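#!/bin/sh
#
# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id$

# DNSSEC validation system test.
#
# Each check below sends queries with $DIG $DIGOPTS to the test name servers
# on 10.53.0.2 .. 10.53.0.5 (port 5300), saves every reply in
# dig.out.<server>.test<n>, then compares replies with ../digcomp.pl and/or
# greps them for the expected status and flags.  A check prints
# "I:checking ... (<n>)" first, "I:failed" when it does not hold, and adds
# its result (0 or 1) to $status; $n is the running check number.
#
# $DIG and $PERL are not set here; they are expected to come from conf.sh.
# The AD-flag assertions are made on replies from 10.53.0.4 (and 10.53.0.5
# for the +cdflag checks); "flags:.*ad.*QUERY" matches the AD flag in the
# header line dig prints.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=1

rm -f dig.out.*

DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"

#######################################
# Convert private-type (TYPE65534) signing-state records to readable form.
# Arguments: $1 - zone name to query
#            $2 - server address to query
# Outputs:   a "-- <args> --" banner, then one line per record:
#            "<signing|removing>: alg: <alg>, key: <keyid> (complete|incomplete)"
# Each record's rdata must be exactly 5 bytes (alg, 16-bit key id, remove
# flag, complete flag); perl dies on anything else.
#######################################
showprivate () {
    # "$*" joins the arguments into one word; "$@" inside a string with other
    # text is not well defined in POSIX sh.
    echo "-- $* --"
    # cut keeps the hex rdata field of dig's "\# 5 <hex>" +short output.
    $DIG $DIGOPTS +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' |
    while read -r record; do
        # "--" ends perl's option parsing so the record is always data.
        perl -e 'my $rdata = pack("H*", $ARGV[0]);
                 die "invalid record" unless length($rdata) == 5;
                 my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                 my $action = "signing";
                 $action = "removing" if $remove;
                 my $state = " (incomplete)";
                 $state = " (complete)" if $complete;
                 print ("$action: alg: $alg, key: $key$state\n");' -- "$record"
    done
}

#######################################
# Check that all signing records of a zone are marked as complete.
# Arguments: same as showprivate ($1 zone, $2 server)
# Outputs:   on failure, the showprivate listing and "I:failed"
# Returns:   0 when no record is "(incomplete)", 1 otherwise
#######################################
checkprivate () {
    ret=0
    x=$(showprivate "$@")
    # grep to /dev/null rather than to a closed descriptor (>&-): a grep
    # that reports a write error would exit non-zero and the match would
    # be lost.
    printf '%s\n' "$x" | grep incomplete > /dev/null 2>&1 && ret=1
    if [ $ret = 1 ]; then
        echo "$x"
        echo "I:failed"
    fi
    return $ret
}

# Check the example. domain

# Retry for up to 9 seconds until ns2 and ns3 agree on a.example.
echo "I:checking that zone transfer worked ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
    $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
    $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
    [ $ret = 0 ] && break
    sleep 1
done
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The authoritative server must not set AD on its own answer.
echo "I:checking for AD in authoritative answer ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation NSEC ($n)"
ret=0
$DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NOTE(review): this check is identical to the previous one; it is kept so
# that the check numbering in the output does not shift.
echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS a.wild.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.wild.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NXDOMAIN NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NODATA NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NODATA NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation NSEC ($n)"
ret=0
$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS b.wild.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS b.wild.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the insecure.example domain
# (insecure delegations: the answer must validate as insecure, so no AD)

echo "I:checking 1-server insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server insecurity proof NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server insecurity proof OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# "SOA hack": the NXDOMAIN reply is expected to carry a TTL-0 SOA record.
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
ret=0
$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
ret=0
$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the secure.example domain
# (every parent/child NSEC, NSEC3 and OPTOUT combination must validate with AD)

echo "I:checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# The AD assertion is intentionally disabled for this case.
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the bogus domain
# (a validating resolver must answer SERVFAIL, never the bogus data)

echo "I:checking failed validation ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Try validating with a bad trusted key.
# This should fail.

echo "I:checking that validation fails with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation fails when key record is missing ($n)"
ret=0
$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A +cd (checking disabled) query may return unvalidated data, but that
# data must not later be served to a query that asks for validation.
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
#check: requery with +CD.  pending data should be returned even if it's bogus
expect="a.example.
10.0.0.1"
ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
#check: requery without +CD.  bogus cached data should be rejected.
$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
ret=0
#prime
$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
#check: requery with +CD.  pending data should be returned even if it's bogus
expect="example.
a.example.
10.0.0.1"
ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
#check: requery without +CD.  bogus cached data should be rejected.
$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the insecure.secure.example domain (insecurity proof)

echo "I:checking 2-server insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check a negative response in insecure.secure.example

echo "I:checking 2-server insecurity proof with a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
	|| ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
	|| ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check that the query for a security root is successful and has ad set

echo "I:checking security root query ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check that the setting the cd bit works
# (with +cdflag the reply from 10.53.0.5 must match 10.53.0.4's but carry no AD)

echo "I:checking cd bit on a positive answer ($n)"
ret=0
$DIG $DIGOPTS +noauth example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation RSASHA256 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation RSASHA512 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag a.bogus.example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on an insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a negative insecurity proof ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation of an ANY query works ($n)"
ret=0
$DIG $DIGOPTS +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# 2 records in the zone, 1 NXT, 3 SIGs
grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation of a query returning a CNAME works ($n)"
ret=0
$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth cname1.example.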
txt @10.53.0.4 \ 808 > dig.out.ns4.test$n || ret=1 809$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 810grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 811# the CNAME & its sig, the TXT and its SIG 812grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 813n=`expr $n + 1` 814if [ $ret != 0 ]; then echo "I:failed"; fi 815status=`expr $status + $ret` 816 817echo "I:checking that validation of a query returning a DNAME works ($n)" 818ret=0 819$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \ 820 > dig.out.ns2.test$n || ret=1 821$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \ 822 > dig.out.ns4.test$n || ret=1 823$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 824grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 825# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. 826# It would be nice to test that the CNAME is being synthesized by the 827# recursive server and not cached, but I don't know how. 828grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 829n=`expr $n + 1` 830if [ $ret != 0 ]; then echo "I:failed"; fi 831status=`expr $status + $ret` 832 833echo "I:checking that validation of an ANY query returning a CNAME works ($n)" 834ret=0 835$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \ 836 > dig.out.ns2.test$n || ret=1 837$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \ 838 > dig.out.ns4.test$n || ret=1 839$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 840grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 841# The CNAME, NXT, and their SIGs 842grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 843n=`expr $n + 1` 844if [ $ret != 0 ]; then echo "I:failed"; fi 845status=`expr $status + $ret` 846 847echo "I:checking that validation of an ANY query returning a DNAME works ($n)" 848ret=0 849$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \ 850 > dig.out.ns2.test$n || ret=1 851$DIG $DIGOPTS +noauth foo.dname2.example. 
any @10.53.0.4 \ 852 > dig.out.ns4.test$n || ret=1 853$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 854grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 855n=`expr $n + 1` 856if [ $ret != 0 ]; then echo "I:failed"; fi 857status=`expr $status + $ret` 858 859echo "I:checking that positive validation in a privately secure zone works ($n)" 860ret=0 861$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ 862 > dig.out.ns2.test$n || ret=1 863$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ 864 > dig.out.ns4.test$n || ret=1 865$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 866grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 867# Note - this is looking for failure, hence the && 868grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 869n=`expr $n + 1` 870if [ $ret != 0 ]; then echo "I:failed"; fi 871status=`expr $status + $ret` 872 873echo "I:checking that negative validation in a privately secure zone works ($n)" 874ret=0 875$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ 876 > dig.out.ns2.test$n || ret=1 877$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ 878 > dig.out.ns4.test$n || ret=1 879$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 880grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 881# Note - this is looking for failure, hence the && 882grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 883n=`expr $n + 1` 884if [ $ret != 0 ]; then echo "I:failed"; fi 885status=`expr $status + $ret` 886 887echo "I:checking that lookups succeed after disabling a algorithm works ($n)" 888ret=0 889$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \ 890 > dig.out.ns2.test$n || ret=1 891$DIG $DIGOPTS +noauth example. 
SOA @10.53.0.6 \ 892 > dig.out.ns6.test$n || ret=1 893$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 894# Note - this is looking for failure, hence the && 895grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 896n=`expr $n + 1` 897if [ $ret != 0 ]; then echo "I:failed"; fi 898status=`expr $status + $ret` 899 900echo "I:checking privately secure to nxdomain works ($n)" 901ret=0 902$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \ 903 > dig.out.ns2.test$n || ret=1 904$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ 905 > dig.out.ns4.test$n || ret=1 906$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 907# Note - this is looking for failure, hence the && 908grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 909n=`expr $n + 1` 910if [ $ret != 0 ]; then echo "I:failed"; fi 911status=`expr $status + $ret` 912 913echo "I:checking privately secure wildcard to nxdomain works ($n)" 914ret=0 915$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \ 916 > dig.out.ns2.test$n || ret=1 917$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ 918 > dig.out.ns4.test$n || ret=1 919$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 920# Note - this is looking for failure, hence the && 921grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 922n=`expr $n + 1` 923if [ $ret != 0 ]; then echo "I:failed"; fi 924status=`expr $status + $ret` 925 926echo "I:checking a non-cachable NODATA works ($n)" 927ret=0 928$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \ 929 > dig.out.ns7.test$n || ret=1 930grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 931$DIG $DIGOPTS +noauth a.nosoa.secure.example. 
txt @10.53.0.4 \ 932 > dig.out.ns4.test$n || ret=1 933grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 934n=`expr $n + 1` 935if [ $ret != 0 ]; then echo "I:failed"; fi 936status=`expr $status + $ret` 937 938echo "I:checking a non-cachable NXDOMAIN works ($n)" 939ret=0 940$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \ 941 > dig.out.ns7.test$n || ret=1 942grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 943$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \ 944 > dig.out.ns4.test$n || ret=1 945grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 946n=`expr $n + 1` 947if [ $ret != 0 ]; then echo "I:failed"; fi 948status=`expr $status + $ret` 949 950# 951# private.secure.example is served by the same server as its 952# grand parent and there is not a secure delegation from secure.example 953# to private.secure.example. In addition secure.example is using a 954# algorithm which the validation does not support. 955# 956echo "I:checking dnssec-lookaside-validation works ($n)" 957ret=0 958$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ 959 > dig.out.ns6.test$n || ret=1 960grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 961n=`expr $n + 1` 962if [ $ret != 0 ]; then echo "I:failed"; fi 963status=`expr $status + $ret` 964 965echo "I:checking that we can load a rfc2535 signed zone ($n)" 966ret=0 967$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ 968 > dig.out.ns2.test$n || ret=1 969grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 970n=`expr $n + 1` 971if [ $ret != 0 ]; then echo "I:failed"; fi 972status=`expr $status + $ret` 973 974echo "I:checking that we can transfer a rfc2535 signed zone ($n)" 975ret=0 976$DIG $DIGOPTS rfc2535.example. 
SOA @10.53.0.3 \ 977 > dig.out.ns3.test$n || ret=1 978grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 979n=`expr $n + 1` 980if [ $ret != 0 ]; then echo "I:failed"; fi 981status=`expr $status + $ret` 982 983echo "I:checking that we can sign a zone with out-of-zone records ($n)" 984ret=0 985( 986cd signer 987RANDFILE=../random.data 988zone=example 989key1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 990key2=`$KEYGEN -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 991cat example.db.in $key1.key $key2.key > example.db 992$SIGNER -o example -f example.db example.db > /dev/null 2>&1 993) || ret=1 994n=`expr $n + 1` 995if [ $ret != 0 ]; then echo "I:failed"; fi 996status=`expr $status + $ret` 997 998echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" 999ret=0 1000( 1001cd signer 1002RANDFILE=../random.data 1003zone=example 1004key1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1005key2=`$KEYGEN -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1006cat example.db.in $key1.key $key2.key > example.db 1007$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 1008grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM" example.db > /dev/null 1009) || ret=1 1010n=`expr $n + 1` 1011if [ $ret != 0 ]; then echo "I:failed"; fi 1012status=`expr $status + $ret` 1013 1014echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)" 1015ret=0 1016( 1017cd signer 1018RANDFILE=../random.data 1019zone=example 1020key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` 1021key2=`$KEYGEN -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone` 1022cat example.db.in $key1.key $key2.key > example.db 1023$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 1024sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed 1025$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 1026) 1027grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 1028n=`expr $n + 1` 1029if [ $ret != 0 ]; then echo "I:failed"; fi 1030status=`expr $status + $ret` 1031 1032echo "I:checking validated data are not cached longer than originalttl ($n)" 1033ret=0 1034$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1035$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 1036grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 1037grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 1038grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 1039grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 1040n=`expr $n + 1` 1041if [ $ret != 0 ]; then echo "I:failed"; fi 1042status=`expr $status + $ret` 1043 1044# Test that "rndc secroots" is able to dump trusted keys 1045echo "I:checking rndc secroots ($n)" 1046ret=0 1047$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /' 1048keyid=`cat ns1/managed.key.id` 1049linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l` 1050[ "$linecount" -eq 1 ] || ret=1 1051linecount=`cat ns4/named.secroots | wc -l` 1052[ "$linecount" -eq 5 ] || ret=1 1053n=`expr $n + 1` 1054if [ $ret != 0 ]; then echo "I:failed"; fi 1055status=`expr $status + $ret` 1056 1057# Check direct query for RRSIG. If we first ask for normal (non RRSIG) 1058# record, the corresponding RRSIG should be cached and subsequent query 1059# for RRSIG will be returned with the cached record. 1060echo "I:checking RRSIG query from cache ($n)" 1061ret=0 1062$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 1063ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1 1064expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1 1065test "$ans" = "$expect" || ret=1 1066# also check that RA is set 1067$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 1068grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1069n=`expr $n + 1` 1070if [ $ret != 0 ]; then echo "I:failed"; fi 1071status=`expr $status + $ret` 1072 1073# Check direct query for RRSIG: If it's not cached with other records, 1074# it should result in an empty response. 
1075echo "I:checking RRSIG query not in cache ($n)" 1076ret=0 1077ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1 1078test -z "$ans" || ret=1 1079# also check that RA is cleared 1080$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 1081grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1082n=`expr $n + 1` 1083if [ $ret != 0 ]; then echo "I:failed"; fi 1084status=`expr $status + $ret` 1085 1086# 1087# RT21868 regression test. 1088# 1089echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" 1090ret=0 1091$DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1092grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 1093n=`expr $n + 1` 1094if [ $ret != 0 ]; then echo "I:failed"; fi 1095status=`expr $status + $ret` 1096 1097# 1098# RT22007 regression test. 1099# 1100echo "I:checking optout NSEC3 referral with only insecure delegations ($n)" 1101ret=0 1102$DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1103grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1104grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1105n=`expr $n + 1` 1106if [ $ret != 0 ]; then echo "I:failed"; fi 1107status=`expr $status + $ret` 1108 1109echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" 1110ret=0 1111$DIG $DIGOPTS +norec nonexist.single-nsec3. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 1112grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 1113grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1114n=`expr $n + 1` 1115if [ $ret != 0 ]; then echo "I:failed"; fi 1116 1117status=`expr $status + $ret` 1118echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)" 1119ret=0 1120$DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1121grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1122grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1123n=`expr $n + 1` 1124if [ $ret != 0 ]; then echo "I:failed"; fi 1125status=`expr $status + $ret` 1126 1127echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)" 1128ret=0 1129$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1130grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1131grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 1132if [ $ret != 0 ]; then echo "I:failed"; fi 1133status=`expr $status + $ret` 1134 1135# Run a minimal update test if possible. This is really just 1136# a regression test for RT #2399; more tests should be added. 1137 1138if $PERL -e 'use Net::DNS;' 2>/dev/null 1139then 1140 echo "I:running DNSSEC update test" 1141 $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1 1142else 1143 echo "I:The DNSSEC update test requires the Net::DNS library." 
>&2 1144fi 1145 1146echo "I:checking managed key maintenance has not started yet ($n)" 1147ret=0 1148[ -f "ns4/managed-keys.bind.jnl" ] && ret=1 1149n=`expr $n + 1` 1150if [ $ret != 0 ]; then echo "I:failed"; fi 1151status=`expr $status + $ret` 1152 1153# Reconfigure caching server to use "dnssec-validation auto", and repeat 1154# some of the DNSSEC validation tests to ensure that it works correctly. 1155echo "I:switching to automatic root key configuration" 1156cp ns4/named2.conf ns4/named.conf 1157$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /' 1158sleep 5 1159 1160echo "I:checking managed key maintenance timer has now started ($n)" 1161ret=0 1162[ -f "ns4/managed-keys.bind.jnl" ] || ret=1 1163n=`expr $n + 1` 1164if [ $ret != 0 ]; then echo "I:failed"; fi 1165status=`expr $status + $ret` 1166 1167echo "I:checking positive validation NSEC ($n)" 1168ret=0 1169$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1170$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1171$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1172grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1173n=`expr $n + 1` 1174if [ $ret != 0 ]; then echo "I:failed"; fi 1175status=`expr $status + $ret` 1176 1177echo "I:checking positive validation NSEC3 ($n)" 1178ret=0 1179$DIG $DIGOPTS +noauth a.nsec3.example. \ 1180 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1181$DIG $DIGOPTS +noauth a.nsec3.example. \ 1182 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1183$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1184grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1185n=`expr $n + 1` 1186if [ $ret != 0 ]; then echo "I:failed"; fi 1187status=`expr $status + $ret` 1188 1189echo "I:checking positive validation OPTOUT ($n)" 1190ret=0 1191$DIG $DIGOPTS +noauth a.optout.example. 
\ 1192 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1193$DIG $DIGOPTS +noauth a.optout.example. \ 1194 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1195$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1196grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1197n=`expr $n + 1` 1198if [ $ret != 0 ]; then echo "I:failed"; fi 1199status=`expr $status + $ret` 1200 1201echo "I:checking negative validation ($n)" 1202ret=0 1203$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1204$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1205$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1206grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1207grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 1208n=`expr $n + 1` 1209if [ $ret != 0 ]; then echo "I:failed"; fi 1210status=`expr $status + $ret` 1211 1212echo "I:checking that root DS queries validate ($n)" 1213ret=0 1214$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 1215$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 1216$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 1217grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1218grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1219n=`expr $n + 1` 1220if [ $ret != 0 ]; then echo "I:failed"; fi 1221status=`expr $status + $ret` 1222 1223echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" 1224ret=0 1225$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 1226grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 1227n=`expr $n + 1` 1228if [ $ret != 0 ]; then echo "I:failed"; fi 1229 1230status=`expr $status + $ret` 1231echo "I:checking expired signatures do not validate ($n)" 1232ret=0 1233$DIG $DIGOPTS +noauth expired.example. 
+dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 1234grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 1235grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1236grep "expired.example .*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 1237n=`expr $n + 1` 1238if [ $ret != 0 ]; then echo "I:failed"; fi 1239status=`expr $status + $ret` 1240 1241echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" 1242ret=0 1243( 1244cd ns3 1245kskname=`$KEYGEN -q -3 -r ../random.data -fk update-nsec3.example` 1246( 1247echo zone update-nsec3.example 1248echo server 10.53.0.3 5300 1249grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/' 1250echo send 1251) | $NSUPDATE 1252) 1253$DIG $DIGOPTS +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1254grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1255grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1256grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 1257n=`expr $n + 1` 1258if [ $ret != 0 ]; then echo "I:failed"; fi 1259status=`expr $status + $ret` 1260 1261echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" 1262ret=0 1263$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1264grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1265grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1266grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 1267n=`expr $n + 1` 1268if [ $ret != 0 ]; then echo "I:failed"; fi 1269status=`expr $status + $ret` 1270 1271echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" 1272ret=0 1273$DIG $DIGOPTS +dnssec a auto-nsec3.example. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 1274grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1275grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1276grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 1277n=`expr $n + 1` 1278if [ $ret != 0 ]; then echo "I:failed"; fi 1279status=`expr $status + $ret` 1280 1281echo "I:checking that signing records have been marked as complete ($n)" 1282ret=0 1283checkprivate dynamic.example 10.53.0.3 || ret=1 1284checkprivate update-nsec3.example 10.53.0.3 || ret=1 1285checkprivate auto-nsec3.example 10.53.0.3 || ret=1 1286checkprivate expiring.example 10.53.0.3 || ret=1 1287checkprivate auto-nsec.example 10.53.0.3 || ret=1 1288n=`expr $n + 1` 1289if [ $ret != 0 ]; then echo "I:failed"; fi 1290status=`expr $status + $ret` 1291 1292echo "I:checking that a insecure zone beneath a cname resolves ($n)" 1293ret=0 1294$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1295grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1296grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 1297n=`expr $n + 1` 1298if [ $ret != 0 ]; then echo "I:failed"; fi 1299status=`expr $status + $ret` 1300 1301echo "I:checking that a secure zone beneath a cname resolves ($n)" 1302ret=0 1303$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1304grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1305grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 1306grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1307n=`expr $n + 1` 1308if [ $ret != 0 ]; then echo "I:failed"; fi 1309status=`expr $status + $ret` 1310 1311echo "I:checking dnskey query with no data still gets put in cache ($n)" 1312ret=0 1313myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4" 1314firstVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'` 1315sleep 1 1316secondVal=`$DIG $myDIGOPTS insecure.example. 
dnskey|awk '{ print $2 }'` 1317if [ $firstVal -eq $secondVal ] 1318then 1319 sleep 1 1320 thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'` 1321 if [ $firstVal -eq $thirdVal ] 1322 then 1323 echo "I: cannot confirm query answer still in cache" 1324 ret=1 1325 fi 1326fi 1327n=`expr $n + 1` 1328if [ $ret != 0 ]; then echo "I:failed"; fi 1329status=`expr $status + $ret` 1330 1331echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)" 1332ret=0 1333( 1334echo zone nsec3chain-test 1335echo server 10.53.0.2 5300 1336echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 1337echo send 1338) | $NSUPDATE 1339for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1340do 1341 $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 1342 if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null 1343 then 1344 break; 1345 fi 1346 echo "I:sleeping ...." 1347 sleep 3 1348done; 1349grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 1350if [ $ret != 0 ]; then echo "I:nsec3 chain generation not complete"; fi 1351sleep 3 1352$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 1353$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 1354$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 1355n=`expr $n + 1` 1356if [ $ret != 0 ]; then echo "I:failed"; fi 1357status=`expr $status + $ret` 1358 1359echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)" 1360ret=0 1361$DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 1362# there must be a signature here 1363[ -s dig.out.ns3.test$n ] || ret=1 1364if [ $ret != 0 ]; then echo "I:failed"; fi 1365status=`expr $status + $ret` 1366 1367echo "I:exit status: $status" 1368exit $status 1369