#!/bin/sh
#
# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id$

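# System test for the filter-aaaa / filter-aaaa-on-v4 options.
#
# Each check prints "I:checking that <label> (<n>)", runs one dig query
# against a test server, greps the saved answer, and prints "I:failed" on a
# mismatch.  The script exits with the number of failed checks.
#
# CHECKCONF, DIG and TESTSOCK6 are not set here; they are expected to come
# from conf.sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0	# number of failed checks so far
n=0		# sequence number of the current check

rm -f dig.out.*

DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"

# expr and backticks are kept (instead of $(( ))) to match the portability
# level of the original /bin/sh script.

# Start a check: bump the counter, print the label ($1), reset the verdict.
t_begin() {
	n=`expr $n + 1`
	echo "I:checking that $1 ($n)"
	ret=0
}

# Run dig with DIGOPTS plus the remaining arguments and save the answer in
# dig.out.<$1>.test<n>; a non-zero dig exit marks the check as failed.
t_dig() {
	out=dig.out.$1.test$n
	shift
	$DIG $DIGOPTS "$@" > $out || ret=1
}

# Fail the check unless the saved answer matches grep pattern $1.
t_has() {
	grep "$1" $out > /dev/null || ret=1
}

# Fail the check if the saved answer matches grep pattern $1.
t_lacks() {
	if grep "$1" $out > /dev/null; then ret=1; fi
}

# Finish a check: report a failure and add it to the exit status.
t_end() {
	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
}

for conf in conf/good*.conf
do
	t_begin "$conf is accepted"
	$CHECKCONF "$conf" || ret=1
	t_end
done

# NOTE(review): any non-zero exit counts as "rejected" here, so a checker
# that dies on a signal while parsing a bad file would also pass.
for conf in conf/bad*.conf
do
	t_begin "$conf is rejected"
	$CHECKCONF "$conf" >/dev/null && ret=1
	t_end
done

#
# Authoritative tests against:
#	filter-aaaa-on-v4 yes;
#	filter-aaaa { 10.53.0.1; };
#
t_begin "AAAA is returned when only AAAA record exists, signed"
t_dig ns1 aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1
t_has ::2
t_end

t_begin "AAAA is returned when only AAAA record exists, unsigned"
t_dig ns1 aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1
t_has ::5
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed"
t_dig ns1 aaaa dual.signed -b 10.53.0.1 @10.53.0.1
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned"
t_dig ns1 aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist, signed and DO set"
t_dig ns1 aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1
t_has ::3
t_end

# +dnssec added: the label says "DO set", but the query was sent without it
# and so only repeated the plain unsigned check above.
t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set"
t_dig ns1 aaaa dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist and query source does not match acl"
t_dig ns1 aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1
t_has "status: NOERROR"
t_has ::6
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY"
t_dig ns1 any dual.signed -b 10.53.0.1 @10.53.0.1
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks "::3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY"
t_dig ns1 any dual.unsigned -b 10.53.0.1 @10.53.0.1
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set"
t_dig ns1 any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1
t_has "status: NOERROR"
t_has ::3
t_has "1.0.0.3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set"
t_dig ns1 any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl"
t_dig ns1 any dual.unsigned -b 10.53.0.2 @10.53.0.1
t_has "status: NOERROR"
t_has 1.0.0.6
t_has ::6
t_end

# IPv6 checks run only when TESTSOCK6 succeeds for the address; a skipped
# check still consumes a sequence number but never counts as a failure.
t_begin "AAAA is returned when both AAAA and A record exists, unsigned over IPv6"
if $TESTSOCK6 fd92:7065:b8e:ffff::1
then
	t_dig ns1 aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1
	t_has 2001:db8::6
	t_end
else
	echo "I: skipped."
fi

t_begin "AAAA is omitted from additional section, qtype=NS"
t_dig ns1 +add ns unsigned -b 10.53.0.1 @10.53.0.1
t_lacks AAAA
t_has "ADDITIONAL: 1"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, unsigned"
t_dig ns1 +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1
t_lacks "^mx.unsigned.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, signed"
t_dig ns1 +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1
t_has "^mx.signed.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, unsigned, over IPV6"
if $TESTSOCK6 fd92:7065:b8e:ffff::1
then
	t_dig ns1 +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1
	t_has "^mx.unsigned.*AAAA"
	t_end
else
	echo "I: skipped."
fi


#
# Authoritative tests against:
#	filter-aaaa-on-v4 break-dnssec;
#	filter-aaaa { 10.53.0.4; };
#
# Unlike the "yes" section above, the checks here expect AAAA to be
# withheld from signed answers even when the query sets DO.
#
t_begin "AAAA is returned when only AAAA record exists, signed with break-dnssec"
t_dig ns4 aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4
t_has ::2
t_end

t_begin "AAAA is returned when only AAAA record exists, unsigned with break-dnssec"
t_dig ns4 aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4
t_has ::5
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec"
t_dig ns4 aaaa dual.signed -b 10.53.0.4 @10.53.0.4
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec"
t_dig ns4 aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec"
t_dig ns4 aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

# +dnssec added: the label says "DO set", but the query was sent without it.
t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec"
t_dig ns4 aaaa dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec"
t_dig ns4 aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4
t_has "status: NOERROR"
t_has ::6
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec"
t_dig ns4 any dual.signed -b 10.53.0.4 @10.53.0.4
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks "::3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec"
t_dig ns4 any dual.unsigned -b 10.53.0.4 @10.53.0.4
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec"
t_dig ns4 any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks ::3
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec"
t_dig ns4 any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec"
t_dig ns4 any dual.unsigned -b 10.53.0.2 @10.53.0.4
t_has "status: NOERROR"
t_has 1.0.0.6
t_has ::6
t_end

t_begin "AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec"
if $TESTSOCK6 fd92:7065:b8e:ffff::4
then
	t_dig ns4 aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4
	t_has 2001:db8::6
	t_end
else
	echo "I: skipped."
fi

t_begin "AAAA is omitted from additional section, qtype=NS, with break-dnssec"
t_dig ns4 +add ns unsigned -b 10.53.0.4 @10.53.0.4
t_lacks AAAA
t_has "ADDITIONAL: 1"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec"
t_dig ns4 +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4
t_lacks "^mx.unsigned.*AAAA"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec"
t_dig ns4 +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4
t_lacks "^mx.signed.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, unsigned, over IPV6, with break-dnssec"
if $TESTSOCK6 fd92:7065:b8e:ffff::4
then
	t_dig ns4 +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4
	t_has "^mx.unsigned.*AAAA"
	t_end
else
	echo "I: skipped."
fi


#
# Recursive tests against:
#	filter-aaaa-on-v4 yes;
#	filter-aaaa { 10.53.0.2; };
#
t_begin "AAAA is returned when only AAAA record exists, signed, recursive"
t_dig ns2 aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2
t_has ::2
t_end

t_begin "AAAA is returned when only AAAA record exists, unsigned, recursive"
t_dig ns2 aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2
t_has ::5
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive"
t_dig ns2 aaaa dual.signed -b 10.53.0.2 @10.53.0.2
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive"
t_dig ns2 aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist, signed and DO set, recursive"
t_dig ns2 aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2
t_has ::3
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive"
t_dig ns2 aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive"
t_dig ns2 aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2
t_has "status: NOERROR"
t_has ::6
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive"
t_dig ns2 any dual.signed -b 10.53.0.2 @10.53.0.2
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks "::3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive"
t_dig ns2 any dual.unsigned -b 10.53.0.2 @10.53.0.2
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive"
t_dig ns2 any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2
t_has "status: NOERROR"
t_has ::3
t_has "1.0.0.3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive"
t_dig ns2 any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive"
t_dig ns2 any dual.unsigned -b 10.53.0.1 @10.53.0.2
t_has "status: NOERROR"
t_has 1.0.0.6
t_has ::6
t_end

t_begin "AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive"
if $TESTSOCK6 fd92:7065:b8e:ffff::2
then
	t_dig ns2 aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2
	t_has 2001:db8::6
	t_end
else
	echo "I: skipped."
fi

t_begin "AAAA is omitted from additional section, qtype=NS"
t_dig ns2 +add ns unsigned -b 10.53.0.2 @10.53.0.2
t_lacks AAAA
t_has "ADDITIONAL: 1"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, unsigned"
t_dig ns2 +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2
t_lacks "^mx.unsigned.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, signed"
t_dig ns2 +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2
t_has "^mx.signed.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, unsigned, over IPV6"
if $TESTSOCK6 fd92:7065:b8e:ffff::2
then
	t_dig ns2 +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2
	t_has "^mx.unsigned.*AAAA"
	t_end
else
	echo "I: skipped."
fi


#
# Recursive tests against:
#	filter-aaaa-on-v4 break-dnssec;
#	filter-aaaa { 10.53.0.3; };
#
t_begin "AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec"
t_dig ns3 aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3
t_has ::2
t_end

t_begin "AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec"
t_dig ns3 aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3
t_has ::5
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec"
t_dig ns3 aaaa dual.signed -b 10.53.0.3 @10.53.0.3
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec"
t_dig ns3 aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

# NOTE(review): the label promises NODATA/NOERROR, but only "ANSWER: 0" is
# checked here; the sibling checks also grep "status: NOERROR".  Confirm the
# expected rcode for this case and add the second check.
t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec"
t_dig ns3 aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3
t_has "ANSWER: 0"
t_end

t_begin "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec"
t_dig ns3 aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3
t_has "ANSWER: 0"
t_has "status: NOERROR"
t_end

t_begin "AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec"
t_dig ns3 aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3
t_has "status: NOERROR"
t_has ::6
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec"
t_dig ns3 any dual.signed -b 10.53.0.3 @10.53.0.3
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks "::3"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec"
t_dig ns3 any dual.unsigned -b 10.53.0.3 @10.53.0.3
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec"
t_dig ns3 any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3
t_has "status: NOERROR"
t_has "1.0.0.3"
t_lacks ::3
t_end

t_begin "A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec"
t_dig ns3 any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3
t_has "status: NOERROR"
t_has "1.0.0.6"
t_lacks "::6"
t_end

t_begin "both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec"
t_dig ns3 any dual.unsigned -b 10.53.0.1 @10.53.0.3
t_has "status: NOERROR"
t_has 1.0.0.6
t_has ::6
t_end

t_begin "AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec"
if $TESTSOCK6 fd92:7065:b8e:ffff::3
then
	t_dig ns3 aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3
	t_has 2001:db8::6
	t_end
else
	echo "I: skipped."
fi

t_begin "AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec"
t_dig ns3 +add ns unsigned -b 10.53.0.3 @10.53.0.3
t_lacks AAAA
t_has "ADDITIONAL: 1"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec"
t_dig ns3 +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3
t_lacks "^mx.unsigned.*AAAA"
t_end

t_begin "AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec"
t_dig ns3 +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3
t_lacks "^mx.signed.*AAAA"
t_end

t_begin "AAAA is included in additional section, qtype=MX, unsigned, over IPV6, recursive with break-dnssec"
if $TESTSOCK6 fd92:7065:b8e:ffff::3
then
	t_dig ns3 +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3
	t_has "^mx.unsigned.*AAAA"
	t_end
else
	echo "I: skipped."
fi

echo "I:exit status: $status"
exit $status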