summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/synthfromdnssec
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/synthfromdnssec')
-rw-r--r--bin/tests/system/synthfromdnssec/clean.sh50
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/dnamed.db.in17
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/example.db.in25
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/minimal.db.in46
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/named.conf.in72
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/root.db.in24
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/sign.sh76
-rw-r--r--bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in23
-rw-r--r--bin/tests/system/synthfromdnssec/ns2/example.internal.db16
-rw-r--r--bin/tests/system/synthfromdnssec/ns2/named.conf.in57
-rw-r--r--bin/tests/system/synthfromdnssec/ns2/root.hints13
-rw-r--r--bin/tests/system/synthfromdnssec/ns3/named.conf.in52
-rw-r--r--bin/tests/system/synthfromdnssec/ns3/redirect.db20
-rw-r--r--bin/tests/system/synthfromdnssec/ns3/root.hints13
-rw-r--r--bin/tests/system/synthfromdnssec/ns4/named.conf.in48
-rw-r--r--bin/tests/system/synthfromdnssec/ns4/root.hints13
-rw-r--r--bin/tests/system/synthfromdnssec/ns5/internal2.db17
-rw-r--r--bin/tests/system/synthfromdnssec/ns5/named.conf.in60
-rw-r--r--bin/tests/system/synthfromdnssec/ns5/root.hints13
-rw-r--r--bin/tests/system/synthfromdnssec/ns6/named.conf.in48
-rw-r--r--bin/tests/system/synthfromdnssec/ns6/root.hints13
-rw-r--r--bin/tests/system/synthfromdnssec/setup.sh29
-rw-r--r--bin/tests/system/synthfromdnssec/tests.sh904
-rw-r--r--bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py14
24 files changed, 1663 insertions, 0 deletions
diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
new file mode 100644
index 0000000..bd86173
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./*/named.stats
+rm -f ./dig.out.*
+rm -f ./ns1/K*+*+*.key
+rm -f ./ns1/K*+*+*.private
+rm -f ./ns1/dsset-*
+rm -f ./ns1/example.db
+rm -f ./ns1/example.db.signed
+rm -f ./ns1/insecure.example.db
+rm -f ./ns1/insecure.example.db.signed
+rm -f ./ns1/dnamed.db
+rm -f ./ns1/dnamed.db.signed
+rm -f ./ns1/minimal.db
+rm -f ./ns1/minimal.db.signed
+rm -f ./ns1/root.db
+rm -f ./ns1/root.db.signed
+rm -f ./ns1/soa-without-dnskey.db
+rm -f ./ns1/soa-without-dnskey.db.signed
+rm -f ./ns1/trusted.conf
+rm -f ./ns2/named_dump.db
+rm -f ./ns*/managed-keys.bind*
+rm -f ./nodata.out ./insecure.nodata.out
+rm -f ./nxdomain.out ./insecure.nxdomain.out
+rm -f ./wild.out ./insecure.wild.out
+rm -f ./wildcname.out ./insecure.wildcname.out
+rm -f ./wildnodata1nsec.out ./insecure.wildnodata1nsec.out
+rm -f ./wildnodata2nsec.out ./insecure.wildnodata2nsec.out
+rm -f ./wildnodata2nsecafterdata.out ./insecure.wildnodata2nsecafterdata.out
+rm -f ./minimal.nxdomain.out
+rm -f ./black.out
+rm -f ./xml.out*
+rm -f ./json.out*
diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
new file mode 100644
index 0000000..61dfcf8
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 5
+@ NS ns1
+ns1 A 10.53.0.1
+a A 10.53.0.1
+dname DNAME example.
diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in
new file mode 100644
index 0000000..79d5c27
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ NS ns1
+ns1 A 10.53.0.1
+nodata TXT nodata
+*.wild-a A 1.2.3.4
+*.wild-cname CNAME ns1
+*.wild-1-nsec A 1.2.3.4
+*.wild-2-nsec A 1.2.3.4
+_x.wild-2-nsec TXT a name beween wild-2-nsec and a.wild-2-nsec
+*.wild-2-nsec-afterdata A 1.2.3.4
+*.wild-2-nsec-afterdata AAAA 2002::1
+_x.wild-2-nsec-afterdata TXT a name beween wild-2-nsec-afterdata and a.wild-2-nsec-afterdata
+dnamed DNAME dnamed.
