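#!/bin/sh
#
# Copyright (C) 2004, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001  Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id$

# Resolver system test driver.
#
# Sends queries to the test name servers on 10.53.0.x port 5300 and checks the
# response status/flags that come back.  Each check prints an "I:" progress
# line, prints "I:failed" when it does not see the expected result, and the
# script exits non-zero if any check failed.
#
# Expects conf.sh to provide DIG, NSUPDATE and RNDC.  These are expanded
# unquoted on purpose: conf.sh is not visible here, so they are used exactly
# as the original script used them.
#
# Backticks and expr are kept (rather than $(...) / $((...))) because the
# script runs under plain /bin/sh and uses no newer syntax anywhere else.
#
# NOTE(review): dig.out is reused by the early checks, so only the output of
# the most recent query is left on disk when investigating a failure.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

echo "I:checking non-cachable NXDOMAIN response handling"
ret=0
$DIG +tcp nxdomain.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NXDOMAIN" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking non-cachable NODATA response handling"
ret=0
$DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The next four checks are crash regressions: the queries only need to be
# answered at all.  They now report "I:failed" like every other check, so a
# resolver that died shows up in the log and not only in the exit status.
echo "I:checking handling of bogus referrals"
ret=0
# If the server has the "INSIST(!external)" bug, this query will kill it.
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check handling of cname + other data / 1"
ret=0
$DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check handling of cname + other data / 2"
ret=0
$DIG +tcp cname2.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Repeats the bogus-referral query: if any of the three queries above took
# the server down, this one gets no answer and dig exits non-zero.
echo "I:check that server is still running"
ret=0
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Answer filtering: a response whose address or alias target is denied must be
# turned into SERVFAIL, while an accepted one must still resolve (NOERROR).
# NOTE(review): presumably driven by deny-answer-addresses /
# deny-answer-aliases in the 10.53.0.1 server's configuration (the usual
# DNS-rebinding defence), with the "accept due to subdomain" cases covered by
# an exception list -- confirm against that server's named.conf.
echo "I:checking answer IPv4 address filtering (deny)"
ret=0
$DIG +tcp www.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv6 address filtering (deny)"
ret=0
$DIG +tcp www.example.net @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv4 address filtering (accept)"
ret=0
$DIG +tcp www.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv6 address filtering (accept)"
ret=0
$DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (deny)"
ret=0
$DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (accept)"
ret=0
$DIG +tcp goodcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (accept due to subdomain)"
ret=0
$DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (deny)"
ret=0
$DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (accept)"
ret=0
$DIG +tcp foo.gooddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (accept due to subdomain)"
ret=0
$DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# From here on each check is numbered, and its dig output is kept in a file
# suffixed with that number.
n=`expr $n + 1`
echo "I: RT21594 regression test check setup ($n)"
ret=0
# Check that "aa" is not being set by the authoritative server.
$DIG +tcp . @10.53.0.4 soa -p 5300 > dig.ns4.out.${n} || ret=1
grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test positive answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
$DIG +tcp . @10.53.0.5 soa -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test NODATA answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative nodata answers.
$DIG +tcp . @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test NXDOMAIN answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative NXDOMAIN answers.
$DIG +tcp noexistant @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
# Step 1: prime the cache with the MX answer.
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
if [ $ret = 1 ]; then echo "I:mx priming failed"; fi
# Step 2: replace mail.example.net's A record with an AAAA record on
# 10.53.0.6, so a later A query gets a NODATA answer.
# NOTE(review): the nsupdate exit status is not checked; a failed update only
# shows up through the dig checks below.
$NSUPDATE << EOF
server 10.53.0.6 5300
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
# Step 3: the A query must now come back NOERROR with an empty answer section.
$DIG +tcp a mail.example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
if [ $ret = 2 ]; then echo "I:ncache priming failed"; fi
# Step 4: repeat the MX query, then ask for the RRSIGs with +norec; the
# RRSIG query must return an empty answer section.
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
$DIG +tcp rrsig mail.example.net +norec @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=4
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
# ret records which step failed (1-4); collapse it to 1 so this check adds at
# most one to status.  The original repeated the two lines below, which
# printed "I:failed" twice and counted the same failure twice.
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that update a nameservers address has immediate effects ($n)"
ret=0
# Before the update the TXT answer is expected to contain "From NS 5".
$DIG +tcp TXT foo.moves @10.53.0.7 -p 5300 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
$NSUPDATE << EOF
server 10.53.0.7 5300
zone server
update delete ns.server A
update add ns.server 300 A 10.53.0.4
send
EOF
sleep 1
# After repointing ns.server to 10.53.0.4, a different name in the same zone
# must be answered with "From NS 4".
$DIG +tcp TXT bar.moves @10.53.0.7 -p 5300 > dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; status=1; fi

n=`expr $n + 1`
echo "I:checking that update a nameservers glue has immediate effects ($n)"
ret=0
$DIG +tcp TXT foo.child.server @10.53.0.7 -p 5300 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
$NSUPDATE << EOF
server 10.53.0.7 5300
zone server
update delete ns.child.server A
update add ns.child.server 300 A 10.53.0.4
send
EOF
sleep 1
$DIG +tcp TXT bar.child.server @10.53.0.7 -p 5300 > dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; status=1; fi

n=`expr $n + 1`
echo "I:checking empty RFC 1918 reverse zones ($n)"
ret=0
# Check that "aa" is being set by the resolver for RFC 1918 zones
# except the one that has been deliberately disabled
# (the output files are numbered 1-9 and 11-19; there is no .10 file).
$DIG @10.53.0.7 -p 5300 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.16.1.1 > dig.ns4.out.3.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.30.1.1 > dig.ns4.out.17.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1
$DIG @10.53.0.7 -p 5300 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1
# but this one should NOT be authoritative
$DIG @10.53.0.7 -p 5300 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1
grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; status=1; fi

n=`expr $n + 1`
echo "I:checking that removal of a delegation is honoured ($n)"
ret=0
# Prime the resolver while the delegation still exists.  The exit status of
# dig is not tested here; the grep on its output decides.
$DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n}
grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo "I: priming failed"; }
# Swap in the second version of the tld zone file and reload it on 10.53.0.4.
cp ns4/tld2.db ns4/tld.db
($RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reload tld 2>&1 ) |
sed -e '/reload queued/d' -e 's/^/I:ns4 /'
old=
# Up to ten attempts: stop as soon as the resolver answers NXDOMAIN; otherwise
# rotate the child zone's NS record (add ns$i, drop the previous one) and
# retry after a second.
for i in 0 1 2 3 4 5 6 7 8 9
do
	foo=0
	$DIG -p 5300 @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null
	$DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n}
	grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1
	[ $foo = 0 ] && break
	# On the first pass $old is empty, so the delete line names
	# "ns.to-be-removed.tld".
	$NSUPDATE << EOF
server 10.53.0.6 5300
zone to-be-removed.tld
update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
send
EOF
	old=$i
	sleep 1
done
# foo is still 1 if no attempt ever saw NXDOMAIN.
[ $ret = 0 ] && ret=$foo;
if [ $ret != 0 ]; then echo "I:failed"; status=1; fi

echo "I:exit status: $status"

exit $status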