#!/bin/sh
#
# Copyright (C) 2004, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001  Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id$

# Pull in the shared system-test configuration from the parent directory.
# $DIG, $NSUPDATE and $RNDC are used below but never assigned in this
# script, so they are presumably provided by conf.sh.
SYSTEMTESTTOP=..
. "${SYSTEMTESTTOP}/conf.sh"

# n numbers the later checks and is embedded in their output file names;
# status collects failures and becomes the exit code of the script.
n=0
status=0

# Negative answers that cannot be cached must still reach the client with
# the right rcode. A check passes only when dig exits 0 and the expected
# "status:" line is present in its output.
echo "I:checking non-cachable NXDOMAIN response handling"
if $DIG +tcp nxdomain.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NXDOMAIN" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# NOTE(review): only the rcode is asserted here; the answer count is not
# inspected, so a NOERROR response that carries data would pass as well.
echo "I:checking non-cachable NODATA response handling"
if $DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))
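# Crash-regression checks against the server at 10.53.0.1. The response
# content is discarded on purpose: the only question is whether the server
# survives the query, i.e. whether a remote client can take it down.
# Each failure prints "I:failed" and is added to the running status count,
# like the checks before it, so a crash is visible in the log and does not
# overwrite failures recorded earlier.
echo "I:checking handling of bogus referrals"
# If the server has the "INSIST(!external)" bug, this query will kill it.
ret=0
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:check handling of cname + other data / 1"
ret=0
$DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I:check handling of cname + other data / 2"
ret=0
$DIG +tcp cname2.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))

# Liveness probe: repeats the first query so that a server killed by any of
# the three queries above is detected even if that query itself got a reply.
echo "I:check that server is still running"
ret=0
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo "I:failed"; fi
status=$((status + ret))
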
# Answer-address filtering: lookups for www.example.net must be refused with
# SERVFAIL for both A and AAAA, while www.example.org must still resolve.
# The accept cases matter as much as the deny cases: they show the filter is
# selective rather than failing every lookup.
# NOTE(review): presumably driven by a deny-answer-addresses rule in the
# configuration of the server at 10.53.0.1, which is not part of this
# script - confirm there.
echo "I:checking answer IPv4 address filtering (deny)"
if $DIG +tcp www.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: SERVFAIL" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking answer IPv6 address filtering (deny)"
if $DIG +tcp www.example.net @10.53.0.1 aaaa -p 5300 >dig.out &&
	grep "status: SERVFAIL" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking answer IPv4 address filtering (accept)"
if $DIG +tcp www.example.org @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking answer IPv6 address filtering (accept)"
if $DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# Alias-target filtering: a CNAME or DNAME whose target is disallowed must
# end in SERVFAIL, an allowed target must resolve, and an alias whose target
# lies under the owner's own domain ("accept due to subdomain") must resolve
# as well.
# NOTE(review): presumably driven by a deny-answer-aliases rule in the
# configuration of the server at 10.53.0.1, which is not part of this
# script - confirm there.
echo "I:checking CNAME target filtering (deny)"
if $DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: SERVFAIL" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking CNAME target filtering (accept)"
if $DIG +tcp goodcname.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking CNAME target filtering (accept due to subdomain)"
if $DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking DNAME target filtering (deny)"
if $DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: SERVFAIL" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking DNAME target filtering (accept)"
if $DIG +tcp foo.gooddname.example.net @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

echo "I:checking DNAME target filtering (accept due to subdomain)"
if $DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 >dig.out &&
	grep "status: NOERROR" dig.out >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# RT21594 regression checks. The first step validates the fixture itself:
# the server at 10.53.0.4 must answer without the "aa" flag, otherwise the
# three checks that follow would not be exercising non-authoritative
# answers at all.
n=$((n + 1))
echo "I: RT21594 regression test check setup ($n)"
if $DIG +tcp . @10.53.0.4 soa -p 5300 >dig.ns4.out.${n} &&
	grep 'flags: qr rd;' dig.ns4.out.${n} >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# The resolver at 10.53.0.5 must accept a non-authoritative positive answer.
n=$((n + 1))
echo "I: RT21594 regression test positive answers ($n)"
if $DIG +tcp . @10.53.0.5 soa -p 5300 >dig.ns5.out.${n} &&
	grep "status: NOERROR" dig.ns5.out.${n} >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# ... and a non-authoritative NODATA answer.
n=$((n + 1))
echo "I: RT21594 regression test NODATA answers ($n)"
if $DIG +tcp . @10.53.0.5 txt -p 5300 >dig.ns5.out.${n} &&
	grep "status: NOERROR" dig.ns5.out.${n} >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

# ... and a non-authoritative NXDOMAIN answer.
n=$((n + 1))
echo "I: RT21594 regression test NXDOMAIN answers ($n)"
if $DIG +tcp noexistant @10.53.0.5 txt -p 5300 >dig.ns5.out.${n} &&
	grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null
then
	ret=0
else
	ret=1
	echo "I:failed"
fi
status=$((status + ret))

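# Four-step cache scenario against the resolver at 10.53.0.7. While the
# steps run, ret records which step failed last (1-4); it is collapsed to 1
# and added to status exactly once at the end, so a failure is reported and
# counted a single time.
# Every step writes to the same dig.ns7.out.${n} file, so after a failure
# only the output of the last query is left for inspection.
n=$((n + 1))
echo "I:check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
# Step 1: prime the cache with the MX answer.
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
if [ "$ret" = 1 ]; then echo "I:mx priming failed"; fi
# Swap mail.example.net's A record for an AAAA record via 10.53.0.6.
# The exit status of the update is not checked; a rejected update shows up
# as a non-empty answer in step 2.
$NSUPDATE << EOF
server 10.53.0.6 5300
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
# Step 2: the A lookup must now be NOERROR with an empty answer section,
# which puts a negative (no data) entry into the cache.
$DIG +tcp a mail.example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
if [ "$ret" = 2 ]; then echo "I:ncache priming failed"; fi
# Step 3: ask for the MX again.
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
# Step 4: a non-recursive RRSIG query must find nothing left in the cache
# for mail.example.net.
$DIG +tcp rrsig mail.example.net +norec @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=4
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
if [ "$ret" != 0 ]; then echo "I:failed"; ret=1; fi
status=$((status + ret))
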
# The resolver at 10.53.0.7 must follow a changed nameserver address at
# once. Before the update the TXT answer has to carry the marker
# "From NS 5"; after ns.server's A record is repointed to 10.53.0.4 a fresh
# name in the same zone has to answer with "From NS 4".
# NOTE(review): the fixed one-second sleep makes this check timing
# dependent.
n=$((n + 1))
echo "I:checking that update a nameservers address has immediate effects ($n)"
ret=0
{ $DIG +tcp TXT foo.moves @10.53.0.7 -p 5300 >dig.ns7.foo.${n} &&
	grep "From NS 5" dig.ns7.foo.${n} >/dev/null; } || ret=1
$NSUPDATE <<EOF
server 10.53.0.7 5300
zone server
update delete ns.server A
update add ns.server 300 A 10.53.0.4
send
EOF
sleep 1
{ $DIG +tcp TXT bar.moves @10.53.0.7 -p 5300 >dig.ns7.bar.${n} &&
	grep "From NS 4" dig.ns7.bar.${n} >/dev/null; } || ret=1

if [ "$ret" -ne 0 ]; then
	echo "I:failed"
	status=1
fi

# Same scenario for glue: once ns.child.server's A record is repointed to
# 10.53.0.4, a fresh name under child.server must be answered with the
# marker "From NS 4" instead of "From NS 5".
# NOTE(review): the fixed one-second sleep makes this check timing
# dependent.
n=$((n + 1))
echo "I:checking that update a nameservers glue has immediate effects ($n)"
ret=0
{ $DIG +tcp TXT foo.child.server @10.53.0.7 -p 5300 >dig.ns7.foo.${n} &&
	grep "From NS 5" dig.ns7.foo.${n} >/dev/null; } || ret=1
$NSUPDATE <<EOF
server 10.53.0.7 5300
zone server
update delete ns.child.server A
update add ns.child.server 300 A 10.53.0.4
send
EOF
sleep 1
{ $DIG +tcp TXT bar.child.server @10.53.0.7 -p 5300 >dig.ns7.bar.${n} &&
	grep "From NS 4" dig.ns7.bar.${n} >/dev/null; } || ret=1

if [ "$ret" -ne 0 ]; then
	echo "I:failed"
	status=1
fi

# Reverse lookups for RFC 1918 addresses must be answered by the resolver at
# 10.53.0.7 itself, which shows as the "aa" flag in the reply. One zone
# (172.20) has been deliberately disabled and must come back without "aa".
# Each entry below is <file index>:<address>; the indices skip 10 and the
# files are called dig.ns4.out.* although 10.53.0.7 is queried, both exactly
# as in the original file names.
n=$((n + 1))
echo "I:checking empty RFC 1918 reverse zones ($n)"
ret=0
for pair in \
	1:10.1.1.1 2:192.168.1.1 3:172.16.1.1 4:172.17.1.1 5:172.18.1.1 \
	6:172.19.1.1 7:172.21.1.1 8:172.22.1.1 9:172.23.1.1 11:172.24.1.1 \
	12:172.25.1.1 13:172.26.1.1 14:172.27.1.1 15:172.28.1.1 \
	16:172.29.1.1 17:172.30.1.1 18:172.31.1.1
do
	idx=${pair%%:*}
	addr=${pair#*:}
	outfile=dig.ns4.out.${idx}.${n}
	$DIG @10.53.0.7 -p 5300 -x "$addr" >"$outfile" || ret=1
	grep 'flags: qr aa rd ra;' "$outfile" >/dev/null || ret=1
done
# The disabled zone: the reply must NOT be authoritative.
outfile=dig.ns4.out.19.${n}
$DIG @10.53.0.7 -p 5300 -x 172.20.1.1 >"$outfile" || ret=1
grep 'flags: qr rd ra;' "$outfile" >/dev/null || ret=1
if [ "$ret" -ne 0 ]; then
	echo "I:failed"
	status=1
fi

# Once a delegation is gone from the parent zone, the resolver at 10.53.0.5
# must stop resolving names below it, even while the child zone keeps
# rotating its NS records. The loop makes up to ten attempts: it resolves
# the current nameserver name, re-queries www, and stops as soon as www
# returns NXDOMAIN; otherwise it adds NS ns<i> and deletes the previous one.
# NOTE(review): presumably guards against a removed delegation being kept
# alive in the cache through NS-record churn; ns4/tld2.db is assumed to be
# the parent zone without the delegation - neither is visible here.
n=$((n + 1))
echo "I:checking that removal of a delegation is honoured ($n)"
ret=0
# Prime the cache while the delegation still exists.
$DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A >dig.ns5.prime.${n}
if ! grep "status: NOERROR" dig.ns5.prime.${n} >/dev/null; then
	ret=1
	echo "I: priming failed"
fi
# Install the replacement zone file and have 10.53.0.4 reload "tld".
cp ns4/tld2.db ns4/tld.db
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reload tld 2>&1 |
	sed -e '/reload queued/d' -e 's/^/I:ns4 /'
old=
for i in 0 1 2 3 4 5 6 7 8 9; do
	still_resolving=0
	$DIG -p 5300 @10.53.0.5 ns$i.to-be-removed.tld A >/dev/null
	$DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A >dig.ns5.out.${n}
	grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || still_resolving=1
	if [ "$still_resolving" = 0 ]; then
		break
	fi
	# On the first pass $old is empty, so the name deleted is
	# ns.to-be-removed.tld.
	$NSUPDATE <<EOF
server 10.53.0.6 5300
zone to-be-removed.tld
update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
send
EOF
	old=$i
	sleep 1
done
# A priming failure stays a failure; otherwise the last attempt decides.
if [ "$ret" = 0 ]; then
	ret=$still_resolving
fi
if [ "$ret" != 0 ]; then
	echo "I:failed"
	status=1
fi

# Report the accumulated result and hand it to the caller as the exit code;
# any non-zero value means at least one check failed.
printf 'I:exit status: %s\n' "$status"

exit "$status"