diff --git a/bin/tests/system/synthfromdnssec/ns1/minimal.db.in b/bin/tests/system/synthfromdnssec/ns1/minimal.db.in
new file mode 100644
index 0000000..2df3890
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/minimal.db.in
@@ -0,0 +1,46 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+minimal. 3600 SOA ns1.minimal. hostmaster.minimal. (
+ 1 ; serial
+ 3600 ; refresh (1 hour)
+ 1200 ; retry (20 minutes)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (1 hour)
+ )
+ 3600 NS ns1.minimal.
+ 3600 NSEC badtypemap.minimal. NS SOA RRSIG NSEC DNSKEY
+; bad NSEC type map without RRSIG or NSEC
+badtypemap.minimal. 3600 NSEC black.minimal. A
+badtypemap.minimal. 3600 A 1.2.3.4
+badtypemap.minimal. 3600 AAAA 2002::1
+; cloudflare black lie
+black.minimal. 3600 NSEC \000.black.minimal. RRSIG NSEC
+;
+dnamed.minimal. 3600 DNAME dnamed.
+ 3600 NSEC insecure.minimal. DNAME RRSIG NSEC
+insecure.minimal. 3600 NS ns1.insecure.minimal.
+ 3600 NSEC nodata.minimal. NS RRSIG NSEC
+nodata.minimal. 3600 TXT "nodata"
+ 3600 NSEC ns1.minimal. TXT RRSIG NSEC
+; incomplete chain pointing at non-existent ns2.minimal
+ns1.minimal. 3600 A 10.53.0.1
+ 3600 NSEC ns2.minimal. A RRSIG NSEC
+; minimal response for nxdomain.minimal.
+nxdomaia.minimal. 3600 NSEC nxdomaiz.minimal. RRSIG NSEC
+;
+*.wild-a.minimal. 3600 A 1.2.3.4
+ 3600 NSEC *.wild-cname.minimal. A RRSIG NSEC
+*.wild-cname.minimal. 3600 CNAME ns1.minimal.
+ 3600 NSEC minimal. CNAME RRSIG NSEC
+; glue
+ns1.insecure.minimal. 3600 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
new file mode 100644
index 0000000..9a86e24
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.1 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+};
+
+zone "insecure.example" {
+ type primary;
+ file "insecure.example.db.signed";
+};
+
+zone "dnamed" {
+ type primary;
+ file "dnamed.db.signed";
+};
+
+zone "minimal" {
+ type primary;
+ file "minimal.db.signed";
+};
+
+zone "soa-without-dnskey" {
+ type primary;
+ file "soa-without-dnskey.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in
new file mode 100644
index 0000000..bade656
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ NS ns1
+ns1 A 10.53.0.1
+example NS ns1.example
+fun NS ns1.example
+ns1.example A 10.53.0.1
+dnamed NS ns1.dnamed
+ns1.dnamed A 10.53.0.1
+minimal NS ns1.minimal
+ns1.minimal A 10.53.0.1
+soa-without-dnskey NS ns1.soa-without-dnskey
+ns1.soa-without-dnskey A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
new file mode 100644
index 0000000..9f699a0
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -0,0 +1,76 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+zone=example
+infile=example.db.in
+zonefile=example.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+echo insecure NS ns1.insecure >> "$zonefile"
+echo ns1.insecure A 10.53.0.1 >> "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=insecure.example
+infile=example.db.in
+zonefile=insecure.example.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=dnamed
+infile=dnamed.db.in
+zonefile=dnamed.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=minimal
+infile=minimal.db.in
+zonefile=minimal.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+# do not regenerate NSEC chain as there in a minimal NSEC record present
+$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null
+
+zone=soa-without-dnskey
+infile=soa-without-dnskey.db.in
+zonefile=soa-without-dnskey.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+# do not regenerate NSEC chain as there in a minimal NSEC record present
+$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in
new file mode 100644
index 0000000..a8ad40c
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+soa-without-dnskey. 3600 SOA ns1.soa-without-dnskey. hostmaster.soa-without-dnskey. (
+ 1 ; serial
+ 3600 ; refresh (1 hour)
+ 1200 ; retry (20 minutes)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (1 hour)
+ )
+ 3600 NS ns1.soa-without-dnskey.
