length(buffer) < 65536); REQUIRE(msg->buffer == NULL); REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER); @@ -2451,7 +2570,7 @@ dns_message_findname(dns_message_t *msg, dns_section_t section, const dns_name_t *target, dns_rdatatype_t type, dns_rdatatype_t covers, dns_name_t **name, dns_rdataset_t **rdataset) { - dns_name_t *foundname; + dns_name_t *foundname = NULL; isc_result_t result; /* 
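Review bot: In the cleanup hunk (`@@ -1625,16 +1735,24 @@`), `if (rdataset != NULL && rdataset != found_rdataset)` is what decides whether to disassociate and free `rdataset`, yet the hunks on L2304 (`@@ -1569` and `@@ -1581`) removed the immediate `rdataset = NULL;` after `msg->opt = rdataset;` and `msg->sig0 = rdataset;`, and the `ISC_R_SUCCESS` arm no longer clears a `free_rdataset` flag after `ISC_LIST_APPEND(name->list, rdataset, link)`; ownership therefore passes to the message or the name list well before the single `rdataset = NULL;` that this hunk adds at the end of the iteration. Any `goto cleanup` in that window (a non-best-effort `DO_ERROR`, for instance) would free an rdataset that `name->list`, `msg->opt`, `msg->sig0` or `msg->tsig` still references; the intervening lines are not visible here, so I can only say the invariant is now implicit rather than enforced. Restoring `rdataset = NULL;` directly after each ownership transfer — the removed lines plus one after each `ISC_LIST_APPEND(name->list, rdataset, link)` — would make the cleanup condition hold by construction rather than by code layout.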
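Review bot: `REQUIRE(isc_buffer_length(buffer) < 65536)` in the `@@ -1774` hunk turns a buffer size that `dns_message_renderbegin()` previously accepted into an assertion failure, i.e. a process abort for any caller that hands in a render buffer of 64 KiB or more; the header hunk on L2292 states the limit but not that it is enforced by `REQUIRE`. Callers are not in this chunk, so I cannot say whether any in-tree or plugin code is affected, but a search for render buffers sized at or above 65536 before merging would be prudent. If the intent is that a rendered message must fit a 16-bit wire length field, a comment on the REQUIRE line such as `/* rendered messages must fit a 16-bit length field */` would explain the constant.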
@@ -2498,22 +2617,6 @@ dns_message_findname(dns_message_t *msg, dns_section_t section, return (result); } -void -dns_message_movename(dns_message_t *msg, dns_name_t *name, - dns_section_t fromsection, dns_section_t tosection) { - REQUIRE(msg != NULL); - REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER); - REQUIRE(name != NULL); - REQUIRE(VALID_NAMED_SECTION(fromsection)); - REQUIRE(VALID_NAMED_SECTION(tosection)); - - /* - * Unlink the name from the old section - */ - ISC_LIST_UNLINK(msg->sections[fromsection], name, link); - ISC_LIST_APPEND(msg->sections[tosection], name, link); -} - void dns_message_addname(dns_message_t *msg, dns_name_t *name, dns_section_t section) { @@ -2590,6 +2693,10 @@ dns_message_puttempname(dns_message_t *msg, dns_name_t **itemp) { REQUIRE(!ISC_LINK_LINKED(item, link)); REQUIRE(ISC_LIST_HEAD(item->list) == NULL); + if (item->ht != NULL) { + isc_ht_destroy(&item->ht); + } + /* * we need to check this in case dns_name_dup() was used. */ diff --git a/lib/dns/name.c b/lib/dns/name.c index 8a258a2..90044ba 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -188,6 +188,7 @@ dns_name_invalidate(dns_name_t *name) { name->offsets = NULL; name->buffer = NULL; ISC_LINK_INIT(name, link); + INSIST(name->ht == NULL); } bool diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c index 9247ac1..941574d 100644 --- a/lib/dns/ncache.c +++ b/lib/dns/ncache.c @@ -754,7 +754,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found, raw += 2; sigregion.base = raw; dns_rdata_reset(&rdata); - dns_rdata_fromregion(&rdata, rdataset->rdclass, rdataset->type, + dns_rdata_fromregion(&rdata, ncacherdataset->rdclass, type, &sigregion); (void)dns_rdata_tostruct(&rdata, &rrsig, NULL); rdataset->covers = rrsig.covered; diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index b9fc699..5785cc1 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c 
@@ -48,10 +48,10 @@ goto failure; \ } while (0) -#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0) -#define CREATE(x) (((x)&DNS_NSEC3FLAG_CREATE) != 0) -#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0) -#define REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0) +#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0) +#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0) +#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0) +#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) isc_result_t dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, @@ -1138,12 +1138,6 @@ dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver, dns_rdata_t private = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); - - CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin, - rdataset.ttl, &rdata, &tuple)); - CHECK(do_one_tuple(&tuple, db, ver, diff)); - INSIST(tuple == NULL); - dns_nsec3param_toprivate(&rdata, &private, privatetype, buf, sizeof(buf)); buf[2] = DNS_NSEC3FLAG_REMOVE; diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index dc7382c..1a0bb0f 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -1135,9 +1135,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 const BIGNUM *ex = NULL; ENGINE *ep = NULL; + const char *engine = NULL; #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ isc_mem_t *mctx = NULL; - const char *engine = NULL, *label = NULL; + const char *label = NULL; EVP_PKEY *pkey = NULL; BIGNUM *n = NULL, *e = NULL, *d = NULL; BIGNUM *p = NULL, *q = NULL; 
@@ -1175,9 +1176,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 case TAG_RSA_ENGINE: engine = (char *)priv.elements[i].data; break; +#endif case TAG_RSA_LABEL: label = (char *)priv.elements[i].data; break; @@ -1229,7 +1232,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { pkey = NULL; DST_RET(ISC_R_SUCCESS); #else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - UNUSED(engine); DST_RET(DST_R_NOENGINE); #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } diff --git a/lib/dns/private.c b/lib/dns/private.c index 56573b3..4157e82 100644 --- a/lib/dns/private.c +++ b/lib/dns/private.c @@ -39,10 +39,10 @@ * been requested to be built otherwise a NSEC chain needs to be built. */ -#define REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0) -#define CREATE(x) (((x)&DNS_NSEC3FLAG_CREATE) != 0) -#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0) -#define NONSEC(x) (((x)&DNS_NSEC3FLAG_NONSEC) != 0) +#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) +#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0) +#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0) +#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0) #define CHECK(x) \ do { \ diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c index 57dcd54..29f19c8 100644 --- a/lib/dns/rbt.c +++ b/lib/dns/rbt.c @@ -302,6 +302,13 @@ dns__rbtnode_namelen(dns_rbtnode_t *node) { return (len); } +unsigned int +dns__rbtnode_getsize(dns_rbtnode_t *node) { + REQUIRE(DNS_RBTNODE_VALID(node)); + + return (NODE_SIZE(node)); +} + /* * Initialize a red/black tree of trees. */ @@ -1569,6 +1576,7 @@ create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep) { HASHVAL(node) = 0; ISC_LINK_INIT(node, deadlink); + ISC_LINK_INIT(node, prunelink); LOCKNUM(node) = 0; WILD(node) = 0; 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 5d36466..b09d97f 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -82,7 +82,7 @@ typedef uint32_t rbtdb_serial_t; typedef uint32_t rbtdb_rdatatype_t; -#define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type)&0xFFFF)) +#define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF)) #define RBTDB_RDATATYPE_EXT(type) ((dns_rdatatype_t)((type) >> 16)) #define RBTDB_RDATATYPE_VALUE(base, ext) \ ((rbtdb_rdatatype_t)(((uint32_t)ext) << 16) | \ @@ -477,12 +477,27 @@ struct dns_rbtdb { */ rdatasetheaderlist_t *rdatasets; + /* + * Start point % node_lock_count for next LRU cleanup. + */ + atomic_uint lru_sweep; + + /* + * When performing LRU cleaning limit cleaning to headers that were + * last used at or before this. + */ + atomic_uint last_used; + /*% * Temporary storage for stale cache nodes and dynamically deleted * nodes that await being cleaned up. */ rbtnodelist_t *deadnodes; + /* List of nodes from which recursive tree pruning can be started from. + * Locked by tree_lock. */ + rbtnodelist_t prunenodes; + /* * Heaps. These are used for TTL based expiry in a cache, * or for zone resigning in a zone DB. hmctx is the memory @@ -561,8 +576,7 @@ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, expire_t reason); static void -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, - bool tree_locked); +overmem_purge(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked); static void resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader); static void @@ -993,6 +1007,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) { unsigned int i; isc_result_t result; char buf[DNS_NAME_FORMATSIZE]; + dns_rbtnode_t *node = NULL; dns_rbt_t **treep; isc_time_t start; 
@@ -1018,8 +1033,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) { * the overhead of unlinking all nodes here should be negligible. */ for (i = 0; i < rbtdb->node_lock_count; i++) { - dns_rbtnode_t *node; - node = ISC_LIST_HEAD(rbtdb->deadnodes[i]); while (node != NULL) { ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink); @@ -1027,6 +1040,12 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) { } } + node = ISC_LIST_HEAD(rbtdb->prunenodes); + while (node != NULL) { + ISC_LIST_UNLINK(rbtdb->prunenodes, node, prunelink); + node = ISC_LIST_HEAD(rbtdb->prunenodes); + } + if (event == NULL) { rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0; } @@ -1832,19 +1851,32 @@ is_leaf(dns_rbtnode_t *node) { node->left == NULL && node->right == NULL); } +/*% + * The tree lock must be held when this function is called as it reads and + * updates rbtdb->prunenodes. + */ static void send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_t locktype) { - isc_event_t *ev; - dns_db_t *db; + bool pruning_queued = (ISC_LIST_HEAD(rbtdb->prunenodes) != NULL); + + INSIST(locktype == isc_rwlocktype_write); - ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE, - prune_tree, node, sizeof(isc_event_t)); new_reference(rbtdb, node, locktype); - db = NULL; - attach((dns_db_t *)rbtdb, &db); - ev->ev_sender = db; - isc_task_send(rbtdb->task, &ev); + INSIST(!ISC_LINK_LINKED(node, prunelink)); + ISC_LIST_APPEND(rbtdb->prunenodes, node, prunelink); + + if (!pruning_queued) { + isc_event_t *ev = NULL; + dns_db_t *db = NULL; + + attach((dns_db_t *)rbtdb, &db); + + ev = isc_event_allocate(rbtdb->common.mctx, NULL, + DNS_EVENT_RBTPRUNE, prune_tree, db, + sizeof(isc_event_t)); + isc_task_send(rbtdb->task, &ev); + } } /*% 
@@ -2119,17 +2151,26 @@ restore_locks: } /* - * Prune the tree by recursively cleaning-up single leaves. In the worst - * case, the number of iteration is the number of tree levels, which is at - * most the maximum number of domain name labels, i.e, 127. In practice, this - * should be much smaller (only a few times), and even the worst case would be - * acceptable for a single event. + * Prune the tree by recursively cleaning up single leaves. Go through all + * nodes stored in the rbtdb->prunenodes list; for each of them, in the worst + * case, it will be necessary to traverse a number of tree levels equal to the + * maximum legal number of domain name labels (127); in practice, the number of + * tree levels to traverse will virtually always be much smaller (a few levels + * at most). While holding the tree lock throughout this entire operation is + * less than ideal, so is splitting the latter up by queueing a separate + * prune_tree() run for each node to start pruning from (as queueing requires + * allocating memory and can therefore potentially be exploited to exhaust + * available memory). Also note that actually freeing up the memory used by + * RBTDB nodes (which is what this function does) is essential to keeping cache + * memory use in check, so since the tree lock needs to be acquired anyway, + * freeing as many nodes as possible before the tree lock gets released is + * prudent. */ static void prune_tree(isc_task_t *task, isc_event_t *event) { - dns_rbtdb_t *rbtdb = event->ev_sender; - dns_rbtnode_t *node = event->ev_arg; - dns_rbtnode_t *parent; + dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)event->ev_arg; + dns_rbtnode_t *node = NULL; + dns_rbtnode_t *parent = NULL; unsigned int locknum; UNUSED(task); 
@@ -2137,44 +2178,60 @@ prune_tree(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); - locknum = node->locknum; - NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); - do { - parent = node->parent; - decrement_reference(rbtdb, node, 0, isc_rwlocktype_write, - isc_rwlocktype_write, true); - if (parent != NULL && parent->down == NULL) { - /* - * node was the only down child of the parent and has - * just been removed. We'll then need to examine the - * parent. Keep the lock if possible; otherwise, - * release the old lock and acquire one for the parent. - */ - if (parent->locknum != locknum) { - NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, - isc_rwlocktype_write); - locknum = parent->locknum; - NODE_LOCK(&rbtdb->node_locks[locknum].lock, - isc_rwlocktype_write); + while ((node = ISC_LIST_HEAD(rbtdb->prunenodes)) != NULL) { + locknum = node->locknum; + NODE_LOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + do { + if (ISC_LINK_LINKED(node, prunelink)) { + ISC_LIST_UNLINK(rbtdb->prunenodes, node, + prunelink); } - /* - * We need to gain a reference to the node before - * decrementing it in the next iteration. - */ - if (ISC_LINK_LINKED(parent, deadlink)) { - ISC_LIST_UNLINK(rbtdb->deadnodes[locknum], + parent = node->parent; + decrement_reference(rbtdb, node, 0, + isc_rwlocktype_write, + isc_rwlocktype_write, true); + + if (parent != NULL && parent->down == NULL) { + /* + * node was the only down child of the parent + * and has just been removed. We'll then need + * to examine the parent. Keep the lock if + * possible; otherwise, release the old lock and + * acquire one for the parent. 
+ */ + if (parent->locknum != locknum) { + NODE_UNLOCK( + &rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + locknum = parent->locknum; + NODE_LOCK( + &rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + } + + /* + * We need to gain a reference to the node + * before decrementing it in the next iteration. + */ + if (ISC_LINK_LINKED(parent, deadlink)) { + ISC_LIST_UNLINK( + rbtdb->deadnodes[locknum], parent, deadlink); + } + new_reference(rbtdb, parent, + isc_rwlocktype_write); + } else { + parent = NULL; } - new_reference(rbtdb, parent, isc_rwlocktype_write); - } else { - parent = NULL; - } - node = parent; - } while (node != NULL); - NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); + node = parent; + } while (node != NULL); + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + } RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); detach((dns_db_t **)&rbtdb); @@ -6444,6 +6501,9 @@ find_header: if (header->rdh_ttl > newheader->rdh_ttl) { set_ttl(rbtdb, header, newheader->rdh_ttl); } + if (header->last_used != now) { + update_header(rbtdb, header, now); + } if (header->noqname == NULL && newheader->noqname != NULL) { @@ -6496,6 +6556,9 @@ find_header: if (header->rdh_ttl > newheader->rdh_ttl) { set_ttl(rbtdb, header, newheader->rdh_ttl); } + if (header->last_used != now) { + update_header(rbtdb, header, now); + } if (header->noqname == NULL && newheader->noqname != NULL) { @@ -6523,6 +6586,9 @@ find_header: idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { if (ZEROTTL(newheader)) { + newheader->last_used = + atomic_load(&rbtdb->last_used) + + 1; ISC_LIST_APPEND(rbtdb->rdatasets[idx], newheader, link); } else { @@ -6564,6 +6630,9 @@ find_header: INSIST(rbtdb->heaps != NULL); isc_heap_insert(rbtdb->heaps[idx], newheader); if (ZEROTTL(newheader)) { + newheader->last_used = + atomic_load(&rbtdb->last_used) + + 1; ISC_LIST_APPEND(rbtdb->rdatasets[idx], newheader, link); } else { 
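Review bot: When the upward walk in prune_tree() reaches a `parent` that is itself already on `rbtdb->prunenodes`, the next iteration unlinks it at the top of the do/while but calls `decrement_reference()` only once, while that node then holds two references: the one `send_to_prune_tree()` took when it was queued and the `new_reference(rbtdb, parent, isc_rwlocktype_write)` taken just before `node = parent`. Unless `decrement_reference()` accounts for the queued reference in a way not visible here, such a node keeps a stray reference and is never freed, which undercuts the memory-bounding purpose of this rework. A minimal fix is to not take the extra reference for an already-queued parent, `if (!ISC_LINK_LINKED(parent, prunelink)) { new_reference(rbtdb, parent, isc_rwlocktype_write); }`, and let the unlink at the loop top consume the queued one. The scenario (a leaf queued for pruning that later gained and lost a child) is inferred from the list semantics, so please confirm it against `decrement_reference()` and the `pruning` argument it receives.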
@@ -6969,8 +7038,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, } if (cache_is_overmem) { - overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), - tree_locked); + overmem_purge(rbtdb, newheader, tree_locked); } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, @@ -8305,6 +8373,8 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, ISC_LIST_INIT(rbtdb->deadnodes[i]); } + ISC_LIST_INIT(rbtdb->prunenodes); + rbtdb->active = rbtdb->node_lock_count; for (i = 0; i < (int)(rbtdb->node_lock_count); i++) { @@ -9640,7 +9710,7 @@ rehash_bits(rbtdb_version_t *version, size_t newcount) { uint32_t newbits = oldbits; while (newcount >= HASHSIZE(newbits) && - newbits <= RBTDB_GLUE_TABLE_MAX_BITS) + newbits < RBTDB_GLUE_TABLE_MAX_BITS) { newbits += 1; } @@ -10147,7 +10217,10 @@ expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, size_t purged = 0; for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); - header != NULL && purged <= purgesize; header = header_prev) + header != NULL && + header->last_used <= atomic_load(&rbtdb->last_used) && + purged <= purgesize; + header = header_prev) { header_prev = ISC_LIST_PREV(header, link); /* 
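Review bot: The `atomic_uint lru_sweep` and `atomic_uint last_used` members added to `struct dns_rbtdb` earlier in this commit are not initialised in the dns_rbtdb_create() hunk, which only adds `ISC_LIST_INIT(rbtdb->prunenodes);`, yet `overmem_purge()` does `atomic_fetch_add(&rbtdb->lru_sweep, 1)` and `expire_lru_headers()` now loads `rbtdb->last_used` on every iteration. If the structure is not zero-filled at allocation, those are reads of uninitialised storage. Unless the initialisation lives in a part of dns_rbtdb_create() outside the hunk, add next to the list init: `atomic_init(&rbtdb->lru_sweep, 0); atomic_init(&rbtdb->last_used, 0);`. Zero is the right starting value: with `last_used == 0` the first purge pass removes nothing and `overmem_purge()` then raises the threshold from the list tails.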
@@ -10171,30 +10244,58 @@ expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, * entries under the overmem condition. To recover from this condition quickly, * we cleanup entries up to the size of newly added rdata (passed as purgesize). * - * This process is triggered while adding a new entry, and we specifically avoid - * purging entries in the same LRU bucket as the one to which the new entry will - * belong. Otherwise, we might purge entries of the same name of different RR - * types while adding RRsets from a single response (consider the case where - * we're adding A and AAAA glue records of the same NS name). + * The LRU lists tails are processed in LRU order to the nearest second. + * + * A write lock on the tree must be held. */ static void -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, +overmem_purge(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, bool tree_locked) { - unsigned int locknum; + uint32_t locknum_start = atomic_fetch_add(&rbtdb->lru_sweep, 1) % + rbtdb->node_lock_count; + uint32_t locknum = locknum_start; + /* Size of added data, possible node and possible ENT node. */ + size_t purgesize = rdataset_size(newheader) + + 2 * dns__rbtnode_getsize(newheader->node); size_t purged = 0; + isc_stdtime_t min_last_used = 0; + size_t max_passes = 8; - for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; - locknum != locknum_start && purged <= purgesize; - locknum = (locknum + 1) % rbtdb->node_lock_count) - { +again: + do { NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, tree_locked); + /* + * Work out the oldest remaining last_used values of the list + * tails as we walk across the array of lru lists. 
+ */ + rdatasetheader_t *header = + ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); + if (header != NULL && + (min_last_used == 0 || header->last_used < min_last_used)) + { + min_last_used = header->last_used; + } NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); + locknum = (locknum + 1) % rbtdb->node_lock_count; + } while (locknum != locknum_start && purged <= purgesize); + + /* + * Update rbtdb->last_used if we have walked all the list tails and have + * not freed the required amount of memory. + */ + if (purged < purgesize) { + if (min_last_used != 0) { + atomic_store(&rbtdb->last_used, min_last_used); + if (max_passes-- > 0) { + goto again; + } + } } } diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index b7f9ed2..592b974 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -2059,7 +2059,7 @@ decvalue(char value) { * isascii() is valid for full range of int values, no need to * mask or cast. */ - if (!isascii(value)) { + if (!isascii((unsigned char)value)) { return (-1); } if ((s = strchr(decdigits, value)) == NULL) { diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 66bb1ac..60cac29 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -2139,10 +2139,13 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, INSIST(ISC_LIST_EMPTY(fctx->validators)); query = isc_mem_get(fctx->mctx, sizeof(*query)); - *query = (resquery_t){ .mctx = fctx->mctx, - .options = options, - .addrinfo = addrinfo, - .dispatchmgr = res->dispatchmgr }; + *query = (resquery_t){ + .mctx = fctx->mctx, + .options = options, + .addrinfo = addrinfo, + .dispatchmgr = res->dispatchmgr, + .link = ISC_LINK_INITIALIZER, + }; isc_refcount_init(&query->references, 1); @@ -2247,7 +2250,6 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, } fctx_attach(fctx, &query->fctx); - ISC_LINK_INIT(query, link); query->magic = QUERY_MAGIC; if ((query->options & DNS_FETCHOPT_TCP) == 0) { 
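Review bot: `min_last_used` is declared before the `again:` label and is only ever lowered inside the loop, so after the first retry it still holds the value that was just stored into `rbtdb->last_used`; every further pass stores the same threshold, `expire_lru_headers()` finds nothing new below it, and each pass still takes every node lock once, so `max_passes = 8` effectively buys a single productive retry. Reset it per pass so each pass recomputes the oldest remaining tail before raising the threshold: `again: min_last_used = 0;`. Separately, the new comment states `A write lock on the tree must be held.`, but the function still accepts `tree_locked` and forwards it to `expire_lru_headers()`, and the only visible caller in addrdataset() passes a variable; either the comment or the parameter is wrong, and a lock claim in a comment is something readers will rely on, so please reconcile them (an `INSIST`/`REQUIRE` if the lock really is mandatory, otherwise drop the sentence).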
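Review bot: The comment immediately above the changed line in decvalue() still reads `isascii() is valid for full range of int values, no need to mask or cast.`, which now contradicts the added `(unsigned char)` cast; replace it with the actual reason, e.g. `/* 'value' is a plain char and may be negative; cast as for the other ctype calls. */`. While here, the following `strchr(decdigits, value)` matches the terminating NUL when `value == '\0'`, so `decvalue('\0')` presumably returns the terminator's index rather than -1; `if (value == '\0' || !isascii((unsigned char)value)) { return (-1); }` closes that, assuming no caller already filters NUL. decvalue's tail is outside the hunk, so the return expression is inferred.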
@@ -2291,6 +2293,13 @@ cleanup_udpfetch: } } + LOCK(&res->buckets[fctx->bucketnum].lock); + if (ISC_LINK_LINKED(query, link)) { + atomic_fetch_sub_release(&fctx->nqueries, 1); + ISC_LIST_UNLINK(fctx->queries, query, link); + } + UNLOCK(&res->buckets[fctx->bucketnum].lock); + cleanup_dispatch: fctx_detach(&query->fctx); @@ -2299,13 +2308,6 @@ cleanup_dispatch: } cleanup_query: - LOCK(&res->buckets[fctx->bucketnum].lock); - if (ISC_LINK_LINKED(query, link)) { - atomic_fetch_sub_release(&fctx->nqueries, 1); - ISC_LIST_UNLINK(fctx->queries, query, link); - } - UNLOCK(&res->buckets[fctx->bucketnum].lock); - query->magic = 0; dns_message_detach(&query->rmessage); isc_mem_put(fctx->mctx, query, sizeof(*query)); @@ -10406,8 +10408,8 @@ dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr, * Since we have a pool of tasks we bind them to task * queues to spread the load evenly */ - result = isc_task_create_bound(taskmgr, 0, - &res->buckets[i].task, i); + result = isc_task_create_bound( + taskmgr, 0, &res->buckets[i].task, ISC_NM_TASK_SLOW(i)); if (result != ISC_R_SUCCESS) { ntasks = i; isc_mutex_destroy(&res->buckets[i].lock); diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c index 9a61587..1b8b937 100644 --- a/lib/dns/rootns.c +++ b/lib/dns/rootns.c @@ -34,6 +34,9 @@ #include #include +/* + * Also update 'upcoming' when updating 'root_ns'. + */ static char root_ns[] = ";\n" "; Internet Root Nameservers\n" @@ -54,8 +57,8 @@ static char root_ns[] = ". 518400 IN NS M.ROOT-SERVERS.NET.\n" "A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n" "A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n" - "B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n" - "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n" + "B.ROOT-SERVERS.NET. 3600000 IN A 170.247.170.2\n" + "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2801:1b8:10::b\n" "C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n" "C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c\n" "D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13\n" 
@@ -79,6 +82,24 @@ static char root_ns[] = "M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n" "M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:DC3::35\n"; +static unsigned char b_data[] = "\001b\014root-servers\003net"; +static unsigned char b_offsets[] = { 0, 2, 15, 19 }; + +static struct upcoming { + const dns_name_t name; + dns_rdatatype_t type; + isc_stdtime_t time; +} upcoming[] = { { + .name = DNS_NAME_INITABSOLUTE(b_data, b_offsets), + .type = dns_rdatatype_a, + .time = 1701086400 /* November 27 2023, 12:00 UTC */ + }, + { + .name = DNS_NAME_INITABSOLUTE(b_data, b_offsets), + .type = dns_rdatatype_aaaa, + .time = 1701086400 /* November 27 2023, 12:00 UTC */ + } }; + static isc_result_t in_rootns(dns_rdataset_t *rootns, dns_name_t *name) { isc_result_t result; @@ -337,6 +358,18 @@ inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) { return (false); } +static bool +changing(const dns_name_t *name, dns_rdatatype_t type, isc_stdtime_t now) { + for (size_t i = 0; i < ARRAY_SIZE(upcoming); i++) { + if (upcoming[i].time > now && upcoming[i].type == type && + dns_name_equal(&upcoming[i].name, name)) + { + return (true); + } + } + return (false); +} + /* * Check that the address RRsets match. * @@ -368,7 +401,9 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db, while (result == ISC_R_SUCCESS) { dns_rdata_reset(&rdata); dns_rdataset_current(&rootrrset, &rdata); - if (!inrrset(&hintrrset, &rdata)) { + if (!inrrset(&hintrrset, &rdata) && + !changing(name, dns_rdatatype_a, now)) + { report(view, name, true, &rdata); } result = dns_rdataset_next(&rootrrset); @@ -377,7 +412,9 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db, while (result == ISC_R_SUCCESS) { dns_rdata_reset(&rdata); dns_rdataset_current(&hintrrset, &rdata); - if (!inrrset(&rootrrset, &rdata)) { + if (!inrrset(&rootrrset, &rdata) && + !changing(name, dns_rdatatype_a, now)) + { report(view, name, false, &rdata); } result = dns_rdataset_next(&hintrrset); 
@@ -416,7 +453,9 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db, while (result == ISC_R_SUCCESS) { dns_rdata_reset(&rdata); dns_rdataset_current(&rootrrset, &rdata); - if (!inrrset(&hintrrset, &rdata)) { + if (!inrrset(&hintrrset, &rdata) && + !changing(name, dns_rdatatype_aaaa, now)) + { report(view, name, true, &rdata); } dns_rdata_reset(&rdata); @@ -426,7 +465,9 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db, while (result == ISC_R_SUCCESS) { dns_rdata_reset(&rdata); dns_rdataset_current(&hintrrset, &rdata); - if (!inrrset(&rootrrset, &rdata)) { + if (!inrrset(&rootrrset, &rdata) && + !changing(name, dns_rdatatype_aaaa, now)) + { report(view, name, false, &rdata); } dns_rdata_reset(&rdata); diff --git a/lib/dns/stats.c b/lib/dns/stats.c index 390a397..238efac 100644 --- a/lib/dns/stats.c +++ b/lib/dns/stats.c @@ -367,11 +367,12 @@ void dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg, dnssecsignstats_type_t operation) { uint32_t kval; - int num_keys = isc_stats_ncounters(stats->counters) / - dnssecsign_block_size; REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec); + int num_keys = isc_stats_ncounters(stats->counters) / + dnssecsign_block_size; + /* Shift algorithm in front of key tag, which is 16 bits */ kval = (uint32_t)(alg << 16 | id); @@ -414,11 +415,12 @@ dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg, void dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg) { uint32_t kval; - int num_keys = isc_stats_ncounters(stats->counters) / - dnssecsign_block_size; REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec); + int num_keys = isc_stats_ncounters(stats->counters) / + dnssecsign_block_size; + /* Shift algorithm in front of key tag, which is 16 bits */ kval = (uint32_t)(alg << 16 | id); diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 857ec4c..8f96008 100644 --- a/lib/dns/tsig.c 
+++ b/lib/dns/tsig.c @@ -1757,8 +1757,9 @@ isc_result_t dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name, const dns_name_t *algorithm, dns_tsig_keyring_t *ring) { dns_tsigkey_t *key; - isc_stdtime_t now; isc_result_t result; + isc_rwlocktype_t locktype = isc_rwlocktype_read; + isc_stdtime_t now; REQUIRE(tsigkey != NULL); REQUIRE(*tsigkey == NULL); @@ -1770,25 +1771,30 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name, RWUNLOCK(&ring->lock, isc_rwlocktype_write); isc_stdtime_get(&now); - RWLOCK(&ring->lock, isc_rwlocktype_read); + +again: + RWLOCK(&ring->lock, locktype); key = NULL; result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key); if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) { - RWUNLOCK(&ring->lock, isc_rwlocktype_read); + RWUNLOCK(&ring->lock, locktype); return (ISC_R_NOTFOUND); } if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) { - RWUNLOCK(&ring->lock, isc_rwlocktype_read); + RWUNLOCK(&ring->lock, locktype); return (ISC_R_NOTFOUND); } if (key->inception != key->expire && isc_serial_lt(key->expire, now)) { /* * The key has expired. */ - RWUNLOCK(&ring->lock, isc_rwlocktype_read); - RWLOCK(&ring->lock, isc_rwlocktype_write); + if (locktype == isc_rwlocktype_read) { + RWUNLOCK(&ring->lock, locktype); + locktype = isc_rwlocktype_write; + goto again; + } remove_fromring(key); - RWUNLOCK(&ring->lock, isc_rwlocktype_write); + RWUNLOCK(&ring->lock, locktype); return (ISC_R_NOTFOUND); } #if 0 @@ -1803,7 +1809,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name, } #endif /* if 0 */ isc_refcount_increment(&key->refs); - RWUNLOCK(&ring->lock, isc_rwlocktype_read); + RWUNLOCK(&ring->lock, locktype); adjust_lru(key); *tsigkey = key; return (ISC_R_SUCCESS); diff --git a/lib/dns/update.c b/lib/dns/update.c index 13fd05b..c3f162a 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c 
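Review bot: The `goto again` after switching `locktype` to write deserves a comment, because the seemingly cheaper alternative of keeping `key` across the unlock/relock is what the old code did and is unsafe: another thread can take the same expiry path and `remove_fromring(key)` in that window, so the re-lookup is the whole point. Suggested, above `if (locktype == isc_rwlocktype_read)`: `/* Re-run the lookup under the write lock: 'key' may have been removed by another thread while the read lock was dropped. */`. Since `now` is fixed before `again:`, the expiry test is deliberately repeated on the write-locked pass; stating that keeps someone from "optimising" the second check away.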
@@ -1089,8 +1089,8 @@ static isc_result_t add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, - isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk, - bool keyset_kskonly) { + isc_stdtime_t now, isc_stdtime_t inception, isc_stdtime_t expire, + bool check_ksk, bool keyset_kskonly) { isc_result_t result; dns_dbnode_t *node = NULL; dns_kasp_t *kasp = dns_zone_getkasp(zone); @@ -1223,7 +1223,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, continue; } else if (zsk && !dst_key_is_signing(keys[i], DST_BOOL_ZSK, - inception, &when)) + now, &when)) { /* * This key is not active for zone-signing. @@ -1381,8 +1381,9 @@ static isc_result_t add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, bool cut, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, - isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk, - bool keyset_kskonly, unsigned int *sigs) { + isc_stdtime_t now, isc_stdtime_t inception, + isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly, + unsigned int *sigs) { isc_result_t result; dns_dbnode_t *node; dns_rdatasetiter_t *iter; @@ -1432,7 +1433,7 @@ add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, continue; } result = add_sigs(log, zone, db, ver, name, type, diff, keys, - nkeys, inception, expire, check_ksk, + nkeys, now, inception, expire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { goto cleanup_iterator; @@ -1481,7 +1482,7 @@ struct dns_update_state { dns_diff_t work; dst_key_t *zone_keys[DNS_MAXZONEKEYS]; unsigned int nkeys; - isc_stdtime_t inception, expire, soaexpire, keyexpire; + isc_stdtime_t now, inception, expire, soaexpire, keyexpire; dns_ttl_t nsecttl; bool check_ksk, keyset_kskonly, build_nsec3; enum { 
@@ -1527,7 +1528,6 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_difftuple_t *t, *next; bool flag, build_nsec; unsigned int i; - isc_stdtime_t now; dns_rdata_soa_t soa; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; @@ -1564,16 +1564,17 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, goto failure; } - isc_stdtime_get(&now); - state->inception = now - 3600; /* Allow for some clock skew. */ - state->expire = now + + isc_stdtime_get(&state->now); + state->inception = state->now - 3600; /* Allow for some clock + skew. */ + state->expire = state->now + dns__jitter_expire(zone, sigvalidityinterval); - state->soaexpire = now + sigvalidityinterval; + state->soaexpire = state->now + sigvalidityinterval; state->keyexpire = dns_zone_getkeyvalidityinterval(zone); if (state->keyexpire == 0) { state->keyexpire = state->expire; } else { - state->keyexpire += now; + state->keyexpire += state->now; } /* @@ -1689,8 +1690,8 @@ next_state: log, zone, db, newver, name, type, &state->sig_diff, state->zone_keys, state->nkeys, - state->inception, exp, - state->check_ksk, + state->now, state->inception, + exp, state->check_ksk, state->keyset_kskonly)); sigs++; } @@ -1892,9 +1893,10 @@ next_state: CHECK(add_exposed_sigs( log, zone, db, newver, name, cut, &state->sig_diff, state->zone_keys, - state->nkeys, state->inception, - state->expire, state->check_ksk, - state->keyset_kskonly, &sigs)); + state->nkeys, state->now, + state->inception, state->expire, + state->check_ksk, state->keyset_kskonly, + &sigs)); } unlink: ISC_LIST_UNLINK(state->affected.tuples, t, link); @@ -1970,8 +1972,8 @@ next_state: dns_rdatatype_nsec, &state->sig_diff, state->zone_keys, state->nkeys, - state->inception, state->expire, - state->check_ksk, + state->now, state->inception, + state->expire, state->check_ksk, state->keyset_kskonly)); sigs++; } else { 
@@ -2099,9 +2101,10 @@ next_state: CHECK(add_exposed_sigs( log, zone, db, newver, name, cut, &state->sig_diff, state->zone_keys, - state->nkeys, state->inception, - state->expire, state->check_ksk, - state->keyset_kskonly, &sigs)); + state->nkeys, state->now, + state->inception, state->expire, + state->check_ksk, state->keyset_kskonly, + &sigs)); CHECK(dns_nsec3_addnsec3sx( db, newver, name, state->nsecttl, unsecure, privatetype, @@ -2145,8 +2148,8 @@ next_state: dns_rdatatype_nsec3, &state->sig_diff, state->zone_keys, state->nkeys, - state->inception, state->expire, - state->check_ksk, + state->now, state->inception, + state->expire, state->check_ksk, state->keyset_kskonly)); sigs++; } else { diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 56a0ced..47c4813 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1104,8 +1104,8 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, * 'rdataset'. If found, build a dst_key_t for it and point val->key at * it. * - * If val->key is already non-NULL, locate it in the rdataset and then - * search past it for the *next* key that could have signed 'siginfo', then + * If val->key is already non-NULL, start searching from the next position in + * 'rdataset' to find the *next* key that could have signed 'siginfo', then * set val->key to that. * * Returns ISC_R_SUCCESS if a possible matching key has been found, 
@@ -1118,59 +1118,59 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) { isc_buffer_t b; dns_rdata_t rdata = DNS_RDATA_INIT; dst_key_t *oldkey = val->key; - bool foundold; + bool no_rdata = false; if (oldkey == NULL) { - foundold = true; + result = dns_rdataset_first(rdataset); } else { - foundold = false; + dst_key_free(&oldkey); val->key = NULL; + result = dns_rdataset_next(rdataset); } - - result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) { - goto failure; + goto done; } + do { dns_rdataset_current(rdataset, &rdata); isc_buffer_init(&b, rdata.data, rdata.length); isc_buffer_add(&b, rdata.length); INSIST(val->key == NULL); - result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, - val->view->mctx, &val->key); + result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b, + val->view->mctx, no_rdata, + &val->key); if (result == ISC_R_SUCCESS) { if (siginfo->algorithm == (dns_secalg_t)dst_key_alg(val->key) && siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) && + (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) == + 0 && dst_key_iszonekey(val->key)) { - if (foundold) { - /* - * This is the key we're looking for. - */ - return (ISC_R_SUCCESS); - } else if (dst_key_compare(oldkey, val->key)) { - foundold = true; - dst_key_free(&oldkey); + if (no_rdata) { + /* Retry with full key */ + dns_rdata_reset(&rdata); + dst_key_free(&val->key); + no_rdata = false; + continue; } + /* This is the key we're looking for. */ + goto done; } dst_key_free(&val->key); } dns_rdata_reset(&rdata); result = dns_rdataset_next(rdataset); + no_rdata = true; } while (result == ISC_R_SUCCESS); +done: if (result == ISC_R_NOMORE) { result = ISC_R_NOTFOUND; } -failure: - if (oldkey != NULL) { - dst_key_free(&oldkey); - } - return (result); } 
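Review bot: The `no_rdata` two-phase parse is the subtle part of the new loop and has no comment: after the first candidate every DNSKEY is parsed with `dst_key_fromdns_ex(..., no_rdata, ...)` set to true, the `continue` on a match relies on `result` still being `ISC_R_SUCCESS` so the do/while re-enters with the same rdata and `no_rdata = false`, and only then is the full key built. Suggested at `bool no_rdata = false;`: `/* After the first candidate, DNSKEYs are parsed without key material for a cheap alg/tag/flags match; a hit is re-parsed in full before it is returned. */`, and at the `continue`: `/* do/while re-tests 'result' (still success) and re-reads the same rdata. */`. The new `DNS_KEYFLAG_REVOKE` exclusion is also worth a one-line comment, since it is a deliberate policy change (revoked keys are no longer accepted as signers) rather than a refactor.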
@@ -1589,20 +1589,9 @@ validate_answer(dns_validator_t *val, bool resume) { continue; } - do { - isc_result_t tresult; - vresult = verify(val, val->key, &rdata, - val->siginfo->keyid); - if (vresult == ISC_R_SUCCESS) { - break; - } - - tresult = select_signing_key(val, val->keyset); - if (tresult != ISC_R_SUCCESS) { - break; - } - } while (1); + vresult = verify(val, val->key, &rdata, val->siginfo->keyid); if (vresult != ISC_R_SUCCESS) { + val->failed = true; validator_log(val, ISC_LOG_DEBUG(3), "failed to verify rdataset"); } else { @@ -1639,9 +1628,13 @@ validate_answer(dns_validator_t *val, bool resume) { } else { validator_log(val, ISC_LOG_DEBUG(3), "verify failure: %s", - isc_result_totext(result)); + isc_result_totext(vresult)); resume = false; } + if (val->failed) { + result = ISC_R_NOMORE; + break; + } } if (result != ISC_R_NOMORE) { validator_log(val, ISC_LOG_DEBUG(3), diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 393b557..1aa982a 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c 
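Review bot: Removing the inner retry loop means one failed `verify()` now sets `val->failed` and terminates the signature loop with `ISC_R_NOMORE`, so a response is rejected on the first bad (key, signature) pair instead of trying further DNSKEYs with the same tag and algorithm; that bounds the work a crafted RRset can force per response, but it also means a legitimate key-tag collision fails validation when `select_signing_key()` returned the wrong key first (the loop head that picks the key is outside the hunk, so I cannot confirm whether a second key is tried elsewhere). The trade-off should be stated at the verify() call, e.g. `/* One verification per RRSIG: do not iterate over other DNSKEYs, that would let a crafted response multiply validation cost. */`. Also, `val->failed` is set but never cleared in this hunk; if validate_answer() is re-entered with `resume`, confirm the flag is reset, otherwise a stale value short-circuits the loop on the next pass.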
@@ -1143,7 +1143,24 @@ get_create_tlsctx(const dns_xfrin_ctx_t *xfr, isc_tlsctx_t **pctx, */ INSIST(found != NULL); isc_tlsctx_free(&tlsctx); - isc_tls_cert_store_free(&store); + /* + * The 'store' variable can be 'NULL' when remote server + * verification is not enabled (that is, when Strict or + * Mutual TLS are not used). + * + * The 'found_store' might be equal to 'store' as there + * is one-to-many relation between a store and + * per-transport TLS contexts. In that case, the call to + * 'isc_tlsctx_cache_find()' above could have returned a + * store via the 'found_store' variable, whose value we + * can assign to 'store' later. In that case, + * 'isc_tlsctx_cache_add()' will return the same value. + * When that happens, we should not free the store + * object, as it is managed by the TLS context cache. + */ + if (store != NULL && store != found_store) { + isc_tls_cert_store_free(&store); + } isc_tlsctx_client_session_cache_detach(&sess_cache); /* Let's return the data from the cache. */ *psess_cache = found_sess_cache; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 4428e3d..729adcb 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -126,7 +126,7 @@ */ #define RANGE(a, min, max) (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max))) -#define NSEC3REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0) +#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) /*% * Key flags @@ -3971,15 +3971,11 @@ set_resigntime(dns_zone_t *zone) { INSIST(LOCKED_ZONE(zone)); /* We only re-sign zones that can be dynamically updated */ - if (zone->update_disabled) { + if (!dns_zone_isdynamic(zone, false)) { return; } - if (!inline_secure(zone) && - (zone->type != dns_zone_primary || - (zone->ssutable == NULL && - (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl))))) - { + if (inline_raw(zone)) { return; } 
@@ -5330,7 +5326,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, is_dynamic = dns_zone_isdynamic(zone, false); if (zone->type == dns_zone_primary && !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) && - is_dynamic && dns_db_issecure(db)) + is_dynamic && dns_db_issecure(db) && !inline_raw(zone)) { dns_name_t *name; dns_fixedname_t fixed; @@ -6931,8 +6927,9 @@ failure: static isc_result_t add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, - unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception, - isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) { + unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t now, + isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk, + bool keyset_kskonly) { isc_result_t result; dns_dbnode_t *node = NULL; dns_stats_t *dnssecsignstats; @@ -7124,7 +7121,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, continue; } } else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK, - inception, &when)) + now, &when)) { /* * This key is not active for zone-signing. @@ -7343,7 +7340,7 @@ zone_resigninc(dns_zone_t *zone) { */ result = add_sigs(db, version, name, zone, covers, zonediff.diff, zone_keys, nkeys, zone->mctx, - inception, + now, inception, resign > (now - 300) ? expire : fullexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { @@ -7406,7 +7403,7 @@ zone_resigninc(dns_zone_t *zone) { * termination is sensible. */ result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, - zonediff.diff, zone_keys, nkeys, zone->mctx, + zonediff.diff, zone_keys, nkeys, zone->mctx, now, inception, soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, 
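Review bot: The new `isc_stdtime_t now` parameter of add_sigs() is inserted between `mctx` and `inception`, and the three time arguments share one type, so a caller that swaps `now` and `inception` compiles silently; the hunk does not say what distinguishes them. The `dst_key_is_signing(keys[i], DST_BOOL_ZSK, now, &when)` change further down shows that key signing state is now judged against `now` rather than `inception`, so a header comment should pin that, e.g. `/* 'now' is the current time used to evaluate key signing state; 'inception' is the RRSIG inception time, passed separately by callers and not necessarily equal to 'now'. */`. The same applies to sign_a_node() in the following hunk, which gains the identical parameter in the same position. add_sigs() continues outside the hunk.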
@@ -7642,10 +7639,11 @@ failure: static isc_result_t sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3, - bool build_nsec, dst_key_t *key, isc_stdtime_t inception, - isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk, - bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff, - int32_t *signatures, isc_mem_t *mctx) { + bool build_nsec, dst_key_t *key, isc_stdtime_t now, + isc_stdtime_t inception, isc_stdtime_t expire, dns_ttl_t nsecttl, + bool is_ksk, bool is_zsk, bool keyset_kskonly, + bool is_bottom_of_zone, dns_diff_t *diff, int32_t *signatures, + isc_mem_t *mctx) { isc_result_t result; dns_rdatasetiter_t *iterator = NULL; dns_rdataset_t rdataset; @@ -7740,8 +7738,8 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, } } else if (!is_zsk) { goto next_rdataset; - } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK, - inception, &when)) + } else if (is_zsk && + !dst_key_is_signing(key, DST_BOOL_ZSK, now, &when)) { /* Only applies to dnssec-policy. */ if (dns_zone_getkasp(zone) != NULL) { @@ -8344,8 +8342,8 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, } result = add_sigs(db, version, &tuple->name, zone, tuple->rdata.type, zonediff->diff, zone_keys, - nkeys, zone->mctx, inception, exp, check_ksk, - keyset_kskonly); + nkeys, zone->mctx, now, inception, exp, + check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "dns__zone_updatesigs:add_sigs -> %s", @@ -9119,7 +9117,7 @@ skip_removals: } result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, - zonediff.diff, zone_keys, nkeys, zone->mctx, + zonediff.diff, zone_keys, nkeys, zone->mctx, now, inception, soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, 
@@ -9659,16 +9657,7 @@ zone_sign(dns_zone_t *zone) { if (ALG(zone_keys[i]) == signing->algorithm && dst_key_id(zone_keys[i]) == signing->keyid) { - bool ksk = false; - isc_result_t ret = dst_key_getbool( - zone_keys[i], DST_BOOL_KSK, - &ksk); - if (ret != ISC_R_SUCCESS) { - ksk = KSK(zone_keys[i]); - } - if (ksk) { - dst_key_free(&zone_keys[i]); - } + dst_key_free(&zone_keys[i]); continue; } zone_keys[j] = zone_keys[i]; @@ -9848,8 +9837,8 @@ zone_sign(dns_zone_t *zone) { CHECK(sign_a_node( db, zone, name, node, version, build_nsec3, - build_nsec, zone_keys[i], inception, expire, - zone_nsecttl(zone), is_ksk, is_zsk, + build_nsec, zone_keys[i], now, inception, + expire, zone_nsecttl(zone), is_ksk, is_zsk, (both && keyset_kskonly), is_bottom_of_zone, zonediff.diff, &signatures, zone->mctx)); /* @@ -9984,7 +9973,7 @@ zone_sign(dns_zone_t *zone) { * termination is sensible. */ result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, - zonediff.diff, zone_keys, nkeys, zone->mctx, + zonediff.diff, zone_keys, nkeys, zone->mctx, now, inception, soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s", @@ -12705,14 +12694,14 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) { result = ISC_R_NOTIMPLEMENTED; goto cleanup_key; } - timeout = 15; + timeout = 5; if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY)) { timeout = 30; } - result = dns_request_create(notify->zone->view->requestmgr, message, - &src, ¬ify->dst, options, key, - timeout * 3, timeout, 2, notify->zone->task, - notify_done, notify, ¬ify->request); + result = dns_request_create( + notify->zone->view->requestmgr, message, &src, ¬ify->dst, + options, key, timeout * 3 + 1, timeout, 2, notify->zone->task, + notify_done, notify, ¬ify->request); if (result == ISC_R_SUCCESS) { if (isc_sockaddr_pf(¬ify->dst) == AF_INET) { inc_stats(notify->zone, 
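Review bot: `timeout * 3 + 1` appears in the dns_request_create() call here and again, verbatim, in the refresh, ns_query and checkds_send_toaddr hunks that follow, with no explanation of the `+ 1`. Combined with the drop from 15 to 5 seconds this changes retry behaviour at every outgoing request site, so the derivation should be written down once: presumably three tries of `timeout` seconds each plus a second of slack, e.g. `/* Overall timeout: three tries of 'timeout' seconds, plus one second so the last try can complete. */` — confirm against dns_request_create()'s argument semantics, which are outside the hunk. A small macro or static inline taking `timeout` would also keep the four call sites in step. notify_send_toaddr() continues outside the hunk.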
@@ -14672,13 +14661,13 @@ again: } zone_iattach(zone, &dummy); - timeout = 15; + timeout = 5; if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) { timeout = 30; } result = dns_request_create( zone->view->requestmgr, message, &zone->sourceaddr, - &zone->primaryaddr, options, key, timeout * 3, timeout, 2, + &zone->primaryaddr, options, key, timeout * 3 + 1, timeout, 2, zone->task, refresh_callback, zone, &zone->request); if (result != ISC_R_SUCCESS) { zone_idetach(&dummy); @@ -14928,7 +14917,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { POST(result); goto cleanup; } - timeout = 15; + timeout = 5; if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) { timeout = 30; } @@ -14946,7 +14935,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { result = dns_request_create( zone->view->requestmgr, message, &zone->sourceaddr, - &zone->primaryaddr, DNS_REQUESTOPT_TCP, key, timeout * 3, + &zone->primaryaddr, DNS_REQUESTOPT_TCP, key, timeout * 3 + 1, timeout, 2, zone->task, stub_callback, cb_args, &zone->request); if (result != ISC_R_SUCCESS) { zone_debuglog(zone, me, 1, "dns_request_create() failed: %s", @@ -17666,6 +17655,12 @@ again: DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime); } + + /* + * Set loadtime. + */ + zone->loadtime = now; + if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) { char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")]; if (zone->tsigkey != NULL) { @@ -20490,7 +20485,7 @@ tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db, return (result); } result = add_sigs(db, ver, &zone->origin, zone, rrtype, - zonediff->diff, keys, nkeys, zone->mctx, + zonediff->diff, keys, nkeys, zone->mctx, now, inception, keyexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { 
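Review bot: The new `zone->loadtime = now;` in the transfer-completion path is assigned before the `if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS)` check, so a transfer that failed also refreshes the zone's load time, unless an earlier return outside the hunk already filters failures. If that is intended, the comment should explain it rather than restate the assignment; `/* Set loadtime. */` says what the line does, not why it belongs on every path. Something like `/* Record when this transfer attempt finished, whether or not it succeeded; consumed by <name the reader> */` with the actual consumer named would do. The enclosing function begins and ends outside the hunk.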
@@ -21252,11 +21247,11 @@ checkds_send_toaddr(isc_task_t *task, isc_event_t *event) { dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), "checkds: create request for DS query to %s", addrbuf); - timeout = 15; + timeout = 5; options |= DNS_REQUESTOPT_TCP; result = dns_request_create( checkds->zone->view->requestmgr, message, &src, &checkds->dst, - options, key, timeout * 3, timeout, 2, checkds->zone->task, + options, key, timeout * 3 + 1, timeout, 2, checkds->zone->task, checkds_done, checkds, &checkds->request); if (result != ISC_R_SUCCESS) { dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3), diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in index 66b3575..b73a9b1 100644 --- a/lib/irs/Makefile.in +++ b/lib/irs/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in index 50ec06e..8b8d16b 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -132,11 +132,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ 
diff --git a/lib/isc/hmac.c b/lib/isc/hmac.c index bc35bef..4bce2c8 100644 --- a/lib/isc/hmac.c +++ b/lib/isc/hmac.c @@ -27,26 +27,26 @@ isc_hmac_t * isc_hmac_new(void) { - EVP_MD_CTX *hmac = EVP_MD_CTX_new(); - RUNTIME_CHECK(hmac != NULL); - return ((isc_hmac_t *)hmac); + EVP_MD_CTX *hmac_st = EVP_MD_CTX_new(); + RUNTIME_CHECK(hmac_st != NULL); + return ((isc_hmac_t *)hmac_st); } void -isc_hmac_free(isc_hmac_t *hmac) { - if (hmac == NULL) { +isc_hmac_free(isc_hmac_t *hmac_st) { + if (hmac_st == NULL) { return; } - EVP_MD_CTX_free((EVP_MD_CTX *)hmac); + EVP_MD_CTX_free((EVP_MD_CTX *)hmac_st); } isc_result_t -isc_hmac_init(isc_hmac_t *hmac, const void *key, const size_t keylen, +isc_hmac_init(isc_hmac_t *hmac_st, const void *key, const size_t keylen, const isc_md_type_t *md_type) { EVP_PKEY *pkey; - REQUIRE(hmac != NULL); + REQUIRE(hmac_st != NULL); REQUIRE(key != NULL); REQUIRE(keylen <= INT_MAX); @@ -60,7 +60,7 @@ isc_hmac_init(isc_hmac_t *hmac, const void *key, const size_t keylen, return (ISC_R_CRYPTOFAILURE); } - if (EVP_DigestSignInit(hmac, NULL, md_type, NULL, pkey) != 1) { + if (EVP_DigestSignInit(hmac_st, NULL, md_type, NULL, pkey) != 1) { EVP_PKEY_free(pkey); ERR_clear_error(); return (ISC_R_CRYPTOFAILURE); @@ -72,10 +72,10 @@ isc_hmac_init(isc_hmac_t *hmac, const void *key, const size_t keylen, } isc_result_t -isc_hmac_reset(isc_hmac_t *hmac) { - REQUIRE(hmac != NULL); +isc_hmac_reset(isc_hmac_t *hmac_st) { + REQUIRE(hmac_st != NULL); - if (EVP_MD_CTX_reset(hmac) != 1) { + if (EVP_MD_CTX_reset(hmac_st) != 1) { ERR_clear_error(); return (ISC_R_CRYPTOFAILURE); } 
@@ -84,14 +84,15 @@ isc_hmac_reset(isc_hmac_t *hmac) { } isc_result_t -isc_hmac_update(isc_hmac_t *hmac, const unsigned char *buf, const size_t len) { - REQUIRE(hmac != NULL); +isc_hmac_update(isc_hmac_t *hmac_st, const unsigned char *buf, + const size_t len) { + REQUIRE(hmac_st != NULL); if (buf == NULL || len == 0) { return (ISC_R_SUCCESS); } - if (EVP_DigestSignUpdate(hmac, buf, len) != 1) { + if (EVP_DigestSignUpdate(hmac_st, buf, len) != 1) { ERR_clear_error(); return (ISC_R_CRYPTOFAILURE); } @@ -100,15 +101,15 @@ isc_hmac_update(isc_hmac_t *hmac, const unsigned char *buf, const size_t len) { } isc_result_t -isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest, +isc_hmac_final(isc_hmac_t *hmac_st, unsigned char *digest, unsigned int *digestlen) { - REQUIRE(hmac != NULL); + REQUIRE(hmac_st != NULL); REQUIRE(digest != NULL); REQUIRE(digestlen != NULL); size_t len = *digestlen; - if (EVP_DigestSignFinal(hmac, digest, &len) != 1) { + if (EVP_DigestSignFinal(hmac_st, digest, &len) != 1) { ERR_clear_error(); return (ISC_R_CRYPTOFAILURE); } @@ -119,24 +120,24 @@ isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest, } const isc_md_type_t * -isc_hmac_get_md_type(isc_hmac_t *hmac) { - REQUIRE(hmac != NULL); +isc_hmac_get_md_type(isc_hmac_t *hmac_st) { + REQUIRE(hmac_st != NULL); - return (EVP_MD_CTX_get0_md(hmac)); + return (EVP_MD_CTX_get0_md(hmac_st)); } size_t -isc_hmac_get_size(isc_hmac_t *hmac) { - REQUIRE(hmac != NULL); +isc_hmac_get_size(isc_hmac_t *hmac_st) { + REQUIRE(hmac_st != NULL); - return ((size_t)EVP_MD_CTX_size(hmac)); + return ((size_t)EVP_MD_CTX_size(hmac_st)); } int -isc_hmac_get_block_size(isc_hmac_t *hmac) { - REQUIRE(hmac != NULL); +isc_hmac_get_block_size(isc_hmac_t *hmac_st) { + REQUIRE(hmac_st != NULL); - return (EVP_MD_CTX_block_size(hmac)); + return (EVP_MD_CTX_block_size(hmac_st)); } isc_result_t 
@@ -144,24 +145,24 @@ isc_hmac(const isc_md_type_t *type, const void *key, const size_t keylen, const unsigned char *buf, const size_t len, unsigned char *digest, unsigned int *digestlen) { isc_result_t res; - isc_hmac_t *hmac = isc_hmac_new(); + isc_hmac_t *hmac_st = isc_hmac_new(); - res = isc_hmac_init(hmac, key, keylen, type); + res = isc_hmac_init(hmac_st, key, keylen, type); if (res != ISC_R_SUCCESS) { goto end; } - res = isc_hmac_update(hmac, buf, len); + res = isc_hmac_update(hmac_st, buf, len); if (res != ISC_R_SUCCESS) { goto end; } - res = isc_hmac_final(hmac, digest, digestlen); + res = isc_hmac_final(hmac_st, digest, digestlen); if (res != ISC_R_SUCCESS) { goto end; } end: - isc_hmac_free(hmac); + isc_hmac_free(hmac_st); return (res); } diff --git a/lib/isc/ht.c b/lib/isc/ht.c index eaf2b3c..e11050f 100644 --- a/lib/isc/ht.c +++ b/lib/isc/ht.c 
@@ -93,11 +93,54 @@ maybe_rehash(isc_ht_t *ht, size_t newcount); static isc_result_t isc__ht_iter_next(isc_ht_iter_t *it); +static uint8_t maptolower[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, + 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, + 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, + 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, + 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, + 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, + 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, + 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3, + 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, + 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, + 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, + 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, + 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, + 0xfc, 0xfd, 0xfe, 0xff +}; + +static int +memcasecmp(const void *vs1, const void *vs2, size_t len) { + uint8_t const *s1 = vs1; + uint8_t const *s2 = vs2; + for (size_t i = 0; i < len; i++) { + uint8_t u1 = s1[i]; + uint8_t u2 = s2[i]; + int U1 = maptolower[u1]; + int U2 = 
maptolower[u2]; + int diff = U1 - U2; + if (diff) { + return diff; + } + } + return 0; +} + static bool isc__ht_node_match(isc_ht_node_t *node, const uint32_t hashval, - const uint8_t *key, uint32_t keysize) { + const uint8_t *key, uint32_t keysize, bool case_sensitive) { return (node->hashval == hashval && node->keysize == keysize && - memcmp(node->key, key, keysize) == 0); + (case_sensitive ? (memcmp(node->key, key, keysize) == 0) + : (memcasecmp(node->key, key, keysize) == 0))); } static uint32_t @@ -341,7 +384,9 @@ nexttable: for (isc_ht_node_t *node = ht->table[findex][hash]; node != NULL; node = node->next) { - if (isc__ht_node_match(node, hashval, key, keysize)) { + if (isc__ht_node_match(node, hashval, key, keysize, + ht->case_sensitive)) + { return (node); } } @@ -390,7 +435,9 @@ isc__ht_delete(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize, for (isc_ht_node_t *node = ht->table[idx][hash]; node != NULL; prev = node, node = node->next) { - if (isc__ht_node_match(node, hashval, key, keysize)) { + if (isc__ht_node_match(node, hashval, key, keysize, + ht->case_sensitive)) + { if (prev == NULL) { ht->table[idx][hash] = node->next; } else { diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c index b15cc45..a93f9e1 100644 --- a/lib/isc/httpd.c +++ b/lib/isc/httpd.c @@ -340,8 +340,10 @@ value_match(const struct phr_header *header, const char *match) { limit = header->value_len - match_len + 1; for (size_t i = 0; i < limit; i++) { - if (isspace(header->value[i])) { - while (i < limit && isspace(header->value[i])) { + if (isspace((unsigned char)header->value[i])) { + while (i < limit && + isspace((unsigned char)header->value[i])) + { i++; } continue; diff --git a/lib/isc/include/isc/endian.h b/lib/isc/include/isc/endian.h index be91b1d..2590415 100644 --- a/lib/isc/include/isc/endian.h +++ b/lib/isc/include/isc/endian.h 
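Review bot: The case-insensitive branch added to isc__ht_node_match() is only correct if the `hashval` callers compute for the lookup key is also case-folded; `node->hashval == hashval` is still checked first and the hashing code is outside these hunks, so two keys differing only in case would never reach memcasecmp() unless the hash ignores case as well — please confirm. Separately, `maptolower` is written once and only read, so declare it `static const uint8_t maptolower[]` so it lands in read-only storage, and memcasecmp() deserves a one-line comment noting it folds ASCII letters only (the table maps 0x80–0xff to themselves). The two lookup-site hunks that follow pass `ht->case_sensitive` consistently.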
@@ -86,29 +86,29 @@ #include #ifndef bswap_16 -#define bswap_16(x) \ - ((uint16_t)((((uint16_t)(x)&0xff00) >> 8) | \ - (((uint16_t)(x)&0x00ff) << 8))) +#define bswap_16(x) \ + ((uint16_t)((((uint16_t)(x) & 0xff00) >> 8) | \ + (((uint16_t)(x) & 0x00ff) << 8))) #endif /* !bswap_16 */ #ifndef bswap_32 -#define bswap_32(x) \ - ((uint32_t)((((uint32_t)(x)&0xff000000) >> 24) | \ - (((uint32_t)(x)&0x00ff0000) >> 8) | \ - (((uint32_t)(x)&0x0000ff00) << 8) | \ - (((uint32_t)(x)&0x000000ff) << 24))) +#define bswap_32(x) \ + ((uint32_t)((((uint32_t)(x) & 0xff000000) >> 24) | \ + (((uint32_t)(x) & 0x00ff0000) >> 8) | \ + (((uint32_t)(x) & 0x0000ff00) << 8) | \ + (((uint32_t)(x) & 0x000000ff) << 24))) #endif /* !bswap_32 */ #ifndef bswap_64 -#define bswap_64(x) \ - ((uint64_t)((((uint64_t)(x)&0xff00000000000000ULL) >> 56) | \ - (((uint64_t)(x)&0x00ff000000000000ULL) >> 40) | \ - (((uint64_t)(x)&0x0000ff0000000000ULL) >> 24) | \ - (((uint64_t)(x)&0x000000ff00000000ULL) >> 8) | \ - (((uint64_t)(x)&0x00000000ff000000ULL) << 8) | \ - (((uint64_t)(x)&0x0000000000ff0000ULL) << 24) | \ - (((uint64_t)(x)&0x000000000000ff00ULL) << 40) | \ - (((uint64_t)(x)&0x00000000000000ffULL) << 56))) +#define bswap_64(x) \ + ((uint64_t)((((uint64_t)(x) & 0xff00000000000000ULL) >> 56) | \ + (((uint64_t)(x) & 0x00ff000000000000ULL) >> 40) | \ + (((uint64_t)(x) & 0x0000ff0000000000ULL) >> 24) | \ + (((uint64_t)(x) & 0x000000ff00000000ULL) >> 8) | \ + (((uint64_t)(x) & 0x00000000ff000000ULL) << 8) | \ + (((uint64_t)(x) & 0x0000000000ff0000ULL) << 24) | \ + (((uint64_t)(x) & 0x000000000000ff00ULL) << 40) | \ + (((uint64_t)(x) & 0x00000000000000ffULL) << 56))) #endif /* !bswap_64 */ #ifndef htobe16 diff --git a/lib/isc/include/isc/net.h b/lib/isc/include/isc/net.h index 1a3ce63..077f66e 100644 --- a/lib/isc/include/isc/net.h +++ b/lib/isc/include/isc/net.h 
@@ -192,10 +192,10 @@ /*% Is IP address multicast? */ #define ISC_IPADDR_ISMULTICAST(i) \ - (((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xe0000000)) + (((uint32_t)(i) & ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xe0000000)) #define ISC_IPADDR_ISEXPERIMENTAL(i) \ - (((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xf0000000)) + (((uint32_t)(i) & ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xf0000000)) /*** *** Functions. diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h index eff33f6..d42cfe9 100644 --- a/lib/isc/include/isc/netmgr.h +++ b/lib/isc/include/isc/netmgr.h @@ -750,6 +750,9 @@ isc_nm_verify_tls_peer_result_string(const isc_nmhandle_t *handle); * \li 'handle' is a valid netmgr handle object. */ +#define ISC_NM_TASK_SLOW_OFFSET -2 +#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - i) + void isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid); /*%< diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h index 9a91118..b385e12 100644 --- a/lib/isc/include/isc/radix.h +++ b/lib/isc/include/isc/radix.h @@ -192,7 +192,7 @@ isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func); */ #define RADIX_MAXBITS 128 -#define RADIX_NBIT(x) (0x80 >> ((x)&0x7f)) +#define RADIX_NBIT(x) (0x80 >> ((x) & 0x7f)) #define RADIX_NBYTE(x) ((x) >> 3) #define RADIX_WALK(Xhead, Xnode) \ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h index 7e0fc02..dc76a87 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -13,6 +13,7 @@ #pragma once +#include #include /*! \file isc/types.h 
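Review bot: The new `ISC_NM_TASK_SLOW(i)` macro uses its argument unparenthesized: `(ISC_NM_TASK_SLOW_OFFSET - 1 - i)` turns `ISC_NM_TASK_SLOW(a + b)` into `-2 - 1 - a + b`. Write it as `#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - (i))`. Both macros also land in the public header without a comment; the isc_nm_task_enqueue() hunk in netmgr.c shows them selecting a "slow" worker thread by threadid, so a short note above them describing the sentinel encoding (-1 any listener, ISC_NM_TASK_SLOW_OFFSET any slow worker, values below it a specific slow worker) would save readers a trip to the .c file.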
@@ -74,10 +75,11 @@ typedef struct isc_rwlock isc_rwlock_t; /*%< Read Write Lock */ typedef struct isc_sockaddr isc_sockaddr_t; /*%< Socket Address */ typedef ISC_LIST(isc_sockaddr_t) isc_sockaddrlist_t; /*%< Socket Address List * */ -typedef struct isc_stats isc_stats_t; /*%< Statistics */ -typedef int_fast64_t isc_statscounter_t; -typedef struct isc_symtab isc_symtab_t; /*%< Symbol Table */ -typedef struct isc_task isc_task_t; /*%< Task */ +typedef struct isc_stats isc_stats_t; /*%< Statistics */ +typedef int_fast64_t isc_statscounter_t; +typedef atomic_int_fast64_t isc_atomic_statscounter_t; +typedef struct isc_symtab isc_symtab_t; /*%< Symbol Table */ +typedef struct isc_task isc_task_t; /*%< Task */ typedef ISC_LIST(isc_task_t) isc_tasklist_t; /*%< Task List */ typedef struct isc_taskmgr isc_taskmgr_t; /*%< Task Manager */ typedef struct isc_textregion isc_textregion_t; /*%< Text Region */ diff --git a/lib/isc/mem.c b/lib/isc/mem.c index 61a66f6..6560833 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -1906,3 +1906,14 @@ isc__mem_printactive(isc_mem_t *ctx, FILE *file) { UNUSED(file); #endif /* if ISC_MEM_TRACKLINES */ } + +void * +isc__mem_alloc_noctx(size_t size) { + return mallocx(size, 0); +} + +void +isc__mem_free_noctx(void *ptr, size_t size) { + ADJUST_ZERO_ALLOCATION_SIZE(size); + sdallocx(ptr, size, 0); +} diff --git a/lib/isc/mem_p.h b/lib/isc/mem_p.h index 611a025..d95bfc3 100644 --- a/lib/isc/mem_p.h +++ b/lib/isc/mem_p.h @@ -26,6 +26,17 @@ isc__mem_printactive(isc_mem_t *mctx, FILE *file); * a single memory context. */ +void * +isc__mem_alloc_noctx(size_t size); +void +isc__mem_free_noctx(void *ptr, size_t size); +/*%< + * Allocate memory that is not associated with an isc_mem memory context. + * + * For use purely in the isc_trampoline unit, to avoid the need of copying + * multiple #ifdef lines from lib/isc/mem.c to lib/isc/trampoline.c. + */ + void isc__mem_checkdestroyed(void); 
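Review bot: `isc__mem_alloc_noctx()` calls `mallocx(size, 0)` without `ADJUST_ZERO_ALLOCATION_SIZE(size)` and without checking the result, while its counterpart `isc__mem_free_noctx()` does adjust the size before `sdallocx()`. If `mallocx` here is jemalloc's (or the file's shim mimicking it), a zero size is not a valid request, so the two helpers are asymmetric and an accidental zero-byte allocation would misbehave; mirror the free path and fail loudly on NULL: `ADJUST_ZERO_ALLOCATION_SIZE(size); void *ptr = mallocx(size, 0); RUNTIME_CHECK(ptr != NULL);` (`RUNTIME_CHECK` is already used this way in lib/isc/hmac.c). The mem_p.h prototypes say the helpers are for the isc_trampoline unit only; the same caveat belongs on the definitions.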
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c index c674d83..a170d2f 100644 --- a/lib/isc/netaddr.c +++ b/lib/isc/netaddr.c @@ -424,7 +424,7 @@ isc_netaddr_issitelocal(const isc_netaddr_t *na) { } #define ISC_IPADDR_ISNETZERO(i) \ - (((uint32_t)(i)&ISC__IPADDR(0xff000000)) == ISC__IPADDR(0x00000000)) + (((uint32_t)(i) & ISC__IPADDR(0xff000000)) == ISC__IPADDR(0x00000000)) bool isc_netaddr_isnetzero(const isc_netaddr_t *na) { diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index f2d3e2d..2220edf 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c @@ -2493,6 +2493,7 @@ isc_nm_listenhttp(isc_nm_t *mgr, isc_sockaddr_t *iface, int backlog, isc_nmsocket_t *sock = NULL; isc_result_t result; + REQUIRE(VALID_NM(mgr)); REQUIRE(!ISC_LIST_EMPTY(eps->handlers)); REQUIRE(!ISC_LIST_EMPTY(eps->handler_cbargs)); REQUIRE(atomic_load(&eps->in_use) == false); @@ -2968,7 +2969,7 @@ isc__nm_http_set_max_streams(isc_nmsocket_t *listener, void isc_nm_http_set_endpoints(isc_nmsocket_t *listener, isc_nm_http_endpoints_t *eps) { - size_t nworkers; + size_t nlisteners; REQUIRE(VALID_NMSOCK(listener)); REQUIRE(listener->type == isc_nm_httplistener); @@ -2976,8 +2977,8 @@ isc_nm_http_set_endpoints(isc_nmsocket_t *listener, atomic_store(&eps->in_use, true); - nworkers = (size_t)listener->mgr->nworkers; - for (size_t i = 0; i < nworkers; i++) { + nlisteners = (size_t)listener->mgr->nlisteners; + for (size_t i = 0; i < nlisteners; i++) { isc__netievent__http_eps_t *ievent = isc__nm_get_netievent_httpendpoints(listener->mgr, listener, eps); 
@@ -3002,20 +3003,20 @@ isc__nm_async_httpendpoints(isc__networker_t *worker, isc__netievent_t *ev0) { static void http_init_listener_endpoints(isc_nmsocket_t *listener, isc_nm_http_endpoints_t *epset) { - size_t nworkers; + size_t nlisteners; REQUIRE(VALID_NMSOCK(listener)); REQUIRE(VALID_NM(listener->mgr)); REQUIRE(VALID_HTTP_ENDPOINTS(epset)); - nworkers = (size_t)listener->mgr->nworkers; - INSIST(nworkers > 0); + nlisteners = (size_t)listener->mgr->nlisteners; + INSIST(nlisteners > 0); listener->h2.listener_endpoints = isc_mem_get(listener->mgr->mctx, - sizeof(isc_nm_http_endpoints_t *) * nworkers); - listener->h2.n_listener_endpoints = nworkers; - for (size_t i = 0; i < nworkers; i++) { + sizeof(isc_nm_http_endpoints_t *) * nlisteners); + listener->h2.n_listener_endpoints = nlisteners; + for (size_t i = 0; i < nlisteners; i++) { listener->h2.listener_endpoints[i] = NULL; isc_nm_http_endpoints_attach( epset, &listener->h2.listener_endpoints[i]); diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h index 364a933..6aca9ab 100644 --- a/lib/isc/netmgr/netmgr-int.h +++ b/lib/isc/netmgr/netmgr-int.h @@ -776,6 +776,7 @@ struct isc_nm { isc_refcount_t references; isc_mem_t *mctx; int nworkers; + int nlisteners; isc_mutex_t lock; isc_condition_t wkstatecond; isc_condition_t wkpausecond; diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c index b19d468..2310b4b 100644 --- a/lib/isc/netmgr/netmgr.c +++ b/lib/isc/netmgr/netmgr.c @@ -189,12 +189,12 @@ isc__nm_force_tid(int tid) { } static void -isc__nm_threadpool_initialize(uint32_t workers) { +isc__nm_threadpool_initialize(uint32_t nworkers) { char buf[11]; int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf, &(size_t){ sizeof(buf) }); if (r == UV_ENOENT) { - snprintf(buf, sizeof(buf), "%" PRIu32, workers); + snprintf(buf, sizeof(buf), "%" PRIu32, nworkers); uv_os_setenv("UV_THREADPOOL_SIZE", buf); } } 
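Review bot: The new `int nlisteners;` field in struct isc_nm sits next to `int nworkers;` with no comment, and the rest of the series switches many sites from one to the other, so the distinction is now load-bearing but undocumented. The isc__netmgr_create() hunk initialises `.nworkers = nworkers * 2, .nlisteners = nworkers` and isc_nm_task_enqueue() uses indices at or above `nlisteners` for slow work, so something like `int nworkers; /* all worker threads */` and `int nlisteners; /* the first nlisteners workers serve sockets; the rest run slow tasks */` would capture it — confirm the intended roles before committing the wording. The http.c hunks above are a straightforward rename and need nothing further.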
@@ -212,11 +212,11 @@ isc__nm_threadpool_initialize(uint32_t workers) { #endif void -isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) { +isc__netmgr_create(isc_mem_t *mctx, uint32_t nworkers, isc_nm_t **netmgrp) { isc_nm_t *mgr = NULL; char name[32]; - REQUIRE(workers > 0); + REQUIRE(nworkers > 0); #ifdef MAXIMAL_UV_VERSION if (uv_version() > MAXIMAL_UV_VERSION) { @@ -234,10 +234,13 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) { uv_version_string(), UV_VERSION_STRING); } - isc__nm_threadpool_initialize(workers); + isc__nm_threadpool_initialize(nworkers); mgr = isc_mem_get(mctx, sizeof(*mgr)); - *mgr = (isc_nm_t){ .nworkers = workers }; + *mgr = (isc_nm_t){ + .nworkers = nworkers * 2, + .nlisteners = nworkers, + }; isc_mem_attach(mctx, &mgr->mctx); isc_mutex_init(&mgr->lock); @@ -272,11 +275,12 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) { atomic_init(&mgr->keepalive, 30000); atomic_init(&mgr->advertised, 30000); - isc_barrier_init(&mgr->pausing, workers); - isc_barrier_init(&mgr->resuming, workers); + isc_barrier_init(&mgr->pausing, mgr->nworkers); + isc_barrier_init(&mgr->resuming, mgr->nworkers); - mgr->workers = isc_mem_get(mctx, workers * sizeof(isc__networker_t)); - for (size_t i = 0; i < workers; i++) { + mgr->workers = isc_mem_get(mctx, + mgr->nworkers * sizeof(isc__networker_t)); + for (int i = 0; i < mgr->nworkers; i++) { isc__networker_t *worker = &mgr->workers[i]; int r; @@ -310,7 +314,7 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) { mgr->workers_running++; isc_thread_create(nm_thread, &mgr->workers[i], &worker->thread); - snprintf(name, sizeof(name), "isc-net-%04zu", i); + snprintf(name, sizeof(name), "isc-net-%04d", i); isc_thread_setname(worker->thread, name); } 
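Review bot: `.nworkers = nworkers * 2` silently doubles the thread count relative to the caller's request, and the doubled value is what the barriers and the worker array are sized from, while `isc__nm_threadpool_initialize(nworkers)` a few lines earlier still sizes UV_THREADPOOL_SIZE from the undoubled count; the hunk gives no reason for either. A comment at the initializer, e.g. `/* Half the workers accept and serve sockets, the other half run slow tasks; see isc_nm_task_enqueue(). */`, plus a note on whether the libuv pool is meant to track listeners or all workers, would make the intent reviewable. `nworkers` is `uint32_t` and the field is `int`, so the doubling is unchecked beyond `REQUIRE(nworkers > 0)`; an upper bound such as `REQUIRE(nworkers <= INT_MAX / 2);` is cheap.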
@@ -817,9 +821,15 @@ isc_nm_task_enqueue(isc_nm_t *nm, isc_task_t *task, int threadid) { isc__networker_t *worker = NULL; if (threadid == -1) { - tid = (int)isc_random_uniform(nm->nworkers); + tid = (int)isc_random_uniform(nm->nlisteners); + } else if (threadid == ISC_NM_TASK_SLOW_OFFSET) { + tid = nm->nlisteners + + (int)isc_random_uniform(nm->nworkers - nm->nlisteners); + } else if (threadid < ISC_NM_TASK_SLOW_OFFSET) { + tid = nm->nlisteners + (ISC_NM_TASK_SLOW(threadid) % + (nm->nworkers - nm->nlisteners)); } else { - tid = threadid % nm->nworkers; + tid = threadid % nm->nlisteners; } worker = &nm->workers[tid]; @@ -3778,7 +3788,7 @@ isc__nm_async_settlsctx(isc__networker_t *worker, isc__netievent_t *ev0) { static void set_tlsctx_workers(isc_nmsocket_t *listener, isc_tlsctx_t *tlsctx) { /* Update the TLS context reference for every worker thread. */ - for (size_t i = 0; i < (size_t)listener->mgr->nworkers; i++) { + for (size_t i = 0; i < (size_t)listener->mgr->nlisteners; i++) { isc__netievent__tlsctx_t *ievent = isc__nm_get_netievent_settlsctx(listener->mgr, listener, tlsctx); diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c index 2a644fe..16b53cc 100644 --- a/lib/isc/netmgr/tcp.c +++ b/lib/isc/netmgr/tcp.c @@ -341,7 +341,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc__nm_connectcb(sock, req, result, false); } else { isc__nmsocket_clearcb(sock); - sock->tid = isc_random_uniform(mgr->nworkers); + sock->tid = isc_random_uniform(mgr->nlisteners); isc__nm_connectcb(sock, req, result, true); } atomic_store(&sock->closed, true); @@ -362,7 +362,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc__nm_put_netievent_tcpconnect(mgr, ievent); } else { atomic_init(&sock->active, false); - sock->tid = isc_random_uniform(mgr->nworkers); + sock->tid = isc_random_uniform(mgr->nlisteners); isc__nm_enqueue_ievent(&mgr->workers[sock->tid], (isc__netievent_t *)ievent); } 
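Review bot: The two new branches divide by `nm->nworkers - nm->nlisteners`, once inside `isc_random_uniform()` and once via `%`, and nothing in this function checks that the difference is positive, so a netmgr with `nworkers == nlisteners` would modulo by zero. isc__netmgr_create() currently establishes `nworkers = 2 * nlisteners`, but that invariant lives in another part of the file; an `INSIST(nm->nworkers > nm->nlisteners);` before the branches, or a comment stating the invariant, makes the dependency explicit. A short comment mapping each `threadid` encoding (-1, ISC_NM_TASK_SLOW_OFFSET, values below it, non-negative) to the resulting `tid` would also help, since the macros live in a public header. The tcp.c hunks that follow are a plain rename.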
@@ -457,7 +457,7 @@ isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc__nmsocket_init(sock, mgr, isc_nm_tcplistener, iface); atomic_init(&sock->rchildren, 0); - sock->nchildren = mgr->nworkers; + sock->nchildren = mgr->nlisteners; children_size = sock->nchildren * sizeof(sock->children[0]); sock->children = isc_mem_get(mgr->mctx, children_size); memset(sock->children, 0, children_size); diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c index eda6aa6..b2a0b10 100644 --- a/lib/isc/netmgr/tcpdns.c +++ b/lib/isc/netmgr/tcpdns.c @@ -324,7 +324,7 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc__nm_put_netievent_tcpdnsconnect(mgr, ievent); } else { atomic_init(&sock->active, false); - sock->tid = isc_random_uniform(mgr->nworkers); + sock->tid = isc_random_uniform(mgr->nlisteners); isc__nm_enqueue_ievent(&mgr->workers[sock->tid], (isc__netievent_t *)ievent); } @@ -422,7 +422,7 @@ isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface, isc__nmsocket_init(sock, mgr, isc_nm_tcpdnslistener, iface); atomic_init(&sock->rchildren, 0); - sock->nchildren = mgr->nworkers; + sock->nchildren = mgr->nlisteners; children_size = sock->nchildren * sizeof(sock->children[0]); sock->children = isc_mem_get(mgr->mctx, children_size); memset(sock->children, 0, children_size); @@ -808,6 +808,13 @@ isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) { return (ISC_R_CANCELED); } + if (sock->client && !sock->recv_read) { + /* + * We are not reading data - stop here. + */ + return (ISC_R_CANCELED); + } + req = isc__nm_get_read_req(sock, NULL); REQUIRE(VALID_UVREQ(req)); diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c index d30e33f..feeb1a8 100644 --- a/lib/isc/netmgr/tlsdns.c +++ b/lib/isc/netmgr/tlsdns.c 
@@ -419,7 +419,7 @@ isc_nm_tlsdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc__nm_put_netievent_tlsdnsconnect(mgr, ievent); } else { atomic_init(&sock->active, false); - sock->tid = isc_random_uniform(mgr->nworkers); + sock->tid = isc_random_uniform(mgr->nlisteners); isc__nm_enqueue_ievent(&mgr->workers[sock->tid], (isc__netievent_t *)ievent); } @@ -532,7 +532,7 @@ isc_nm_listentlsdns(isc_nm_t *mgr, isc_sockaddr_t *iface, isc__nmsocket_init(sock, mgr, isc_nm_tlsdnslistener, iface); atomic_init(&sock->rchildren, 0); - sock->nchildren = mgr->nworkers; + sock->nchildren = mgr->nlisteners; children_size = sock->nchildren * sizeof(sock->children[0]); sock->children = isc_mem_get(mgr->mctx, children_size); memset(sock->children, 0, children_size); @@ -1016,6 +1016,13 @@ isc__nm_tlsdns_processbuffer(isc_nmsocket_t *sock) { return (ISC_R_CANCELED); } + if (sock->client && !sock->recv_read) { + /* + * We are not reading data - stop here. + */ + return (ISC_R_CANCELED); + } + req = isc__nm_get_read_req(sock, NULL); REQUIRE(VALID_UVREQ(req)); diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c index 7b49071..a3fc6d2 100644 --- a/lib/isc/netmgr/tlsstream.c +++ b/lib/isc/netmgr/tlsstream.c 
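Review bot: The `sock->client && !sock->recv_read` early return added to isc__nm_tlsdns_processbuffer is byte-identical to the one added to isc__nm_tcpdns_processbuffer, and both hand back ISC_R_CANCELED, which the callers presumably treat as "nothing to process" rather than as a real cancellation; whether the callers distinguish the two cases is outside the hunk. A small static inline helper in a header both files include, e.g. `static inline bool isc__nm_client_read_stopped(const isc_nmsocket_t *sock) { return (sock->client && !sock->recv_read); }`, would keep the two copies in step if the condition is ever refined. The rest of processbuffer lies outside the hunk.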
@@ -1264,18 +1264,18 @@ isc__nm_tls_verify_tls_peer_result_string(const isc_nmhandle_t *handle) { static void tls_init_listener_tlsctx(isc_nmsocket_t *listener, isc_tlsctx_t *ctx) { - size_t nworkers; + size_t nlisteners; REQUIRE(VALID_NM(listener->mgr)); REQUIRE(ctx != NULL); - nworkers = (size_t)listener->mgr->nworkers; - INSIST(nworkers > 0); + nlisteners = (size_t)listener->mgr->nlisteners; + INSIST(nlisteners > 0); listener->tlsstream.listener_tls_ctx = isc_mem_get( - listener->mgr->mctx, sizeof(isc_tlsctx_t *) * nworkers); - listener->tlsstream.n_listener_tls_ctx = nworkers; - for (size_t i = 0; i < nworkers; i++) { + listener->mgr->mctx, sizeof(isc_tlsctx_t *) * nlisteners); + listener->tlsstream.n_listener_tls_ctx = nlisteners; + for (size_t i = 0; i < nlisteners; i++) { listener->tlsstream.listener_tls_ctx[i] = NULL; isc_tlsctx_attach(ctx, &listener->tlsstream.listener_tls_ctx[i]); diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c index 1a0ee16..661de96 100644 --- a/lib/isc/netmgr/udp.c +++ b/lib/isc/netmgr/udp.c @@ -152,18 +152,19 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb, isc_result_t result = ISC_R_SUCCESS; isc_nmsocket_t *sock = NULL; size_t children_size = 0; - REQUIRE(VALID_NM(mgr)); uv_os_sock_t fd = -1; + REQUIRE(VALID_NM(mgr)); + /* - * We are creating mgr->nworkers duplicated sockets, one + * We are creating mgr->nlisteners duplicated sockets, one * socket for each worker thread. */ sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t)); isc__nmsocket_init(sock, mgr, isc_nm_udplistener, iface); atomic_init(&sock->rchildren, 0); - sock->nchildren = mgr->nworkers; + sock->nchildren = mgr->nlisteners; children_size = sock->nchildren * sizeof(sock->children[0]); sock->children = isc_mem_get(mgr->mctx, children_size); memset(sock->children, 0, children_size); 
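Review bot: The rewritten comment in isc_nm_listenudp now reads `mgr->nlisteners duplicated sockets, one socket for each worker thread`, and its two halves disagree: the count is nlisteners while the text still says one per worker thread, although elsewhere in this series the workers are split into listener threads and slow threads, so nworkers can exceed nlisteners. Suggest `* We are creating mgr->nlisteners duplicated sockets, one socket for each listener (network) thread.` The body of isc_nm_listenudp continues past the hunk.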
@@ -693,6 +694,7 @@ isc__nm_udp_send(isc_nmhandle_t *handle, const isc_region_t *region, uint32_t maxudp = atomic_load(&sock->mgr->maxudp); int ntid; + REQUIRE(VALID_NMSOCK(sock)); INSIST(sock->type == isc_nm_udpsocket); /* @@ -1035,7 +1037,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer, isc__nm_put_netievent_udpconnect(mgr, event); } else { atomic_init(&sock->active, false); - sock->tid = isc_random_uniform(mgr->nworkers); + sock->tid = isc_random_uniform(mgr->nlisteners); isc__nm_enqueue_ievent(&mgr->workers[sock->tid], (isc__netievent_t *)event); } diff --git a/lib/isc/netmgr/uv-compat.h b/lib/isc/netmgr/uv-compat.h index 3a10387..eea8744 100644 --- a/lib/isc/netmgr/uv-compat.h +++ b/lib/isc/netmgr/uv-compat.h @@ -72,7 +72,7 @@ uv_tcp_close_reset(uv_tcp_t *handle, uv_close_cb close_cb); #endif #if UV_VERSION_HEX < UV_VERSION(1, 34, 0) -#define uv_sleep(msec) usleep(msec * 1000) +#define uv_sleep(msec) usleep((msec) * 1000) #endif /* UV_VERSION_HEX < UV_VERSION(1, 34, 0) */ #if UV_VERSION_HEX < UV_VERSION(1, 27, 0) diff --git a/lib/isc/stats.c b/lib/isc/stats.c index 3e4676c..183030e 100644 --- a/lib/isc/stats.c +++ b/lib/isc/stats.c 
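Review bot: The new `REQUIRE(VALID_NMSOCK(sock))` in isc__nm_udp_send is placed after the context line `uint32_t maxudp = atomic_load(&sock->mgr->maxudp);`, so `sock->mgr` is dereferenced before the socket is validated and the check cannot catch a bad pointer on that line. Loading after the check keeps the guard meaningful: `uint32_t maxudp; int ntid; REQUIRE(VALID_NMSOCK(sock)); maxudp = atomic_load(&sock->mgr->maxudp);`. Where `sock` is taken from `handle` is above the hunk and is presumably covered by a handle REQUIRE; isc__nm_udp_send begins and ends outside the hunk.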
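Review bot: The parenthesised `usleep((msec) * 1000)` fallback in uv-compat.h fixes the macro-hygiene problem but still inherits usleep()'s limits: the product is computed in the caller's integer type and narrowed to useconds_t, and historical POSIX lets usleep() fail with EINVAL for arguments of 1,000,000 or more, so `uv_sleep(1000)` on a pre-1.34 libuv build may silently not sleep on such platforms. If any caller passes a second or more, a nanosleep()-based fallback is safer; otherwise a note like `/* usleep() may reject >= 1 s on some platforms; callers pass short delays only */` records the constraint. Which callers exist is outside the hunk.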
@@ -28,14 +28,22 @@ #define ISC_STATS_MAGIC ISC_MAGIC('S', 't', 'a', 't') #define ISC_STATS_VALID(x) ISC_MAGIC_VALID(x, ISC_STATS_MAGIC) -typedef atomic_int_fast64_t isc__atomic_statcounter_t; +/* + * Statistics are counted with an atomic int_fast64_t but exported to functions + * taking uint64_t (isc_stats_dumper_t). A 128-bit native and fast architecture + * doesn't exist in reality so these two are the same thing in practise. + * However, a silent truncation happening silently in the future is still not + * acceptable. + */ +STATIC_ASSERT(sizeof(isc_statscounter_t) <= sizeof(uint64_t), + "Exported statistics must fit into the statistic counter size"); struct isc_stats { unsigned int magic; isc_mem_t *mctx; isc_refcount_t references; int ncounters; - isc__atomic_statcounter_t *counters; + isc_atomic_statscounter_t *counters; }; static isc_result_t @@ -46,7 +54,7 @@ create_stats(isc_mem_t *mctx, int ncounters, isc_stats_t **statsp) { REQUIRE(statsp != NULL && *statsp == NULL); stats = isc_mem_get(mctx, sizeof(*stats)); - counters_alloc_size = sizeof(isc__atomic_statcounter_t) * ncounters; + counters_alloc_size = sizeof(isc_atomic_statscounter_t) * ncounters; stats->counters = isc_mem_get(mctx, counters_alloc_size); isc_refcount_init(&stats->references, 1); for (int i = 0; i < ncounters; i++) { @@ -82,7 +90,7 @@ isc_stats_detach(isc_stats_t **statsp) { if (isc_refcount_decrement(&stats->references) == 1) { isc_refcount_destroy(&stats->references); isc_mem_put(stats->mctx, stats->counters, - sizeof(isc__atomic_statcounter_t) * + sizeof(isc_atomic_statscounter_t) * stats->ncounters); isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats)); } 
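Review bot: The new STATIC_ASSERT in stats.c checks `sizeof(isc_statscounter_t) <= sizeof(uint64_t)`, i.e. that the counter fits into the exported uint64_t, but its message states the opposite direction, `Exported statistics must fit into the statistic counter size`, which will mislead whoever first sees it fire. Suggest `"Statistics counters must fit into the exported uint64_t"`, and the comment above has a doubled adverb (`silent truncation happening silently`) that could read `However, a silent truncation in the future is still not acceptable.` The comment also records that a signed int_fast64_t is exported as uint64_t; whether a counter can ever be negative (a decrement API) is outside the hunk, and if it can, the conversion wraps rather than truncates.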
@@ -125,7 +133,8 @@ isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg, REQUIRE(ISC_STATS_VALID(stats)); for (i = 0; i < stats->ncounters; i++) { - uint32_t counter = atomic_load_acquire(&stats->counters[i]); + isc_statscounter_t counter = + atomic_load_acquire(&stats->counters[i]); if ((options & ISC_STATSDUMP_VERBOSE) == 0 && counter == 0) { continue; } @@ -169,7 +178,7 @@ void isc_stats_resize(isc_stats_t **statsp, int ncounters) { isc_stats_t *stats; size_t counters_alloc_size; - isc__atomic_statcounter_t *newcounters; + isc_atomic_statscounter_t *newcounters; REQUIRE(statsp != NULL && *statsp != NULL); REQUIRE(ISC_STATS_VALID(*statsp)); @@ -182,7 +191,7 @@ isc_stats_resize(isc_stats_t **statsp, int ncounters) { } /* Grow number of counters. */ - counters_alloc_size = sizeof(isc__atomic_statcounter_t) * ncounters; + counters_alloc_size = sizeof(isc_atomic_statscounter_t) * ncounters; newcounters = isc_mem_get(stats->mctx, counters_alloc_size); for (int i = 0; i < ncounters; i++) { atomic_init(&newcounters[i], 0); @@ -192,7 +201,7 @@ isc_stats_resize(isc_stats_t **statsp, int ncounters) { atomic_store_release(&newcounters[i], counter); } isc_mem_put(stats->mctx, stats->counters, - sizeof(isc__atomic_statcounter_t) * stats->ncounters); + sizeof(isc_atomic_statscounter_t) * stats->ncounters); stats->counters = newcounters; stats->ncounters = ncounters; } diff --git a/lib/isc/trampoline.c b/lib/isc/trampoline.c index 58171d9..3e58fa7 100644 --- a/lib/isc/trampoline.c +++ b/lib/isc/trampoline.c @@ -22,6 +22,7 @@ #include #include +#include "mem_p.h" #include "trampoline_p.h" #define ISC__TRAMPOLINE_UNUSED 0 @@ -148,7 +149,7 @@ isc__trampoline_detach(isc__trampoline_t *trampoline) { isc__trampoline_min = trampoline->tid; } - free(trampoline->jemalloc_enforce_init); + isc__mem_free_noctx(trampoline->jemalloc_enforce_init, 8); free(trampoline); uv_mutex_unlock(&isc__trampoline_lock); 
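Review bot: In isc_stats_resize the new array is filled by `atomic_store_release(&newcounters[i], counter)` and then published with `stats->counters = newcounters;` with no lock visible in the hunk; if increments can run concurrently with a resize, updates landing in the old array between the copy loop and the pointer swap are lost, and a reader that already loaded the old pointer may touch it after the `isc_mem_put` that follows. The type rename does not change this, but since the copy loop is being edited a comment stating the caller's obligation would help, e.g. `/* Caller must guarantee no concurrent access to the counters; the old array is freed here. */`. Whether such serialisation exists, or whether resize only runs at configuration time, is outside the hunk, as is the start of isc_stats_resize.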
@@ -174,7 +175,7 @@ isc__trampoline_attach(isc__trampoline_t *trampoline) { * so that an optimizing compiler does not strip away such a pair of * malloc() + free() calls altogether, as it would foil the fix. */ - trampoline->jemalloc_enforce_init = malloc(8); + trampoline->jemalloc_enforce_init = isc__mem_alloc_noctx(8); uv_mutex_unlock(&isc__trampoline_lock); } diff --git a/lib/isc/url.c b/lib/isc/url.c index cccb712..320a863 100644 --- a/lib/isc/url.c +++ b/lib/isc/url.c @@ -44,7 +44,7 @@ #ifndef BIT_AT #define BIT_AT(a, i) \ (!!((unsigned int)(a)[(unsigned int)(i) >> 3] & \ - (1 << ((unsigned int)(i)&7)))) + (1 << ((unsigned int)(i) & 7)))) #endif #if HTTP_PARSER_STRICT @@ -201,7 +201,8 @@ typedef enum { #define IS_URL_CHAR(c) (BIT_AT(normal_url_char, (unsigned char)c)) #define IS_HOST_CHAR(c) (isalnum((unsigned char)c) || (c) == '.' || (c) == '-') #else -#define IS_URL_CHAR(c) (BIT_AT(normal_url_char, (unsigned char)c) || ((c)&0x80)) +#define IS_URL_CHAR(c) \ + (BIT_AT(normal_url_char, (unsigned char)c) || ((c) & 0x80)) #define IS_HOST_CHAR(c) \ (isalnum((unsigned char)c) || (c) == '.' || (c) == '-' || (c) == '_') #endif diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in index 3fee7ca..2a8d865 100644 --- a/lib/isccc/Makefile.in +++ b/lib/isccc/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index cbd9bad..71e5b14 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c 
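Review bot: The context comment directly above the changed line in isc__trampoline_attach still talks about `a pair of malloc() + free() calls`, but the code now calls `isc__mem_alloc_noctx(8)` here and `isc__mem_free_noctx(..., 8)` in the detach hunk, so the comment no longer names what the optimiser is being prevented from eliding; it should be updated to mention the new functions and whether they still reach jemalloc, which is the whole point of the workaround and is not visible here. The size 8 is also repeated at both call sites; a `#define ISC__TRAMPOLINE_JEMALLOC_INIT_SIZE 8` next to `ISC__TRAMPOLINE_UNUSED` would keep the alloc and free in step. The beginning of isc__trampoline_attach is above the hunk.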
@@ -255,7 +255,7 @@ list_towire(isccc_sexpr_t *list, isc_buffer_t **buffer) { } static isc_result_t -sign(unsigned char *data, unsigned int length, unsigned char *hmac, +sign(unsigned char *data, unsigned int length, unsigned char *out, uint32_t algorithm, isccc_region_t *secret) { const isc_md_type_t *md_type; isc_result_t result; @@ -304,9 +304,9 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, return (result); } if (algorithm == ISCCC_ALG_HMACMD5) { - PUT_MEM(digestb64, HMD5_LENGTH, hmac); + PUT_MEM(digestb64, HMD5_LENGTH, out); } else { - PUT_MEM(digestb64, HSHA_LENGTH, hmac); + PUT_MEM(digestb64, HSHA_LENGTH, out); } return (ISC_R_SUCCESS); } @@ -382,7 +382,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, isccc_region_t source; isccc_region_t target; isc_result_t result; - isccc_sexpr_t *_auth, *hmac; + isccc_sexpr_t *_auth, *hmacvalue; unsigned char digest[ISC_MAX_MD_SIZE]; unsigned int digestlen = sizeof(digest); unsigned char digestb64[HSHA_LENGTH * 4]; @@ -395,11 +395,11 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, return (ISC_R_FAILURE); } if (algorithm == ISCCC_ALG_HMACMD5) { - hmac = isccc_alist_lookup(_auth, "hmd5"); + hmacvalue = isccc_alist_lookup(_auth, "hmd5"); } else { - hmac = isccc_alist_lookup(_auth, "hsha"); + hmacvalue = isccc_alist_lookup(_auth, "hsha"); } - if (!isccc_sexpr_binaryp(hmac)) { + if (!isccc_sexpr_binaryp(hmacvalue)) { return (ISC_R_FAILURE); } /* @@ -452,7 +452,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, isccc_region_t *region; unsigned char *value; - region = isccc_sexpr_tobinary(hmac); + region = isccc_sexpr_tobinary(hmacvalue); if ((region->rend - region->rstart) != HMD5_LENGTH) { return (ISCCC_R_BADAUTH); } 
@@ -465,7 +465,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, unsigned char *value; uint32_t valalg; - region = isccc_sexpr_tobinary(hmac); + region = isccc_sexpr_tobinary(hmacvalue); /* * Note: with non-MD5 algorithms, there's an extra octet diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in index 38f6b93..5fe9255 100644 --- a/lib/isccfg/Makefile.in +++ b/lib/isccfg/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 4e4c098..d5b28ba 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2137,9 +2137,11 @@ static cfg_clausedef_t view_clauses[] = { { "request-nsid", &cfg_type_boolean, 0 }, { "request-sit", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "require-server-cookie", &cfg_type_boolean, 0 }, - { "resolver-nonbackoff-tries", &cfg_type_uint32, 0 }, + { "resolver-nonbackoff-tries", &cfg_type_uint32, + CFG_CLAUSEFLAG_DEPRECATED }, { "resolver-query-timeout", &cfg_type_uint32, 0 }, - { "resolver-retry-interval", &cfg_type_uint32, 0 }, + { "resolver-retry-interval", &cfg_type_uint32, + CFG_CLAUSEFLAG_DEPRECATED }, { "response-padding", &cfg_type_resppadding, 0 }, { "response-policy", &cfg_type_rpz, 0 }, { "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT }, 
@@ -2161,8 +2163,7 @@ static cfg_clausedef_t view_clauses[] = { { "synth-from-dnssec", &cfg_type_boolean, 0 }, { "topology", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "transfer-format", &cfg_type_transferformat, 0 }, - { "trust-anchor-telemetry", &cfg_type_boolean, - CFG_CLAUSEFLAG_EXPERIMENTAL }, + { "trust-anchor-telemetry", &cfg_type_boolean, 0 }, { "use-queryport-pool", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "validate-except", &cfg_type_namelist, 0 }, { "v6-bias", &cfg_type_uint32, 0 }, diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in index ba30d74..5737778 100644 --- a/lib/ns/Makefile.in +++ b/lib/ns/Makefile.in @@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/lib/ns/client.c b/lib/ns/client.c index 5ed64fd..a62343b 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -1672,9 +1672,7 @@ ns__client_put_cb(void *client0) { dns_message_detach(&client->message); - if (client->manager != NULL) { - ns_clientmgr_detach(&client->manager); - } + ns_clientmgr_detach(&client->manager); /* * Detaching the task must be done after unlinking from @@ -2322,11 +2320,8 @@ ns__client_setup(ns_client_t *client, ns_clientmgr_t *mgr, bool new) { isc_result_t result; /* - * Caller must be holding the manager lock. - * * Note: creating a client does not add the client to the - * manager's client list or set the client's manager pointer. - * The caller is responsible for that. + * manager's client list, the caller is responsible for that. */ if (new) { 
@@ -2402,26 +2397,13 @@ ns__client_setup(ns_client_t *client, ns_clientmgr_t *mgr, bool new) { return (ISC_R_SUCCESS); cleanup: - if (client->sendbuf != NULL) { - isc_mem_put(client->manager->send_mctx, client->sendbuf, - NS_CLIENT_SEND_BUFFER_SIZE); - } - - if (client->message != NULL) { - dns_message_detach(&client->message); - } - - if (client->task != NULL) { - isc_task_detach(&client->task); - } - - if (client->manager != NULL) { - ns_clientmgr_detach(&client->manager); - } + isc_mem_put(client->manager->send_mctx, client->sendbuf, + NS_CLIENT_SEND_BUFFER_SIZE); + dns_message_detach(&client->message); + isc_task_detach(&client->task); + ns_clientmgr_detach(&client->manager); isc_mem_detach(&client->mctx); - if (client->sctx != NULL) { - ns_server_detach(&client->sctx); - } + ns_server_detach(&client->sctx); return (result); } diff --git a/lib/ns/query.c b/lib/ns/query.c index 00ef955..40e1232 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -199,7 +199,7 @@ client_trace(ns_client_t *client, int level, const char *message) { #define DNS_GETDB_IGNOREACL 0x08U #define DNS_GETDB_STALEFIRST 0X0CU -#define PENDINGOK(x) (((x)&DNS_DBFIND_PENDINGOK) != 0) +#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) #define SFCACHE_CDFLAG 0x1 @@ -465,10 +465,10 @@ static void query_addnxrrsetnsec(query_ctx_t *qctx); static isc_result_t -query_nxdomain(query_ctx_t *qctx, isc_result_t res); +query_nxdomain(query_ctx_t *qctx, isc_result_t result); static isc_result_t -query_redirect(query_ctx_t *qctx); +query_redirect(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_ncache(query_ctx_t *qctx, isc_result_t result); 
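Review bot: The rewritten `cleanup:` path in ns__client_setup now unconditionally runs `isc_mem_put(client->manager->send_mctx, client->sendbuf, ...)`, `dns_message_detach(&client->message)`, `isc_task_detach(&client->task)`, `ns_clientmgr_detach(&client->manager)` and `ns_server_detach(&client->sctx)`, which is only safe if every `goto cleanup` is reached after all five have been set; the body between `if (new) {` and the label is outside this hunk, so that cannot be confirmed here. If the only failure point lies after all of them (plausible, given the NULL guards were removed deliberately), a comment at the label should say so: `cleanup: /* Only reached once sendbuf, message, task, manager and sctx are all set. */`. If an earlier failure can still reach the label, the NULL checks on sendbuf, message and task are needed after all.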
@@ -6228,6 +6228,13 @@ query_lookup_stale(ns_client_t *client) { query_ctx_t qctx; qctx_init(client, NULL, client->query.qtype, &qctx); + if (DNS64(client)) { + qctx.qtype = qctx.type = dns_rdatatype_a; + qctx.dns64 = true; + } + if (DNS64EXCLUDE(client)) { + qctx.dns64_exclude = true; + } dns_db_attach(client->view->cachedb, &qctx.db); client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; @@ -7681,8 +7688,19 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { qctx_freedata(qctx); if (dns_view_staleanswerenabled(qctx->client->view)) { - dns_db_attach(qctx->client->view->cachedb, &qctx->db); - qctx->version = NULL; + isc_result_t ret; + ret = query_getdb(qctx->client, qctx->client->query.qname, + qctx->client->query.qtype, qctx->options, + &qctx->zone, &qctx->db, &qctx->version, + &qctx->is_zone); + if (ret != ISC_R_SUCCESS) { + /* + * Failed to get the database, unexpected, but let us + * at least abandon serve-stale. + */ + return (false); + } + qctx->client->query.dboptions |= DNS_DBFIND_STALEOK; if (qctx->client->query.fetch != NULL) { dns_resolver_destroyfetch(&qctx->client->query.fetch); @@ -7707,8 +7725,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { * result from the search. */ static isc_result_t -query_gotanswer(query_ctx_t *qctx, isc_result_t res) { - isc_result_t result = res; +query_gotanswer(query_ctx_t *qctx, isc_result_t result) { char errmsg[256]; CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); @@ -7784,7 +7801,7 @@ root_key_sentinel: return (query_coveringnsec(qctx)); case DNS_R_NCACHENXDOMAIN: - result = query_redirect(qctx); + result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } 
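Review bot: In query_usestale the new failure branch after `query_getdb(...)` is described as unexpected but returns `false` silently, so the debug log never shows that serve-stale was abandoned because the database lookup failed. A trace in the style the file already uses would help: `CCTRACE(ISC_LOG_DEBUG(3), "query_usestale: query_getdb failed, abandoning serve-stale");` before `return (false);`. Note also that `qctx_freedata(qctx)` has already run above the call, so whatever query_getdb may have attached before failing (presumably zone and/or db) is handed back to the caller; whether the caller releases those is outside the hunk, as is the remainder of query_usestale.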
@@ -9601,11 +9618,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) { * Handle NXDOMAIN and empty wildcard responses. */ static isc_result_t -query_nxdomain(query_ctx_t *qctx, isc_result_t res) { +query_nxdomain(query_ctx_t *qctx, isc_result_t result) { dns_section_t section; uint32_t ttl; - isc_result_t result = res; - bool empty_wild = (res == DNS_R_EMPTYWILD); + bool empty_wild = (result == DNS_R_EMPTYWILD); CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); @@ -9614,7 +9630,7 @@ query_nxdomain(query_ctx_t *qctx, isc_result_t res) { INSIST(qctx->is_zone || REDIRECT(qctx->client)); if (!empty_wild) { - result = query_redirect(qctx); + result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } @@ -9702,7 +9718,7 @@ cleanup: * redirecting, so query processing should continue past it. */ static isc_result_t -query_redirect(query_ctx_t *qctx) { +query_redirect(query_ctx_t *qctx, isc_result_t saved_result) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); @@ -9743,7 +9759,7 @@ query_redirect(query_ctx_t *qctx) { SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); SAVE(qctx->client->query.redirect.sigrdataset, qctx->sigrdataset); - qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN; + qctx->client->query.redirect.result = saved_result; dns_name_copy(qctx->fname, qctx->client->query.redirect.fname); qctx->client->query.redirect.authoritative = qctx->authoritative; @@ -10404,7 +10420,7 @@ query_coveringnsec(query_ctx_t *qctx) { * We now have the proof that we have an NXDOMAIN. Apply * NXDOMAIN redirection if configured. */ - result = query_redirect(qctx); + result = query_redirect(qctx, DNS_R_COVERINGNSEC); if (result != ISC_R_COMPLETE) { redirected = true; goto cleanup; diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c index 9380924..1429d3b 100644 --- a/lib/ns/xfrout.c +++ b/lib/ns/xfrout.c 
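Review bot: query_redirect gains a `saved_result` parameter that is stored in `qctx->client->query.redirect.result` where a fixed `DNS_R_NCACHENXDOMAIN` used to be, and the callers now pass DNS_R_NCACHENXDOMAIN, the NXDOMAIN/empty-wildcard result, and DNS_R_COVERINGNSEC, but the function's header comment (the context line `redirecting, so query processing should continue past it`) says nothing about the new parameter or that whoever consumes `redirect.result` (outside the hunk) must now handle all three values. Suggest adding to the header: `* 'saved_result' is the lookup result that led to the redirect; it is saved in client->query.redirect.result so the deferred redirect can resume with the original outcome.` query_redirect's body continues beyond the hunk.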
@@ -1264,7 +1264,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, * Note that although 65535-byte RRs are allowed in principle, they * cannot be zone-transferred (at least not if uncompressible), * because the message and RR headers would push the size of the - * TCP message over the 65536 byte limit. + * TCP message over the 65535 byte limit. */ mem = isc_mem_get(mctx, len); isc_buffer_init(&xfr->buf, mem, len); diff --git a/m4/ax_perl_module.m4 b/m4/ax_perl_module.m4 deleted file mode 100644 index f2cddd2..0000000 --- a/m4/ax_perl_module.m4 +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: FSFAP -# -# SYNOPSIS -# -# AX_PERL_MODULE(MODULE[, ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) -# -# DESCRIPTION -# -# Checks for Perl module. -# -# LICENSE -# -# Copyright (c) 2020 Internet Systems Consortium -# -# Copying and distribution of this file, with or without modification, are -# permitted in any medium without royalty provided the copyright notice -# and this notice are preserved. This file is offered as-is, without any -# warranty. - -AC_DEFUN([AX_PERL_MODULE],[ - AC_MSG_CHECKING([for perl module: $1]) - $PERL "-M$1" -e exit >/dev/null 2>&1 - AS_IF([test $? -eq 0], - [AC_MSG_RESULT([yes]) - eval AS_TR_CPP(HAVE_PERLMOD_$1)=yes - $2 - ], - [AC_MSG_RESULT([no]) - eval AS_TR_CPP(HAVE_PERLMOD_$1)=no - $3 - ]) - ]) diff --git a/m4/ax_python_module.m4 b/m4/ax_python_module.m4 deleted file mode 100644 index b3422fc..0000000 --- a/m4/ax_python_module.m4 +++ /dev/null 
@@ -1,33 +0,0 @@ -# SPDX-License-Identifier: FSFAP -# -# SYNOPSIS -# -# AX_PYTHON_MODULE(MODULE[, ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) -# -# DESCRIPTION -# -# Checks for Python module. -# -# LICENSE -# -# Copyright (c) 2008 Andrew Collier -# (c) 2020 Internet Systems Consortium -# -# Copying and distribution of this file, with or without modification, are -# permitted in any medium without royalty provided the copyright notice -# and this notice are preserved. This file is offered as-is, without any -# warranty. - -AC_DEFUN([AX_PYTHON_MODULE],[ - AC_MSG_CHECKING([for python module: $1]) - $PYTHON -c "import $1" >/dev/null 2>&1 - AS_IF([test $? -eq 0], - [AC_MSG_RESULT([yes]) - eval AS_TR_CPP(HAVE_PYMOD_$1)=yes - $2 - ], - [AC_MSG_RESULT([no]) - eval AS_TR_CPP(HAVE_PYMOD_$1)=no - $3 - ]) - ]) diff --git a/srcid b/srcid index 0ca4d18..e991324 100644 --- a/srcid +++ b/srcid @@ -1 +1 @@ -c78cd36 +6d7674f diff --git a/tests/Makefile.in b/tests/Makefile.in index 7a21334..277b6be 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/dns/Makefile.in b/tests/dns/Makefile.in index 34e27a8..88072f8 100644 --- a/tests/dns/Makefile.in +++ b/tests/dns/Makefile.in 
@@ -127,11 +127,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/irs/Makefile.in b/tests/irs/Makefile.in index e5500c1..eb46005 100644 --- a/tests/irs/Makefile.in +++ b/tests/irs/Makefile.in @@ -106,11 +106,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/isc/Makefile.in b/tests/isc/Makefile.in index 1060d23..424a589 100644 --- a/tests/isc/Makefile.in +++ b/tests/isc/Makefile.in @@ -124,11 +124,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ 
diff --git a/tests/isc/hmac_test.c b/tests/isc/hmac_test.c index 093c6b2..a1715b0 100644 --- a/tests/isc/hmac_test.c +++ b/tests/isc/hmac_test.c @@ -45,11 +45,11 @@ static int _setup(void **state) { - isc_hmac_t *hmac = isc_hmac_new(); - if (hmac == NULL) { + isc_hmac_t *hmac_st = isc_hmac_new(); + if (hmac_st == NULL) { return (-1); } - *state = hmac; + *state = hmac_st; return (0); } @@ -76,31 +76,32 @@ _reset(void **state) { ISC_RUN_TEST_IMPL(isc_hmac_new) { UNUSED(state); - isc_hmac_t *hmac = isc_hmac_new(); - assert_non_null(hmac); - isc_hmac_free(hmac); /* Cleanup */ + isc_hmac_t *hmac_st = isc_hmac_new(); + assert_non_null(hmac_st); + isc_hmac_free(hmac_st); /* Cleanup */ } ISC_RUN_TEST_IMPL(isc_hmac_free) { UNUSED(state); - isc_hmac_t *hmac = isc_hmac_new(); - assert_non_null(hmac); - isc_hmac_free(hmac); /* Test freeing valid message digest context */ - isc_hmac_free(NULL); /* Test freeing NULL argument */ + isc_hmac_t *hmac_st = isc_hmac_new(); + assert_non_null(hmac_st); + isc_hmac_free(hmac_st); /* Test freeing valid message digest context */ + isc_hmac_free(NULL); /* Test freeing NULL argument */ } static void -isc_hmac_test(isc_hmac_t *hmac, const void *key, size_t keylen, +isc_hmac_test(isc_hmac_t *hmac_st, const void *key, size_t keylen, const isc_md_type_t *type, const char *buf, size_t buflen, const char *result, const size_t repeats) { isc_result_t res; - assert_non_null(hmac); - assert_int_equal(isc_hmac_init(hmac, key, keylen, type), ISC_R_SUCCESS); + assert_non_null(hmac_st); + assert_int_equal(isc_hmac_init(hmac_st, key, keylen, type), + ISC_R_SUCCESS); for (size_t i = 0; i < repeats; i++) { - assert_int_equal(isc_hmac_update(hmac, + assert_int_equal(isc_hmac_update(hmac_st, (const unsigned char *)buf, buflen), ISC_R_SUCCESS); 
@@ -108,7 +109,7 @@ isc_hmac_test(isc_hmac_t *hmac, const void *key, size_t keylen, unsigned char digest[ISC_MAX_MD_SIZE]; unsigned int digestlen = sizeof(digest); - assert_int_equal(isc_hmac_final(hmac, digest, &digestlen), + assert_int_equal(isc_hmac_final(hmac_st, digest, &digestlen), ISC_R_SUCCESS); char hexdigest[ISC_MAX_MD_SIZE * 2 + 3]; 
@@ -121,73 +122,76 @@ isc_hmac_test(isc_hmac_t *hmac, const void *key, size_t keylen, assert_return_code(res, ISC_R_SUCCESS); assert_memory_equal(hexdigest, result, (result ? strlen(result) : 0)); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); } ISC_RUN_TEST_IMPL(isc_hmac_init) { - isc_hmac_t *hmac = *state; - assert_non_null(hmac); + isc_hmac_t *hmac_st = *state; + assert_non_null(hmac_st); expect_assert_failure(isc_hmac_init(NULL, "", 0, ISC_MD_MD5)); - assert_int_equal(isc_hmac_init(hmac, "", 0, NULL), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, NULL), ISC_R_NOTIMPLEMENTED); - expect_assert_failure(isc_hmac_init(hmac, NULL, 0, ISC_MD_MD5)); + expect_assert_failure(isc_hmac_init(hmac_st, NULL, 0, ISC_MD_MD5)); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_MD5), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_MD5), + ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA1), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA1), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA224), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA224), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA256), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA256), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA384), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA384), ISC_R_SUCCESS); - 
assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA512), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); } ISC_RUN_TEST_IMPL(isc_hmac_update) { - isc_hmac_t *hmac = *state; - assert_non_null(hmac); + isc_hmac_t *hmac_st = *state; + assert_non_null(hmac_st); /* Uses message digest context initialized in isc_hmac_init_test() */ expect_assert_failure(isc_hmac_update(NULL, NULL, 0)); - assert_int_equal(isc_hmac_update(hmac, NULL, 100), ISC_R_SUCCESS); - assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"", 0), + assert_int_equal(isc_hmac_update(hmac_st, NULL, 100), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_update(hmac_st, (const unsigned char *)"", 0), ISC_R_SUCCESS); } ISC_RUN_TEST_IMPL(isc_hmac_reset) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; #if 0 unsigned char digest[ISC_MAX_MD_SIZE] __attribute((unused)); unsigned int digestlen __attribute((unused)); #endif /* if 0 */ - assert_non_null(hmac); + assert_non_null(hmac_st); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512), - ISC_R_SUCCESS); - assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"a", 1), - ISC_R_SUCCESS); - assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"b", 1), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA512), ISC_R_SUCCESS); + assert_int_equal( + isc_hmac_update(hmac_st, (const unsigned char *)"a", 1), + ISC_R_SUCCESS); + assert_int_equal( + isc_hmac_update(hmac_st, (const unsigned char *)"b", 1), + ISC_R_SUCCESS); - assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS); + assert_int_equal(isc_hmac_reset(hmac_st), ISC_R_SUCCESS); #if 0 /* 
@@ -195,13 +199,13 @@ ISC_RUN_TEST_IMPL(isc_hmac_reset) { * so this could be only manually checked that the test will * segfault when called by hand */ - expect_assert_failure(isc_hmac_final(hmac, digest, &digestlen)); + expect_assert_failure(isc_hmac_final(hmac_st, digest, &digestlen)); #endif /* if 0 */ } ISC_RUN_TEST_IMPL(isc_hmac_final) { - isc_hmac_t *hmac = *state; - assert_non_null(hmac); + isc_hmac_t *hmac_st = *state; + assert_non_null(hmac_st); unsigned char digest[ISC_MAX_MD_SIZE]; unsigned int digestlen = sizeof(digest); @@ -209,23 +213,23 @@ ISC_RUN_TEST_IMPL(isc_hmac_final) { /* Fail when message digest context is empty */ expect_assert_failure(isc_hmac_final(NULL, digest, &digestlen)); /* Fail when output buffer is empty */ - expect_assert_failure(isc_hmac_final(hmac, NULL, &digestlen)); + expect_assert_failure(isc_hmac_final(hmac_st, NULL, &digestlen)); - assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512), + assert_int_equal(isc_hmac_init(hmac_st, "", 0, ISC_MD_SHA512), ISC_R_SUCCESS); /* Fail when the digest length pointer is empty */ - expect_assert_failure(isc_hmac_final(hmac, digest, NULL)); + expect_assert_failure(isc_hmac_final(hmac_st, digest, NULL)); } ISC_RUN_TEST_IMPL(isc_hmac_md5) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_MD5, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_MD5, TEST_INPUT(""), "74E6F7298A9C2D168935F58C001BAD88", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_MD5, 
@@ -233,14 +237,14 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { "9294727A3638BB1C13F48EF8158BFC9D", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_MD5, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_MD5, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79" "\x61\x20\x77\x61\x6e\x74\x20\x66\x6f" "\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), "750C783E6AB0B503EAA86E310A5DB738", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_MD5, @@ -251,7 +255,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"), "56BE34521D144C88DBB8C733F0E8B3F6", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), @@ -264,7 +268,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { "697EAF0ACA3A3AEA3A75164746FFAA79", 1); #if 0 /* Test 5 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_MD5, @@ -272,7 +276,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { "4C1A03424B55E07FE7F27BE1", 1); /* Test 6 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -292,7 +296,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { "AA4AE5E15272D00E95705637CE8A3B55ED402112", 1); /* Test 7 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
@@ -315,27 +319,27 @@ ISC_RUN_TEST_IMPL(isc_hmac_md5) { } ISC_RUN_TEST_IMPL(isc_hmac_sha1) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA1, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_SHA1, TEST_INPUT(""), "FBDB1D1B18AA6C08324B7D64B71FB76370690E1D", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_SHA1, TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"), "B617318655057264E28BC0B6FB378C8EF146BE00", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA1, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_SHA1, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61" "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20" "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_SHA1, @@ -346,7 +350,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha1) { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"), "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), @@ -359,7 +363,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha1) { "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 1); #if 0 /* Test 5 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_SHA1, @@ -368,7 +372,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha1) { 1); #endif /* if 0 */ /* Test 6 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
@@ -382,7 +386,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha1) { "Hash Key First"), "AA4AE5E15272D00E95705637CE8A3B55ED402112", 1); /* Test 7 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -398,16 +402,16 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha1) { } ISC_RUN_TEST_IMPL(isc_hmac_sha224) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA224, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_SHA224, TEST_INPUT(""), "5CE14F72894662213E2748D2A6BA234B74263910CEDDE2F5" "A9271524", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_SHA224, @@ -416,7 +420,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { "4F53684B22", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA224, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_SHA224, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61" "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20" "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), @@ -424,7 +428,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { "08FD05E44", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_SHA224, @@ -437,7 +441,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { "D1EC8333EA", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), @@ -452,7 +456,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { 1); #if 0 /* Test 5 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_SHA224, 
@@ -461,7 +465,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { 1); #endif /* if 0 */ /* Test 6 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -483,7 +487,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { "273FA6870E", 1); /* Test 7 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -521,16 +525,16 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha224) { } ISC_RUN_TEST_IMPL(isc_hmac_sha256) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA256, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_SHA256, TEST_INPUT(""), "B613679A0814D9EC772F95D778C35FC5FF1697C493715653" "C6C712144292C5AD", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_SHA256, @@ -539,7 +543,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { "A726E9376C2E32CFF7", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA256, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_SHA256, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61" "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20" "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), @@ -547,7 +551,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { "839DEC58B964EC3843", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_SHA256, @@ -560,7 +564,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { "22D9635514CED565FE", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), 
@@ -575,7 +579,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { 1); #if 0 /* Test 5 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_SHA256, @@ -584,7 +588,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { 1); #endif /* if 0 */ /* Test 6 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -606,7 +610,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { "140546040F0EE37F54", 1); /* Test 7 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -644,16 +648,16 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha256) { } ISC_RUN_TEST_IMPL(isc_hmac_sha384) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA384, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_SHA384, TEST_INPUT(""), "6C1F2EE938FAD2E24BD91298474382CA218C75DB3D83E114" "B3D4367776D14D3551289E75E8209CD4B792302840234ADC", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_SHA384, @@ -663,7 +667,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { "E8B2FA9CB6", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA384, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_SHA384, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61" "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20" "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), 
@@ -672,7 +676,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { "ECFAB21649", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_SHA384, @@ -686,7 +690,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { "E101A34F27", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), @@ -702,7 +706,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { 1); #if 0 /* Test 5 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_SHA384, @@ -711,7 +715,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { 1); #endif /* if 0 */ /* Test 6 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -734,7 +738,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { "F163F44952", 1); /* Test 7 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -773,17 +777,17 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha384) { } ISC_RUN_TEST_IMPL(isc_hmac_sha512) { - isc_hmac_t *hmac = *state; + isc_hmac_t *hmac_st = *state; /* Test 0 */ - isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA512, TEST_INPUT(""), + isc_hmac_test(hmac_st, TEST_INPUT(""), ISC_MD_SHA512, TEST_INPUT(""), "B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC6" "6B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49A" "D7381EB067B338FD7B0CB22247225D47", 1); /* Test 1 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"), ISC_MD_SHA512, 
@@ -793,7 +797,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { "4EAEA3F4E4BE9D914EEB61F1702E696C203A126854", 1); /* Test 2 */ - isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA512, + isc_hmac_test(hmac_st, TEST_INPUT("Jefe"), ISC_MD_SHA512, TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61" "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20" "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"), @@ -802,7 +806,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { "65F8F0E6FDCAEAB1A34D4A6B4B636E070A38BCE737", 1); /* Test 3 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"), ISC_MD_SHA512, @@ -816,7 +820,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { "A47E67C807B946A337BEE8942674278859E13292FB", 1); /* Test 4 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19"), @@ -832,7 +836,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { 1); #if 0 /* Test 5 -- unimplemented optional functionality */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"), ISC_MD_SHA512, @@ -841,7 +845,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { 1); #endif /* if 0 */ /* Test 6 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" @@ -864,7 +868,7 @@ ISC_RUN_TEST_IMPL(isc_hmac_sha512) { "215D6A1E5295E64F73F63F0AEC8B915A985D786598", 1); /* Test 7 */ - isc_hmac_test(hmac, + isc_hmac_test(hmac_st, TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" diff --git a/tests/isc/ht_test.c b/tests/isc/ht_test.c index 89e18f3..64efa9d 100644 --- a/tests/isc/ht_test.c +++ b/tests/isc/ht_test.c 
@@ -312,7 +312,57 @@ ISC_RUN_TEST_IMPL(isc_ht_iterator) { test_ht_iterator(); } +ISC_RUN_TEST_IMPL(isc_ht_case) { + isc_ht_t *ht = NULL; + void *f = NULL; + isc_result_t result = ISC_R_UNSET; + + unsigned char lower[16] = { "test case" }; + unsigned char same[16] = { "test case" }; + unsigned char upper[16] = { "TEST CASE" }; + unsigned char mixed[16] = { "tEsT CaSe" }; + + isc_ht_init(&ht, mctx, 8, ISC_HT_CASE_SENSITIVE); + assert_non_null(ht); + + result = isc_ht_add(ht, lower, 16, (void *)lower); + assert_int_equal(result, ISC_R_SUCCESS); + + result = isc_ht_add(ht, same, 16, (void *)same); + assert_int_equal(result, ISC_R_EXISTS); + + result = isc_ht_add(ht, upper, 16, (void *)upper); + assert_int_equal(result, ISC_R_SUCCESS); + + result = isc_ht_find(ht, mixed, 16, &f); + assert_int_equal(result, ISC_R_NOTFOUND); + assert_null(f); + + isc_ht_destroy(&ht); + assert_null(ht); + + isc_ht_init(&ht, mctx, 8, ISC_HT_CASE_INSENSITIVE); + assert_non_null(ht); + + result = isc_ht_add(ht, lower, 16, (void *)lower); + assert_int_equal(result, ISC_R_SUCCESS); + + result = isc_ht_add(ht, same, 16, (void *)same); + assert_int_equal(result, ISC_R_EXISTS); + + result = isc_ht_add(ht, upper, 16, (void *)upper); + assert_int_equal(result, ISC_R_EXISTS); + + result = isc_ht_find(ht, mixed, 16, &f); + assert_int_equal(result, ISC_R_SUCCESS); + assert_ptr_equal(f, &lower); + + isc_ht_destroy(&ht); + assert_null(ht); +} + ISC_TEST_LIST_START +ISC_TEST_ENTRY(isc_ht_case) ISC_TEST_ENTRY(isc_ht_20) ISC_TEST_ENTRY(isc_ht_8) ISC_TEST_ENTRY(isc_ht_1) diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c index a20db6b..49e5e01 100644 --- a/tests/isc/netmgr_test.c +++ b/tests/isc/netmgr_test.c 
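Review bot: The final `assert_ptr_equal(f, &lower);` in isc_ht_case compares the found value with the address of the array object, while the value stored by `isc_ht_add(ht, lower, 16, (void *)lower)` is the decayed pointer; both evaluate to the same address so the check passes, but the type mismatch reads as an accident and `assert_ptr_equal(f, lower);` says what is actually being verified. The case-sensitive half never performs a successful lookup, so the `ISC_R_NOTFOUND` for `mixed` has no positive control; a preceding `result = isc_ht_find(ht, lower, 16, &f); assert_int_equal(result, ISC_R_SUCCESS); assert_ptr_equal(f, lower);` would distinguish "case is respected" from "find is broken". Note that `assert_null(f)` after the failed find presumably relies on isc_ht_find leaving `*valuep` untouched on a miss rather than clearing it — worth confirming against the implementation, since `f` is never reset between the two halves.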
@@ -393,8 +393,8 @@ noop_recv_cb(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, UNUSED(cbarg); } -static unsigned int -noop_accept_cb(isc_nmhandle_t *handle, unsigned int result, void *cbarg) { +static isc_result_t +noop_accept_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { UNUSED(handle); UNUSED(cbarg); @@ -402,7 +402,7 @@ noop_accept_cb(isc_nmhandle_t *handle, unsigned int result, void *cbarg) { (void)atomic_fetch_add(&saccepts, 1); } - return (0); + return (ISC_R_SUCCESS); } static void 
@@ -2401,6 +2401,176 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_one) { atomic_assert_int_eq(ssends, 0); } +static void +tlsdns_many_listen_read_cb(isc_nmhandle_t *handle, isc_result_t eresult, + isc_region_t *region, void *cbarg) { + uint64_t magic = 0; + isc_nmhandle_t *sendhandle = NULL; + isc_buffer_t *send_data = (isc_buffer_t *)cbarg; + isc_region_t send_messages = { 0 }; + + assert_non_null(handle); + assert_non_null(send_data); + + F(); + + if (eresult != ISC_R_SUCCESS) { + goto unref; + } + + atomic_fetch_add(&sreads, 1); + + assert_true(region->length >= sizeof(magic)); + + memmove(&magic, region->base + sizeof(uint16_t), sizeof(magic)); + assert_true(magic == stop_magic || magic == send_magic); + + isc_nmhandle_attach(handle, &sendhandle); + isc_refcount_increment0(&active_ssends); + isc_nmhandle_setwritetimeout(sendhandle, T_IDLE); + /* send multiple DNS messages at once */ + isc_buffer_usedregion(send_data, &send_messages); + isc_nm_send(sendhandle, &send_messages, listen_send_cb, cbarg); +unref: + isc_refcount_decrement(&active_sreads); + isc_nmhandle_detach(&handle); +} + +static isc_result_t +tlsdns_many_listen_accept_cb(isc_nmhandle_t *handle, isc_result_t eresult, + void *cbarg) { + isc_nmhandle_t *readhandle = NULL; + + UNUSED(cbarg); + + F(); + + if (eresult != ISC_R_SUCCESS) { + return (eresult); + } + + atomic_fetch_add(&saccepts, 1); + + isc_refcount_increment0(&active_sreads); + isc_nmhandle_attach(handle, &readhandle); + isc_nm_read(handle, tlsdns_many_listen_read_cb, cbarg); + + return (ISC_R_SUCCESS); +} + +static void +tlsdns_many_connect_read_cb(isc_nmhandle_t *handle, isc_result_t eresult, + isc_region_t *region, void *cbarg) { + isc_nmhandle_t *sendhandle = NULL; + uint64_t magic = 0; + + UNUSED(cbarg); + + assert_non_null(handle); + + F(); + + if (eresult != ISC_R_SUCCESS) { + goto unref; + } + + assert_true(region->length >= sizeof(magic)); + + atomic_fetch_add(&creads, 1); + + memmove(&magic, region->base, sizeof(magic)); + + 
assert_true(magic == stop_magic || magic == send_magic); + + isc_refcount_increment0(&active_csends); + isc_nmhandle_attach(handle, &sendhandle); + isc_nmhandle_setwritetimeout(handle, T_IDLE); + /* + * At this point the read is completed, so we should stop that - + * but the sending code will make a cycling through input + * attempt. When not properly handled, this situation will cause + * excessive reads. + */ + isc_nm_send(sendhandle, &send_msg, connect_send_cb, NULL); + +unref: + isc_refcount_decrement(&active_creads); + isc_nmhandle_detach(&handle); +} + +/* + * A unit test *VERY* specific to #4487 - it would crash the unit test + * suite without the related fix due to excessive/unexpected reads. + * + * The intention behind the test is to (needlessly ;-)) prove that the + * author of the fix is not fantasising and excessive reads are + * possible in principle. Also, it proves that there is more than one + * way to do that. + * + * It is *not* reproducing the situation from the bug report 1:1, as + * it is impossible to understand what exactly was going on with this + * custom/proprietary server without having access to it (and even in + * that case the bug was hard to reproduce to the point, where the + * reporters considered it to be fixed for a while). There are far too + * many things a play. + */ +ISC_RUN_TEST_IMPL(tlsdns_server_send_many_recv_one) { + isc_result_t result = ISC_R_SUCCESS; + isc_nmsocket_t *listen_sock = NULL; + uint8_t buf[512]; + isc_buffer_t server_send_buf = { 0 }; + + isc_buffer_init(&server_send_buf, buf, sizeof(buf)); + + /* + * Prepare a buffer with three "DNS" messages which we will send + * at once (our code does not normally do that do that). 
+ */ + isc_buffer_putuint16(&server_send_buf, (uint16_t)send_msg.length); + isc_buffer_putmem(&server_send_buf, send_msg.base, send_msg.length); + isc_buffer_putuint16(&server_send_buf, (uint16_t)send_msg.length); + isc_buffer_putmem(&server_send_buf, send_msg.base, send_msg.length); + isc_buffer_putuint16(&server_send_buf, (uint16_t)send_msg.length); + isc_buffer_putmem(&server_send_buf, send_msg.base, send_msg.length); + + atomic_store(&nsends, 1); + + result = isc_nm_listentls( + listen_nm, &tcp_listen_addr, tlsdns_many_listen_accept_cb, + &server_send_buf, 0, 0, NULL, tcp_listen_tlsctx, &listen_sock); + assert_int_equal(result, ISC_R_SUCCESS); + + connect_readcb = tlsdns_many_connect_read_cb; + isc_refcount_increment0(&active_cconnects); + isc_nm_tlsdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr, + connect_connect_cb, NULL, T_CONNECT, 0, + tcp_connect_tlsctx, tcp_tlsctx_client_sess_cache); + + WAIT_FOR_EQ(cconnects, 1); + WAIT_FOR_LE(nsends, 0); + WAIT_FOR_EQ(csends, 2); + WAIT_FOR_EQ(sreads, 1); + WAIT_FOR_EQ(ssends, 1); + WAIT_FOR_EQ(creads, 1); + + isc_nm_stoplistening(listen_sock); + isc_nmsocket_close(&listen_sock); + assert_null(listen_sock); + isc__netmgr_shutdown(connect_nm); + + X(cconnects); + X(csends); + X(creads); + X(sreads); + X(ssends); + + atomic_assert_int_eq(cconnects, 1); + atomic_assert_int_eq(csends, 2); + atomic_assert_int_eq(creads, 1); + atomic_assert_int_eq(sreads, 1); + atomic_assert_int_eq(ssends, 1); +} + ISC_RUN_TEST_IMPL(tlsdns_recv_two) { isc_result_t result = ISC_R_SUCCESS; isc_nmsocket_t *listen_sock = NULL; 
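Review bot: In tlsdns_many_listen_read_cb the bound `assert_true(region->length >= sizeof(magic));` does not cover the read that follows it, which copies `sizeof(magic)` bytes starting at `region->base + sizeof(uint16_t)`; a region of exactly 8 bytes passes the assertion and the memmove then reads two bytes past the end. Since the listener is created with isc_nm_listentls (a raw TLS stream, hence the length prefix being skipped here), the guard should be `assert_true(region->length >= sizeof(uint16_t) + sizeof(magic));`, mirroring the prefix-free check in tlsdns_many_connect_read_cb. The comments in tlsdns_server_send_many_recv_one and its header also carry two typos worth fixing in the same pass: "does not normally do that do that" and "far too many things a play" (at play). The hunk opens on the tail of tlsdns_recv_one and closes on the first lines of tlsdns_recv_two, but the three new functions are complete within it.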
@@ -2879,6 +3049,8 @@ ISC_TEST_ENTRY_CUSTOM(tls_half_recv_half_send_quota_sendback, setup_test, /* TLSDNS */ ISC_TEST_ENTRY_CUSTOM(tlsdns_recv_one, setup_test, teardown_test) +ISC_TEST_ENTRY_CUSTOM(tlsdns_server_send_many_recv_one, setup_test, + teardown_test) ISC_TEST_ENTRY_CUSTOM(tlsdns_recv_two, setup_test, teardown_test) ISC_TEST_ENTRY_CUSTOM(tlsdns_noop, setup_test, teardown_test) ISC_TEST_ENTRY_CUSTOM(tlsdns_noresponse, setup_test, teardown_test) diff --git a/tests/isccfg/Makefile.in b/tests/isccfg/Makefile.in index 712138a..305d6bb 100644 --- a/tests/isccfg/Makefile.in +++ b/tests/isccfg/Makefile.in @@ -106,11 +106,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/libtest/Makefile.in b/tests/libtest/Makefile.in index 8e89774..578a154 100644 --- a/tests/libtest/Makefile.in +++ b/tests/libtest/Makefile.in @@ -106,11 +106,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/libtest/ns.c b/tests/libtest/ns.c index 4a53ad8..16eaefc 100644 --- a/tests/libtest/ns.c 
+++ b/tests/libtest/ns.c @@ -290,7 +290,7 @@ attach_query_msg_to_client(ns_client_t *client, const char *qnamestr, dns_rdatatype_t qtype, unsigned int qflags) { dns_rdataset_t *qrdataset = NULL; dns_message_t *message = NULL; - unsigned char query[65536]; + unsigned char query[65535]; dns_name_t *qname = NULL; isc_buffer_t querybuf; dns_compress_t cctx; diff --git a/tests/ns/Makefile.in b/tests/ns/Makefile.in index efa0cc9..bc9d291 100644 --- a/tests/ns/Makefile.in +++ b/tests/ns/Makefile.in @@ -107,11 +107,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/tests/unit-test-driver.sh.in b/tests/unit-test-driver.sh.in index 9a60db1..1d35b0e 100644 --- a/tests/unit-test-driver.sh.in +++ b/tests/unit-test-driver.sh.in @@ -15,8 +15,8 @@ TOP_BUILDDIR=@abs_top_builddir@ TOP_SRCDIR=@abs_top_srcdir@ if [ -z "${1}" ]; then - echo "Usage: ${0} test_program" >&2 - exit 1 + echo "Usage: ${0} test_program" >&2 + exit 1 fi TEST_PROGRAM="${1}" 
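Review bot: `unsigned char query[65535];` replaces a 65536-byte buffer with a bare magic number and nothing in the hunk says why the size changed; a one-line comment such as `/* largest DNS message expressible by a 16-bit length field */` would record the presumed reason and keep the next reader from "fixing" it back to a power of two. If the project already has a named constant for the maximum DNS message size, using it here would be preferable to the literal. attach_query_msg_to_client's body continues outside the hunk, so whether `sizeof(query)` is the only place this limit is relied on cannot be seen from here.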
@@ -26,35 +26,35 @@ TIMEOUT=300 TEST_PROGRAM_PID=${!} STATUS=124 while [ ${TIMEOUT} -gt 0 ]; do - if ! kill -0 "${TEST_PROGRAM_PID}" 2>/dev/null; then - wait "${TEST_PROGRAM_PID}" - STATUS=${?} - break - fi - sleep 1 - TIMEOUT=$((TIMEOUT - 1)) + if ! kill -0 "${TEST_PROGRAM_PID}" 2>/dev/null; then + wait "${TEST_PROGRAM_PID}" + STATUS=${?} + break + fi + sleep 1 + TIMEOUT=$((TIMEOUT - 1)) done if [ ${TIMEOUT} -eq 0 ]; then - echo "PID ${TEST_PROGRAM_PID} exceeded run time limit, sending SIGABRT" >&2 - kill -ABRT "${TEST_PROGRAM_PID}" 2>/dev/null + echo "PID ${TEST_PROGRAM_PID} exceeded run time limit, sending SIGABRT" >&2 + kill -ABRT "${TEST_PROGRAM_PID}" 2>/dev/null fi TEST_PROGRAM_NAME=$(basename "${TEST_PROGRAM}") TEST_PROGRAM_WORK_DIR=$(dirname "${TEST_PROGRAM}") find "${TEST_PROGRAM_WORK_DIR}" -name 'core*' -or -name '*.core' | while read -r CORE_DUMP; do - BINARY=$(gdb --batch --core="${CORE_DUMP}" 2>/dev/null | sed -n "s/^Core was generated by \`\(.*\)'\.\$/\1/p") - if ! echo "${BINARY}" | grep -q "${TEST_PROGRAM_NAME}\$"; then - continue - fi - echo "I:${TEST_PROGRAM_NAME}:Core dump found: ${CORE_DUMP}" - echo "D:${TEST_PROGRAM_NAME}:backtrace from ${CORE_DUMP} start" - "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ - --batch \ - --command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ - --core="${CORE_DUMP}" \ - -- \ - "${BINARY}" - echo "D:${TEST_PROGRAM_NAME}:backtrace from ${CORE_DUMP} end" + BINARY=$(gdb --batch --core="${CORE_DUMP}" 2>/dev/null | sed -n "s/^Core was generated by \`\(.*\)'\.\$/\1/p") + if ! 
echo "${BINARY}" | grep -q "${TEST_PROGRAM_NAME}\$"; then + continue + fi + echo "I:${TEST_PROGRAM_NAME}:Core dump found: ${CORE_DUMP}" + echo "D:${TEST_PROGRAM_NAME}:backtrace from ${CORE_DUMP} start" + "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ + --batch \ + --command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ + --core="${CORE_DUMP}" \ + -- \ + "${BINARY}" + echo "D:${TEST_PROGRAM_NAME}:backtrace from ${CORE_DUMP} end" done exit ${STATUS} -- cgit v1.2.3