From 14509ce60103dab695cef4d4f31321bab27ab967 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 8 Apr 2024 18:41:28 +0200 Subject: Merging upstream version 1:9.18.24. Signed-off-by: Daniel Baumann --- bin/tests/system/doth/ns1/named.conf.in | 27 +- bin/tests/system/doth/ns2/named.conf.in | 4 +- bin/tests/system/doth/ns3/named.conf.in | 4 +- bin/tests/system/doth/ns4/named.conf.in | 4 +- bin/tests/system/doth/ns5/named.conf.in | 83 ++++ bin/tests/system/doth/prereq.sh | 4 +- bin/tests/system/doth/setup.sh | 15 +- bin/tests/system/doth/stress_http_quota.py | 4 +- bin/tests/system/doth/tests.sh | 677 +++++++++++++++-------------- 9 files changed, 481 insertions(+), 341 deletions(-) create mode 100644 bin/tests/system/doth/ns5/named.conf.in (limited to 'bin/tests/system/doth') diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in index 500675f..6a8bcdb 100644 --- a/bin/tests/system/doth/ns1/named.conf.in +++ b/bin/tests/system/doth/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -89,6 +89,7 @@ options { listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH + listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; }; // DoT recursion no; notify explicit; also-notify { 10.53.0.2 port @PORT@; }; 
@@ -170,3 +171,27 @@ zone "example11" { file "example.db"; allow-transfer port @EXTRAPORT5@ transport tls { any; }; }; + +zone "example12" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example13" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example14" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example15" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in index 3cb2042..e533f47 100644 --- a/bin/tests/system/doth/ns2/named.conf.in +++ b/bin/tests/system/doth/ns2/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -55,7 +55,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-example-primary { diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in index 74d3957..cd1ab9c 100644 --- a/bin/tests/system/doth/ns3/named.conf.in +++ b/bin/tests/system/doth/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -48,7 +48,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in index 077226a..c7c6c91 100644 --- a/bin/tests/system/doth/ns4/named.conf.in +++ b/bin/tests/system/doth/ns4/named.conf.in 
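Review bot: The four new zones example12–example15 are byte-identical apart from their names, and nothing in ns1/named.conf.in says why they exist; the reader has to find the "reuse the same entry multiple times" comment in ns5/named.conf.in to learn that they are there so ns5 can pull four zones through one shared `tls` entry. Add a comment above `zone "example12"` such as `// example12-15 are identical; they are served on the EXTRAPORT7 DoT listener so that ns5 can transfer several zones through a single shared tls entry (see ns5/named.conf.in).` It is also worth noting in that comment that, unlike example11 on EXTRAPORT5 (mutual TLS), these zones use `allow-transfer ... transport tls { any; }` on a listener without client-certificate checks, so any TLS client can transfer them — acceptable for a test fixture, but it should be stated rather than inferred.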
@@ -18,7 +18,7 @@ # startup/reconfiguration was known to cause timeout issues in the CI # system, where many tests run in parallel. -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -56,7 +56,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in new file mode 100644 index 0000000..6808618 --- /dev/null +++ b/bin/tests/system/doth/ns5/named.conf.in 
@@ -0,0 +1,83 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# We need a separate instance for the "rndc reconfig" test in order to +# ensure that it does not use ephemeral keys (these are costly to +# generate) and creates a minimal amount of TLS contexts, reducing the +# time needed for startup/reconfiguration. Long +# startup/reconfiguration was known to cause timeout issues in the CI +# system, where many tests run in parallel. + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + tls-port @TLSPORT@; + https-port @HTTPSPORT@; + http-port @HTTPPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." 
{ + type hint; + file "../../_common/root.hint"; +}; + +# Let's reuse the same entry multiple times to see if transfers will succeed + +tls tls-v1.2 { + protocols { TLSv1.2; }; + prefer-server-ciphers yes; +}; + +zone "example12" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example12.db"; + allow-transfer { any; }; +}; + +zone "example13" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example13.db"; + allow-transfer { any; }; +}; + +zone "example14" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example14.db"; + allow-transfer { any; }; +}; + +zone "example15" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example15.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/doth/prereq.sh b/bin/tests/system/doth/prereq.sh index 36a8e37..c745136 100644 --- a/bin/tests/system/doth/prereq.sh +++ b/bin/tests/system/doth/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --with-libnghttp2 || { - echo_i "This test requires libnghttp2 support." >&2 - exit 255 + echo_i "This test requires libnghttp2 support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh index c50c31f..775dd33 100644 --- a/bin/tests/system/doth/setup.sh +++ b/bin/tests/system/doth/setup.sh 
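Review bot: The `tls tls-v1.2` block that all four `primaries` entries reference carries no `ca-file` or `remote-hostname`, so as far as this file shows the transfers from ns1 are Opportunistic TLS — ns5 encrypts but never authenticates the primary — and the only comment near it ("Let's reuse the same entry multiple times") does not say whether that is deliberate. Add a line such as `# No ca-file/remote-hostname on purpose: this is Opportunistic TLS, the test only exercises context reuse, not peer authentication.` The header comment at the top ("We need a separate instance for the 'rndc reconfig' test ... does not use ephemeral keys") reads like a copy of the ns4 header (the same paragraph is visible in the ns4 hunk), while nothing in this chunk shows an rndc reconfig test against ns5; I would replace it with a header that matches the zone comment, e.g. `# ns5 is a secondary for example12-15; all four zones share one tls entry so that repeated transfers over a single reused TLS context are exercised.` Finally, `prefer-server-ciphers yes` is a server-side preference and this tls entry is only referenced from `primaries` (client side), so it likely has no effect here — either drop it or say why it is kept.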
@@ -15,18 +15,19 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db -echo '; huge answer' >> ns1/example.db +echo '; huge answer' >>ns1/example.db x=1 while [ $x -le 50 ]; do - y=1 - while [ $y -le 50 ]; do - printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db - y=$((y+1)) - done - x=$((x+1)) + y=1 + while [ $y -le 50 ]; do + printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db + y=$((y + 1)) + done + x=$((x + 1)) done copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf diff --git a/bin/tests/system/doth/stress_http_quota.py b/bin/tests/system/doth/stress_http_quota.py index 12e29c8..05ad043 100755 --- a/bin/tests/system/doth/stress_http_quota.py +++ b/bin/tests/system/doth/stress_http_quota.py @@ -161,12 +161,12 @@ class SubDIG: # and examining their statuses in one logical operation. class MultiDIG: def __init__(self, numdigs, http_secure=None, extra_args=None): - assert int(numdigs) > 0 + assert int(numdigs) > 0, f"numdigs={numdigs}" digs = [] for _ in range(1, int(numdigs) + 1): digs.append(SubDIG(http_secure=http_secure, extra_args=extra_args)) self.digs = digs - assert len(self.digs) == int(numdigs) + assert len(self.digs) == int(numdigs), f"len={len(self.digs)} numdigs={numdigs}" def run(self): for p in self.digs: diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index a95bd8c..aad2352 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh 
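Review bot: `MultiDIG.__init__` converts the same argument with `int(numdigs)` three times (the guard, the `range()` bound and the final length assert), which is the kind of repetition that hides a mismatch if one site is later edited; normalise once at the top and use the plain name afterwards, e.g. `numdigs = int(numdigs)`, `assert numdigs > 0, f"numdigs={numdigs}"`, `for _ in range(numdigs):` (and `assert len(self.digs) == numdigs, ...` for the second check). The new f-string messages are a good addition, but note that `assert` is stripped under `python -O`; if this script is ever run optimised the guard against a zero or negative count disappears, so a `raise ValueError(...)` would be the safer form for input validation. The rest of the class, including `run`, continues outside this hunk.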
@@ -23,9 +23,9 @@ msg_peer_verification_failed=";; TLS peer certificate verification" ca_file="./CA/CA.pem" if [ -x "$PYTHON" ]; then - OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") - OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) - OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) + OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") + OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) + OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) fi # According to the RFC 8310, Section 8.1, Subject field MUST 
@@ -44,91 +44,91 @@ fi # ignore the tests checking the correct handling of absence of # SubjectAltName. if [ -n "$OPENSSL_VERSION" ]; then - if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then - run_san_tests=1 - elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then - run_san_tests=1 - fi + if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then + run_san_tests=1 + elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then + run_san_tests=1 + fi fi dig_with_tls_opts() { - # shellcheck disable=SC2086 - "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" } dig_with_https_opts() { - # shellcheck disable=SC2086 - "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" } dig_with_http_opts() { - # shellcheck disable=SC2086 - "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" } dig_with_opts() { - # shellcheck disable=SC2086 - "$DIG" $common_dig_options -p "${PORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" $common_dig_options -p "${PORT}" "$@" } wait_for_tls_xfer() ( - srv_number="$1" - shift - zone_name="$1" - shift - # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces - dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1 - grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1 - return 0 + srv_number="$1" + shift + zone_name="$1" + shift + # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces + dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." 
AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1 + grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1 + return 0 ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing XoT server functionality (using dig) ($n)" ret=0 -dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp example.axfr.good dig.out.ns1.test$n || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example; then - digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) if [ -n "$run_san_tests" ]; then - n=$((n + 1)) - echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" - ret=0 - if retry_quiet 10 wait_for_tls_xfer 2 example3; then - ret=1 - else - echo_i "timed out waiting for zone transfer" - fi - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" + ret=0 + if retry_quiet 10 wait_for_tls_xfer 2 example3; then + ret=1 + else + echo_i "timed out waiting for zone transfer" + fi + if [ $ret != 0 ]; then echo_i "failed"; fi + 
status=$((status + ret)) fi n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via implicit IP) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example4; then - retry_quiet 5 test -f "ns2/example4.db" || ret=1 + retry_quiet 5 test -f "ns2/example4.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example4.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example4.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -137,11 +137,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv4) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example5; then - retry_quiet 5 test -f "ns2/example5.db" || ret=1 + retry_quiet 5 test -f "ns2/example5.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example5.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example5.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -150,11 +150,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv6) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example6; then - retry_quiet 5 test -f "ns2/example6.db" || ret=1 + retry_quiet 5 test -f "ns2/example6.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example6.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example6.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -163,9 +163,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, wrong hostname, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example7; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -174,9 +174,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, expired certificate, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example8; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -185,11 +185,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example9; then - retry_quiet 5 test -f "ns2/example9.db" || ret=1 + retry_quiet 5 test -f "ns2/example9.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example9.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example9.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,9 +198,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, no client cert, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example10; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -209,96 +209,96 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, expired client cert, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example11; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the second secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 3 example; then - digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns3.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns3.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 3 example2; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the third secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 4 example; then - digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns4.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" 
"dig.out.ns4.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (ephemeral key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query via IPv6 (ephemeral key) ($n)" ret=0 -dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (static key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query via IPv6 (static key) ($n)" ret=0 -dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT XFR ($n)" ret=0 -dig_with_tls_opts +comm @10.53.0.1 . 
AXFR > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # zone transfers are allowed only via TLS -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)" ret=0 -dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 -grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1 +dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 +grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -306,8 +306,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking Do53 query ($n)" ret=0 -dig_with_opts @10.53.0.1 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -321,8 +321,8 @@ n=$((n + 1)) echo_i "checking DoT XFR with wrong ALPN token (h2, failure expected) ($n)" ret=0 # shellcheck disable=SC2086 -"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR > dig.out.test$n -grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1 +"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR >dig.out.test$n +grep "$msg_xfrs_not_allowed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -332,279 +332,279 @@ n=$((n + 1)) echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)" ret=0 # shellcheck disable=SC2086 -"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1 +"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "ALPN for HTTP/2 failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST) ($n)" ret=0 -dig_with_https_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST) ($n)" ret=0 -dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . 
SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, static key) ($n)" ret=0 -dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, static key) ($n)" ret=0 -dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . 
SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (POST) (failure expected) ($n)" ret=0 -dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET) ($n)" ret=0 -dig_with_https_opts +stat +https-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat +https-get @10.53.0.1 . 
SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET) ($n)" ret=0 -dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, static key) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, static key) ($n)" ret=0 -dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get=/alter @10.53.0.1 . 
SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (GET) (failure expected) ($n)" ret=0 -dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." 
dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (POST) ($n)" ret=0 -dig_with_http_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)" ret=0 -dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (GET) ($n)" ret=0 -dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)" ret=0 -dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . 
SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH XFR (failure expected) ($n)" ret=0 -dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query for a large answer (POST) ($n)" ret=0 -dig_with_https_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)" ret=0 -dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query for a 
large answer (GET) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)" ret=0 -dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query for a large answer (POST) ($n)" ret=0 -dig_with_http_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)" ret=0 -dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 
biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query for a large answer (GET) ($n)" ret=0 -dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)" ret=0 -dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -wait_for_tlsctx_update_ns4 () { - grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run > /dev/null || return 1 - grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run > /dev/null || return 1 - return 0 +wait_for_tlsctx_update_ns4() { + grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run >/dev/null || return 1 + grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run >/dev/null || return 1 + return 0 } n=$((n + 1)) 
@@ -618,16 +618,16 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoT query after a reconfiguration ($n)"
 ret=0
-dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (POST) after a reconfiguration ($n)"
 ret=0
-dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -635,7 +635,7 @@ n=$((n + 1))
 echo_i "doing rndc reconfig to see if HTTP endpoints have gotten reconfigured ($n)"
 ret=0
 # 'sed -i ...' is not portable. Sigh...
-sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" > "ns4/named.conf.sed"
+sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" >"ns4/named.conf.sed"
 mv -f "ns4/named.conf.sed" "ns4/named.conf"
 rndc_reconfig ns4 10.53.0.4 60
 retry_quiet 15 wait_for_tlsctx_update_ns4 || ret=1
@@ -645,40 +645,40 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking DoH query (POST) to verify HTTP endpoint reconfiguration ($n)"
 ret=0
-dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (with TLS verification enabled) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (with TLS verification enabled, self-signed cert, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (with TLS verification using the system's CA store, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (with TLS verification using the system's CA store, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -687,30 +687,30 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (with TLS verification, hostname is not specified, IP address is used instead) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null && ret=1 +dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if [ -n "$run_san_tests" ]; then - # SubjectAltName is required for DoT as according to RFC 8310, Subject - # field MUST NOT be inspected when verifying hostname for DoT. - n=$((n + 1)) - echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)" - ret=0 - dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 - grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)" - ret=0 - # shellcheck disable=SC2086 - dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 - grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + # SubjectAltName is required for DoT as according to RFC 8310, Subject + # field MUST NOT be inspected when verifying hostname for DoT. + n=$((n + 1)) + echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)" + ret=0 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . 
SOA >dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)" + ret=0 + # shellcheck disable=SC2086 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # SubjectAltName is not required for HTTPS. Having a properly set 
@@ -718,48 +718,48 @@ fi
 n=$((n + 1))
 echo_i "checking DoH query (when SubjectAltName is not set) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (expired certificate, Opportunistic TLS) ($n)"
 ret=0
-dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoT query (expired certificate, Strict TLS, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing XoT server functionality (using dig, client certificate required, failure expected) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
 status=$((status + ret))
 
-n=$((n+1))
+n=$((n + 1))
 echo_i "testing XoT server functionality (using dig, client certificate used) ($n)"
 ret=0
-dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1
-digcomp dig.out.ns1.test$n example8.axfr.good > /dev/null || ret=1
-if test $ret != 0 ; then echo_i "failed"; fi
+dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1
+digcomp dig.out.ns1.test$n example8.axfr.good >/dev/null || ret=1
+if test $ret != 0; then echo_i "failed"; fi
 status=$((status + ret))
 
 n=$((n + 1))
 echo_i "checking DoH query (client certificate required, failure expected) ($n)"
 ret=0
-dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n && ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n && ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -767,8 +767,8 @@ n=$((n + 1))
 echo_i "checking DoH query (client certificate used) ($n)"
 ret=0
 # shellcheck disable=SC2086
-dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
@@ -777,64 +777,63 @@ n=$((n + 1)) echo_i "checking DoH query (client certificate used - session resumption when using Mutual TLS) ($n)" ret=0 # shellcheck disable=SC2086 -dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA > dig.out.test$n || ret=1 -grep "TLS error" dig.out.test$n > /dev/null && ret=1 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA >dig.out.test$n || ret=1 +grep "TLS error" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) test_opcodes() { - EXPECT_STATUS="$1" - shift - for op in "$@"; - do - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" - ret=0 - dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" - ret=0 - dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" - ret=0 - dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op 
($n)" - ret=0 - dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" - ret=0 - dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" - ret=0 - dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - done + EXPECT_STATUS="$1" + shift + for op in "$@"; do + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" + ret=0 + dig_with_https_opts +https @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" + ret=0 + dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking 
unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" + ret=0 + dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" + ret=0 + dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done } test_opcodes NOERROR 0 
@@ -845,45 +844,77 @@ n=$((n + 1)) echo_i "checking server quotas for both encrypted and unencrypted HTTP ($n)" ret=0 if [ -x "$PYTHON" ]; then - BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? + BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? else - echo_i "Python is not available. Skipping the test..." + echo_i "Python is not available. Skipping the test..." fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # check whether we can use curl for sending test queries. -if [ -x "${CURL}" ] ; then - CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" - - if [ -n "$CURL_HTTP2" ]; then - testcurl=1 - else - echo_i "The available version of CURL does not have HTTP/2 support" - fi +if [ -x "${CURL}" ]; then + CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" + + if [ -n "$CURL_HTTP2" ]; then + testcurl=1 + else + echo_i "The available version of CURL does not have HTTP/2 support" + fi fi # Note: see README.curl for information on how to generate curl # queries. 
if [ -n "$testcurl" ]; then - n=$((n + 1)) - echo_i "checking max-age for positive answer ($n)" - ret=0 - # use curl to query for 'example/SOA' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=86400" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking max-age for negative answer ($n)" - ret=0 - # use curl to query for 'fake.example/TXT' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=3600" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "checking max-age for positive answer ($n)" + ret=0 + # use curl to query for 'example/SOA' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=86400" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking max-age for negative answer ($n)" + ret=0 + # use curl to query for 'fake.example/TXT' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=3600" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example12\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example12 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) 
+echo_i "checking Do53 query to NS5 for zone \"example13\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example13 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example14\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example14 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example15\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example15 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 -- cgit v1.2.3
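Review bot: The four new NS5 checks added after the curl block only assert that a plain Do53 SOA query for example12 through example15 answers NOERROR, which any loaded copy of the zone satisfies and which does not by itself show that ns5 obtained each zone over TLS with a reused client TLS context, as the echo_i text claims. Tying each check to ns5's log would make it fail for the right reason: something like `grep "transfer of '$zone/IN'.*Transfer completed" ns5/named.run >/dev/null || ret=1`, assuming ns5 logs incoming transfers at its configured level (confirm the exact message against ns5/named.run from a passing run). The four copies differ only in the zone name, so a loop in the style of `test_opcodes` would keep them consistent and make adding a zone a one-token change; the rewritten block below shows that shape.
```shell
for zone in example12 example13 example14 example15; do
  n=$((n + 1))
  echo_i "checking Do53 query to NS5 for zone \"$zone\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)"
  ret=0
  dig_with_opts +comm @10.53.0.5 "$zone" SOA >dig.out.test$n || ret=1
  grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
  # require evidence that the zone actually arrived via XFR, not just that it is loaded
  grep "transfer of '$zone/IN'.*Transfer completed" ns5/named.run >/dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done
```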