+ 3600 NSEC ns1.soa-without-dnskey. NS SOA RRSIG NSEC
+ns1.soa-without-dnskey. 3600 A 10.53.0.1
+ 3600 NSEC soa-without-dnskey. A RRSIG NSEC
diff --git a/bin/tests/system/synthfromdnssec/ns2/example.internal.db b/bin/tests/system/synthfromdnssec/ns2/example.internal.db
new file mode 100644
index 0000000..938159b
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/example.internal.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns2 hostmaster 1 3600 1200 604800 3600
+@ NS ns2
+@ A 1.2.3.4
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
new file mode 100644
index 0000000..f4b5059
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+zone "example.internal" {
+ type primary;
+ file "example.internal.db";
+};
+
+zone "example.internal2" {
+ type primary;
+ file "example.internal.db";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns2/root.hints b/bin/tests/system/synthfromdnssec/ns2/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns3/named.conf.in b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
new file mode 100644
index 0000000..874143a
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.3 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns3/redirect.db b/bin/tests/system/synthfromdnssec/ns3/redirect.db
new file mode 100644
index 0000000..c529ad2
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/redirect.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*.redirect. IN A 100.100.100.2
+*.redirect. IN AAAA 2001:ffff:ffff::100.100.100.2
diff --git a/bin/tests/system/synthfromdnssec/ns3/root.hints b/bin/tests/system/synthfromdnssec/ns3/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
new file mode 100644
index 0000000..c9d9210
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ synth-from-dnssec no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.4 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns4/root.hints b/bin/tests/system/synthfromdnssec/ns4/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns5/internal2.db b/bin/tests/system/synthfromdnssec/ns5/internal2.db
new file mode 100644
index 0000000..4f07f70
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/internal2.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns5 hostmaster 1 3600 1200 604800 3600
+@ NS ns5
+ns5 A 10.53.0.5
+example NS ns2.example
+ns2.example A 10.53.0.2
diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
new file mode 100644
index 0000000..4249548
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ synth-from-dnssec yes;
+ validate-except { example.internal; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.5 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+zone "example.internal" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.2; };
+};
+
+zone "internal2" {
+ type primary;
+ file "internal2.db";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns5/root.hints b/bin/tests/system/synthfromdnssec/ns5/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns6/named.conf.in b/bin/tests/system/synthfromdnssec/ns6/named.conf.in
new file mode 100644
index 0000000..c10e0f7
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns6/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation no;
+ synth-from-dnssec yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+statistics-channels {
+ inet 10.53.0.6 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns6/root.hints b/bin/tests/system/synthfromdnssec/ns6/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns6/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh
new file mode 100644
index 0000000..d109871
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/setup.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
new file mode 100644
index 0000000..1bfd00b
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -0,0 +1,904 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# set -e
+#
+# shellcheck source=conf.sh
+. ../conf.sh
+
+RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+
+set -e
+
+status=0
+n=1
+synth_default=yes
+
+rm -f dig.out.*
+
+dig_with_opts() {
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+check_ad_flag() {
+ if [ ${1} = yes ]
+ then
+ grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1
+ else
+ grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1
+ fi
+ return 0
+}
+
+check_status() {
+ grep "status: ${1}," ${2} > /dev/null || return 1
+ return 0
+}
+
+check_synth_soa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_soa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_a() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_a() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_aaaa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_aaaa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_cname() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_cname() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_auth_count() {
+ grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1
+ return 0
+}
+
+for ns in 2 4 5 6
+do
+ case $ns in
+ 2) ad=yes; description="<default>";;
+ 4) ad=yes; description="no";;
+ 5) ad=yes; description="yes";;
+ 6) ad=no; description="yes; dnssec-validation no";;
+ *) exit 1;;
+ esac
+ echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+done
+
+echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag no dig.out.ns3.test$n || ret=1
+check_status NOERROR dig.out.ns3.test$n || ret=1
+grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# ensure TTL of synthesised answers differs from direct answers.
+#
+sleep 1
+
+for ns in 2 4 5 6
+do
+ case $ns in
+ 2) ad=yes synth=${synth_default} description="<default>";;
+ 4) ad=yes synth=no description="no";;
+ 5) ad=yes synth=yes description="yes";;
+ 6) ad=no synth=no description="yes; dnssec-validation no";;
+ *) exit 1;;
+ esac
+ echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1
+ fi
+ digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1
+ else
+ check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1
+ fi
+ digcomp wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1
+ else
+ check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1
+ fi
+ grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1
+ fi
+ digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
+ digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
+ grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1
+ digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
+ digcomp black.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
+ # 2 views, _bind should always be '0 covering nsec returned'
+ count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes'
+ count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in NXDOMAIN no-data wildcard
+ do
+ case $synthesized in
+ NXDOMAIN) count=1;;
+ no-data) count=4;;
+ wildcard) count=2;;
+ esac
+ echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1
+ else
+ grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+
+ if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then
+ echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ xml=xml.out$n
+ ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
+ count=$(echo "$counter" | grep CoveringNSEC | wc -l)
+ test $count = 1 || ret=1
+ zero=$(echo "$counter" | grep ">0<" | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 0 || ret=1
+ else
+ test $zero = 1 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
+ count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
+ test $count = 1 || ret=1
+ zero=$(echo "$counter" | grep ">0<" | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 0 || ret=1
+ else
+ test $zero = 1 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
+ do
+ case $synthesized in
+ SynthNXDOMAIN) count=1;;
+ SynthNODATA) count=4;;
+ SynthWILDCARD) count=2;;
+ esac
+
+ echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1
+ else
+ grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+ else
+ echo_i "Skipping XML statistics checks"
+ fi
+
+ if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then
+ echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ json=json.out$n
+ ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ count=$(grep '"CoveringNSEC":' $json | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep '"CoveringNSEC":0' $json | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ count=$(grep '"CacheNSECNodes":' $json | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
+ do
+ case $synthesized in
+ SynthNXDOMAIN) count=1;;
+ SynthNODATA) count=4;;
+ SynthWILDCARD) count=2;;
+ esac
+
+ echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1
+ else
+ grep '"'$synthesized'":' $json > /dev/null && ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+ else
+ echo_i "Skipping JSON statistics checks"
+ fi
+done
+
+echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+synth=${synth_default}
+dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag yes dig.out.ns3.test$n || ret=1
+check_status NXDOMAIN dig.out.ns3.test$n || ret=1
+if [ ${synth} = yes ]
+then
+ check_synth_soa . dig.out.ns3.test$n || ret=1
+else
+ check_nosynth_soa . dig.out.ns3.test$n || ret=1
+fi
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag no dig.out.ns3.test$n || ret=1
+check_status NOERROR dig.out.ns3.test$n || ret=1
+grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
+ret=0
+dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
+dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+check_status NOERROR dig.out.ns5-1.test$n || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "regression test for CVE-2022-0635 ($n)"
+ret=0
+# add DNAME to cache
+dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1
+# add A record to cache at name before DNAME owner
+dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+# add NSEC record to cache at name before DNAME owner
+dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1
+# wait for NSEC to timeout
+sleep 6
+# use DNAME for lookup
+dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)"
+ret=0
+#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
+dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
+grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
+#perform lookup in grafted zone
+dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)"
+ret=0
+#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
+dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
+grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
+#perform lookup in grafted zone
+dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py b/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py
new file mode 100644
index 0000000..5cbf848
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_synthfromdnssec(run_tests_sh):
+ run_tests_sh()