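#!/bin/sh
#
# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id

# DNSSEC system test driver.
#
# Each check below queries one or more of the test name servers with $DIG,
# compares answers with ../digcomp.pl where two servers are involved, and
# then greps the saved dig output for the expected status, flags and
# section counts.  The security-relevant assertions are:
#
#   - the AD (authenticated data) flag MUST be present on answers the
#     validating resolver was able to validate (positive, negative,
#     wildcard, NSEC, NSEC3 and opt-out cases);
#   - the AD flag MUST NOT be present on insecure (unsigned delegation)
#     answers, on answers from an authoritative-only server, or when the
#     client sets CD (checking disabled);
#   - answers whose signatures cannot be validated (bogus zone, missing
#     DNSKEY, misconfigured trust anchor) MUST fail with SERVFAIL, and
#     bogus data cached via a +cd query MUST NOT be served to a later
#     validating query.
#
# Server roles, as inferred from the queries below (see the named.conf of
# each ns* directory to confirm): 10.53.0.2 and 10.53.0.3 answer
# authoritatively, 10.53.0.4 is a validating resolver with the correct
# trust anchor, 10.53.0.5 is a validating resolver with a deliberately
# wrong trust anchor.
#
# Every failed check prints "I:failed" and is counted in $status, which is
# the script's exit status.  $n numbers the checks so a failure message can
# be matched to the saved dig.out.*.test$n files.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

RANDFILE=random.data

# number of failed checks so far; becomes the exit status
status=0
# sequence number of the current check, used in messages and file names
n=1

rm -f dig.out.*

# Note: $DIGOPTS is deliberately left unquoted wherever it is used so that
# the shell splits it into individual dig options.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"

# convert private-type records to readable form
#
# Arguments: $1 - zone name, $2 - server address to query
# Outputs:   one "signing:"/"removing:" line per TYPE65534 record, each
#            tagged "(complete)" or "(incomplete)", preceded by a
#            "-- <args> --" header line
#
# The +short presentation of an unknown type is "\# <len> <hex>", so the
# third space-separated field is the hex rdata.  The rdata is expected to
# be exactly 5 octets: algorithm (1), key id (2), remove flag (1),
# complete flag (1).
showprivate () {
	echo "-- $* --"
	$DIG $DIGOPTS +nodnssec +short @"$2" -t type65534 "$1" | cut -f3 -d' ' |
	while read -r record; do
		perl -e 'my $rdata = pack("H*", $ARGV[0]);
			die "invalid record" unless length($rdata) == 5;
			my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
			my $action = "signing";
			$action = "removing" if $remove;
			my $state = " (incomplete)";
			$state = " (complete)" if $complete;
			print ("$action: alg: $alg, key: $key$state\n");' "$record"
	done
}

# check that signing records are marked as complete
#
# Arguments: same as showprivate ($1 - zone, $2 - server)
# Returns:   0 if no record is reported "(incomplete)", 1 otherwise
#            (the showprivate output and "I:failed" are echoed on failure)
#
# The grep output is discarded via /dev/null rather than by closing the
# descriptor (">&-"): with a closed stdout, grep may fail to write the
# matching line and exit 2 instead of 0, in which case the "&& ret=1"
# would not fire and an incomplete signing record would go undetected.
checkprivate () {
	ret=0
	x=`showprivate "$@"`
	echo "$x" | grep incomplete > /dev/null 2>&1 && ret=1
	[ $ret = 1 ] && {
		echo "$x"
		echo "I:failed"
	}
	return $ret
}

# check that a zone file is raw format with the given version
#
# Arguments: $1 - zone file path, $2 - expected raw format version number
# Returns:   0 if the file starts with an 8-octet header of
#            (format == 2 /* raw */, version == $2), 1 otherwise
#
# The read length is checked explicitly: a truncated or empty file must
# be reported as "not raw" rather than producing an undefined-value
# comparison.
israw_version () {
	perl -e 'binmode STDIN;
		my $got = read(STDIN, my $input, 8);
		exit 1 unless defined $got && $got == 8;
		my ($style, $version) = unpack("NN", $input);
		exit 1 if ($style != 2 || $version != $ARGV[0]);' "$2" < "$1"
	return $?
}

# check that a zone file is raw format, version 0
israw0 () {
	israw_version "$1" 0
}

# check that a zone file is raw format, version 1
israw1 () {
	israw_version "$1" 1
}

# Check the example. domain

# ns2 and ns3 must serve identical data before the validation checks make
# sense; allow the transfer a few seconds to complete.
echo "I:checking that zone transfer worked ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
	$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
	$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# test AD bit:
# - dig +noadflag
echo "I:checking that AD is not set without +adflag or +dnssec ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# An authoritative server does not validate, so it must never set AD.
echo "I:checking for AD in authoritative answer ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation NSEC ($n)"
ret=0
$DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A wildcard answer from an NSEC3 zone must carry the NSEC3 records that
# prove no closer match exists; the authority section count pins that.
echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NOTE(review): this check is a verbatim repeat of the previous one.  It is
# kept so that the check numbering ($n) of everything below is unchanged.
echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive wildcard validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS a.wild.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.wild.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NXDOMAIN NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With opt-out, an NXDOMAIN in an opted-out span cannot be proven secure,
# so the resolver must NOT set AD even though the zone is signed.
echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NODATA NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative validation NODATA NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NODATA for an existing name is provable even with opt-out (the name's
# own NSEC3 exists), so AD is expected here, unlike the NXDOMAIN case.
echo "I:checking negative validation NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation NSEC ($n)"
ret=0
$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking negative wildcard validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS b.wild.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS b.wild.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the insecure.example domain
#
# insecure.* is an unsigned child of a signed parent.  The resolver must
# prove the absence of a DS record and then answer WITHOUT the AD flag:
# setting AD on unsigned data would be a validation bypass.

echo "I:checking 1-server insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server insecurity proof NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server insecurity proof OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The "SOA hack" checks query type SOA for a nonexistent name; the
# negative answer must still carry the zone SOA ("0 IN SOA", i.e. the
# negative-caching TTL) in the authority section and must not be marked AD.
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
ret=0
$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
ret=0
$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the secure.example domain
#
# Multi-stage checks walk a chain of trust through two signed zones that
# may use different denial-of-existence mechanisms (parent/child listed
# in each message as NSEC, NSEC3 or OPTOUT); every combination must
# validate and carry AD.

echo "I:checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# NOTE(review): the AD assertion for this case is disabled, so this check
# only confirms that the two servers agree and the status is NOERROR; it
# does not confirm the empty non-terminal NODATA answer was validated.
# Re-enable (or replace with an explicit "ad must be absent" check) once
# the intended behaviour for empty non-terminals under opt-out is confirmed.
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the bogus domain
#
# A validating resolver must refuse (SERVFAIL) to hand out data whose
# signatures do not verify; returning it without AD is not acceptable.

echo "I:checking failed validation ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Try validating with a bad trusted key.
# This should fail.

echo "I:checking that validation fails with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Even an insecure delegation cannot be accepted when the trust anchor is
# wrong: the DS-absence proof itself must be validated against the anchor.
echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation fails when key record is missing ($n)"
ret=0
$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A +cd (checking disabled) query may populate the cache with unvalidated
# data.  That data may be returned to further +cd queries, but a later
# query WITHOUT cd must re-validate and reject it rather than serve the
# cached bogus answer.
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
#check: requery with +CD.  pending data should be returned even if it's bogus
expect="a.example.
10.0.0.1"
ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo "I:failed, got '$ans', expected '$expect'"
#check: requery without +CD.  bogus cached data should be rejected.
$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
ret=0
#prime
$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
#check: requery with +CD.  pending data should be returned even if it's bogus
expect="example.
a.example.
10.0.0.1"
ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo "I:failed, got '$ans', expected '$expect'"
#check: requery without +CD.  bogus cached data should be rejected.
$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check the insecure.secure.example domain (insecurity proof)

echo "I:checking 2-server insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
	> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check a negative response in insecure.secure.example

echo "I:checking 2-server insecurity proof with a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
	|| ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
	|| ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check that the query for a security root is successful and has ad set

echo "I:checking security root query ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check that the setting the cd bit works
#
# ns4 (no cd) must validate and set AD; ns5, queried with +cdflag, must
# return the same data but with validation skipped and therefore no AD.

echo "I:checking cd bit on a positive answer ($n)"
ret=0
$DIG $DIGOPTS +noauth example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation RSASHA256 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation RSASHA512 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a query that should fail ($n)"
ret=0
$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag a.bogus.example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on an insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking cd bit on a negative insecurity proof ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
	> dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation of an ANY query works ($n)"
ret=0
$DIG $DIGOPTS +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# 2 records in the zone, 1 NSEC, 3 RRSIGs
grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that validation of a query returning a CNAME works ($n)"
ret=0
$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth cname1.example. \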
txt @10.53.0.4 \ 839 > dig.out.ns4.test$n || ret=1 840$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 841grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 842# the CNAME & its sig, the TXT and its SIG 843grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 844n=`expr $n + 1` 845if [ $ret != 0 ]; then echo "I:failed"; fi 846status=`expr $status + $ret` 847 848echo "I:checking that validation of a query returning a DNAME works ($n)" 849ret=0 850$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \ 851 > dig.out.ns2.test$n || ret=1 852$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \ 853 > dig.out.ns4.test$n || ret=1 854$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 855grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 856# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. 857# It would be nice to test that the CNAME is being synthesized by the 858# recursive server and not cached, but I don't know how. 859grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 860n=`expr $n + 1` 861if [ $ret != 0 ]; then echo "I:failed"; fi 862status=`expr $status + $ret` 863 864echo "I:checking that validation of an ANY query returning a CNAME works ($n)" 865ret=0 866$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \ 867 > dig.out.ns2.test$n || ret=1 868$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \ 869 > dig.out.ns4.test$n || ret=1 870$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 871grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 872# The CNAME, NXT, and their SIGs 873grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 874n=`expr $n + 1` 875if [ $ret != 0 ]; then echo "I:failed"; fi 876status=`expr $status + $ret` 877 878echo "I:checking that validation of an ANY query returning a DNAME works ($n)" 879ret=0 880$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \ 881 > dig.out.ns2.test$n || ret=1 882$DIG $DIGOPTS +noauth foo.dname2.example. 
any @10.53.0.4 \ 883 > dig.out.ns4.test$n || ret=1 884$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 885grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 886n=`expr $n + 1` 887if [ $ret != 0 ]; then echo "I:failed"; fi 888status=`expr $status + $ret` 889 890echo "I:checking that positive validation in a privately secure zone works ($n)" 891ret=0 892$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ 893 > dig.out.ns2.test$n || ret=1 894$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ 895 > dig.out.ns4.test$n || ret=1 896$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 897grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 898# Note - this is looking for failure, hence the && 899grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 900n=`expr $n + 1` 901if [ $ret != 0 ]; then echo "I:failed"; fi 902status=`expr $status + $ret` 903 904echo "I:checking that negative validation in a privately secure zone works ($n)" 905ret=0 906$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ 907 > dig.out.ns2.test$n || ret=1 908$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ 909 > dig.out.ns4.test$n || ret=1 910$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 911grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 912# Note - this is looking for failure, hence the && 913grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 914n=`expr $n + 1` 915if [ $ret != 0 ]; then echo "I:failed"; fi 916status=`expr $status + $ret` 917 918echo "I:checking that lookups succeed after disabling a algorithm works ($n)" 919ret=0 920$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \ 921 > dig.out.ns2.test$n || ret=1 922$DIG $DIGOPTS +noauth example. 
SOA @10.53.0.6 \ 923 > dig.out.ns6.test$n || ret=1 924$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 925# Note - this is looking for failure, hence the && 926grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 927n=`expr $n + 1` 928if [ $ret != 0 ]; then echo "I:failed"; fi 929status=`expr $status + $ret` 930 931echo "I:checking privately secure to nxdomain works ($n)" 932ret=0 933$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \ 934 > dig.out.ns2.test$n || ret=1 935$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ 936 > dig.out.ns4.test$n || ret=1 937$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 938# Note - this is looking for failure, hence the && 939grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 940n=`expr $n + 1` 941if [ $ret != 0 ]; then echo "I:failed"; fi 942status=`expr $status + $ret` 943 944echo "I:checking privately secure wildcard to nxdomain works ($n)" 945ret=0 946$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \ 947 > dig.out.ns2.test$n || ret=1 948$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ 949 > dig.out.ns4.test$n || ret=1 950$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 951# Note - this is looking for failure, hence the && 952grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 953n=`expr $n + 1` 954if [ $ret != 0 ]; then echo "I:failed"; fi 955status=`expr $status + $ret` 956 957echo "I:checking a non-cachable NODATA works ($n)" 958ret=0 959$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \ 960 > dig.out.ns7.test$n || ret=1 961grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 962$DIG $DIGOPTS +noauth a.nosoa.secure.example. 
txt @10.53.0.4 \ 963 > dig.out.ns4.test$n || ret=1 964grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 965n=`expr $n + 1` 966if [ $ret != 0 ]; then echo "I:failed"; fi 967status=`expr $status + $ret` 968 969echo "I:checking a non-cachable NXDOMAIN works ($n)" 970ret=0 971$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \ 972 > dig.out.ns7.test$n || ret=1 973grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 974$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \ 975 > dig.out.ns4.test$n || ret=1 976grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 977n=`expr $n + 1` 978if [ $ret != 0 ]; then echo "I:failed"; fi 979status=`expr $status + $ret` 980 981# 982# private.secure.example is served by the same server as its 983# grand parent and there is not a secure delegation from secure.example 984# to private.secure.example. In addition secure.example is using a 985# algorithm which the validation does not support. 986# 987echo "I:checking dnssec-lookaside-validation works ($n)" 988ret=0 989$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ 990 > dig.out.ns6.test$n || ret=1 991grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 992n=`expr $n + 1` 993if [ $ret != 0 ]; then echo "I:failed"; fi 994status=`expr $status + $ret` 995 996echo "I:checking that we can load a rfc2535 signed zone ($n)" 997ret=0 998$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ 999 > dig.out.ns2.test$n || ret=1 1000grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1001n=`expr $n + 1` 1002if [ $ret != 0 ]; then echo "I:failed"; fi 1003status=`expr $status + $ret` 1004 1005echo "I:checking that we can transfer a rfc2535 signed zone ($n)" 1006ret=0 1007$DIG $DIGOPTS rfc2535.example. 
SOA @10.53.0.3 \ 1008 > dig.out.ns3.test$n || ret=1 1009grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 1010n=`expr $n + 1` 1011if [ $ret != 0 ]; then echo "I:failed"; fi 1012status=`expr $status + $ret` 1013 1014echo "I:checking that we can sign a zone with out-of-zone records ($n)" 1015ret=0 1016zone=example 1017key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1018key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1019( 1020cd signer 1021cat example.db.in $key1.key $key2.key > example.db 1022$SIGNER -o example -f example.db example.db > /dev/null 2>&1 1023) || ret=1 1024n=`expr $n + 1` 1025if [ $ret != 0 ]; then echo "I:failed"; fi 1026status=`expr $status + $ret` 1027 1028echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" 1029ret=0 1030zone=example 1031key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1032key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1033( 1034cd signer 1035cat example.db.in $key1.key $key2.key > example.db 1036$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 1037awk '/^IQF9LQTLK/ { 1038 printf("%s", $0); 1039 while (!index($0, ")")) { 1040 if (getline <= 0) 1041 break; 1042 printf (" %s", $0); 1043 } 1044 printf("\n"); 1045 }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out 1046 1047grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null 1048) || ret=1 1049n=`expr $n + 1` 1050if [ $ret != 0 ]; then echo "I:failed"; fi 1051status=`expr $status + $ret` 1052 1053echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)" 1054ret=0 1055zone=example 1056key1=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` 1057key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone` 1058( 1059cd signer 1060cat example.db.in $key1.key $key2.key > example.db 1061$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 1062sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed 1063$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 1064) 1065grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 1066n=`expr $n + 1` 1067if [ $ret != 0 ]; then echo "I:failed"; fi 1068status=`expr $status + $ret` 1069 1070echo "I:checking dnssec-signzone keeps valid signatures from removed keys ($n)" 1071ret=0 1072zone=example 1073key1=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone` 1074key2=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` 1075keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` 1076key3=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` 1077keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` 1078( 1079cd signer 1080cat example.db.in $key1.key $key2.key > example.db 1081$SIGNER -D -o example example.db > /dev/null 2>&1 1082 1083# now switch out key2 for key3 and resign the zone 1084cat example.db.in $key1.key $key3.key > example.db 1085echo '$INCLUDE "example.db.signed"' >> example.db 1086$SIGNER -D -o example example.db > /dev/null 2>&1 1087) || ret=1 1088grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1089grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1090n=`expr $n + 
1` 1091if [ $ret != 0 ]; then echo "I:failed"; fi 1092status=`expr $status + $ret` 1093 1094echo "I:checking dnssec-signzone -R purges signatures from removed keys ($n)" 1095ret=0 1096( 1097cd signer 1098$SIGNER -RD -o example example.db > /dev/null 2>&1 1099) || ret=1 1100grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 1101grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1102n=`expr $n + 1` 1103if [ $ret != 0 ]; then echo "I:failed"; fi 1104status=`expr $status + $ret` 1105 1106echo "I:checking dnssec-signzone retains unexpired signatures ($n)" 1107ret=0 1108( 1109cd signer 1110$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 1111$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 1112) || ret=1 1113gen1=`awk '/generated/ {print $3}' signer/signer.out.1` 1114retain1=`awk '/retained/ {print $3}' signer/signer.out.1` 1115drop1=`awk '/dropped/ {print $3}' signer/signer.out.1` 1116gen2=`awk '/generated/ {print $3}' signer/signer.out.2` 1117retain2=`awk '/retained/ {print $3}' signer/signer.out.2` 1118drop2=`awk '/dropped/ {print $3}' signer/signer.out.2` 1119[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1 1120[ "$gen2" -eq 0 ] || ret=1 1121[ "$drop2" -eq 0 ] || ret=1 1122n=`expr $n + 1` 1123if [ $ret != 0 ]; then echo "I:failed"; fi 1124status=`expr $status + $ret` 1125 1126echo "I:checking dnssec-signzone output format ($n)" 1127ret=0 1128( 1129cd signer 1130$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null 1131$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null 1132$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1 1133$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1 1134$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null 1135) || ret=1 1136awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 1137awk '/IN *SOA/ {if (NF != 7) exit(1)}' 
signer/signer.out.4 || ret=1 1138israw1 signer/signer.out.5 || ret=1 1139israw0 signer/signer.out.6 || ret=1 1140israw1 signer/signer.out.7 || ret=1 1141if [ $ret != 0 ]; then echo "I:failed"; fi 1142status=`expr $status + $ret` 1143 1144echo "I:checking validated data are not cached longer than originalttl ($n)" 1145ret=0 1146$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1147$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1148grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 1149grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 1150grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 1151grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 1152n=`expr $n + 1` 1153if [ $ret != 0 ]; then echo "I:failed"; fi 1154status=`expr $status + $ret` 1155 1156# Test that "rndc secroots" is able to dump trusted keys 1157echo "I:checking rndc secroots ($n)" 1158ret=0 1159$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /' 1160keyid=`cat ns1/managed.key.id` 1161linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l` 1162[ "$linecount" -eq 1 ] || ret=1 1163linecount=`cat ns4/named.secroots | wc -l` 1164[ "$linecount" -eq 5 ] || ret=1 1165n=`expr $n + 1` 1166if [ $ret != 0 ]; then echo "I:failed"; fi 1167status=`expr $status + $ret` 1168 1169# Check direct query for RRSIG. If we first ask for normal (non RRSIG) 1170# record, the corresponding RRSIG should be cached and subsequent query 1171# for RRSIG will be returned with the cached record. 1172echo "I:checking RRSIG query from cache ($n)" 1173ret=0 1174$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 1175ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1 1176expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. 
@10.53.0.3 rrsig | grep '^A' ` || ret=1 1177test "$ans" = "$expect" || ret=1 1178# also check that RA is set 1179$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 1180grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1181n=`expr $n + 1` 1182if [ $ret != 0 ]; then echo "I:failed"; fi 1183status=`expr $status + $ret` 1184 1185# Check direct query for RRSIG: If it's not cached with other records, 1186# it should result in an empty response. 1187echo "I:checking RRSIG query not in cache ($n)" 1188ret=0 1189ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1 1190test -z "$ans" || ret=1 1191# also check that RA is cleared 1192$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 1193grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1194n=`expr $n + 1` 1195if [ $ret != 0 ]; then echo "I:failed"; fi 1196status=`expr $status + $ret` 1197 1198# 1199# RT21868 regression test. 1200# 1201echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" 1202ret=0 1203$DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1204grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 1205n=`expr $n + 1` 1206if [ $ret != 0 ]; then echo "I:failed"; fi 1207status=`expr $status + $ret` 1208 1209# 1210# RT22007 regression test. 1211# 1212echo "I:checking optout NSEC3 referral with only insecure delegations ($n)" 1213ret=0 1214$DIG $DIGOPTS +norec delegation.single-nsec3. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 1215grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1216grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1217n=`expr $n + 1` 1218if [ $ret != 0 ]; then echo "I:failed"; fi 1219status=`expr $status + $ret` 1220 1221echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" 1222ret=0 1223$DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1224grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 1225grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1226n=`expr $n + 1` 1227if [ $ret != 0 ]; then echo "I:failed"; fi 1228 1229status=`expr $status + $ret` 1230echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)" 1231ret=0 1232$DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1233grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1234grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 1235n=`expr $n + 1` 1236if [ $ret != 0 ]; then echo "I:failed"; fi 1237status=`expr $status + $ret` 1238 1239echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)" 1240ret=0 1241$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1242grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1243grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 1244if [ $ret != 0 ]; then echo "I:failed"; fi 1245status=`expr $status + $ret` 1246 1247# Run a minimal update test if possible. This is really just 1248# a regression test for RT #2399; more tests should be added. 
1249 1250if $PERL -e 'use Net::DNS;' 2>/dev/null 1251then 1252 echo "I:running DNSSEC update test" 1253 $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1 1254else 1255 echo "I:The DNSSEC update test requires the Net::DNS library." >&2 1256fi 1257 1258echo "I:checking managed key maintenance has not started yet ($n)" 1259ret=0 1260[ -f "ns4/managed-keys.bind.jnl" ] && ret=1 1261n=`expr $n + 1` 1262if [ $ret != 0 ]; then echo "I:failed"; fi 1263status=`expr $status + $ret` 1264 1265# Reconfigure caching server to use "dnssec-validation auto", and repeat 1266# some of the DNSSEC validation tests to ensure that it works correctly. 1267echo "I:switching to automatic root key configuration" 1268cp ns4/named2.conf ns4/named.conf 1269$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /' 1270sleep 5 1271 1272echo "I:checking managed key maintenance timer has now started ($n)" 1273ret=0 1274[ -f "ns4/managed-keys.bind.jnl" ] || ret=1 1275n=`expr $n + 1` 1276if [ $ret != 0 ]; then echo "I:failed"; fi 1277status=`expr $status + $ret` 1278 1279echo "I:checking positive validation NSEC ($n)" 1280ret=0 1281$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1282$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1283$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1284grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1285n=`expr $n + 1` 1286if [ $ret != 0 ]; then echo "I:failed"; fi 1287status=`expr $status + $ret` 1288 1289echo "I:checking positive validation NSEC3 ($n)" 1290ret=0 1291$DIG $DIGOPTS +noauth a.nsec3.example. \ 1292 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1293$DIG $DIGOPTS +noauth a.nsec3.example. 
\ 1294 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1295$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1296grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1297n=`expr $n + 1` 1298if [ $ret != 0 ]; then echo "I:failed"; fi 1299status=`expr $status + $ret` 1300 1301echo "I:checking positive validation OPTOUT ($n)" 1302ret=0 1303$DIG $DIGOPTS +noauth a.optout.example. \ 1304 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1305$DIG $DIGOPTS +noauth a.optout.example. \ 1306 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1307$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1308grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1309n=`expr $n + 1` 1310if [ $ret != 0 ]; then echo "I:failed"; fi 1311status=`expr $status + $ret` 1312 1313echo "I:checking negative validation ($n)" 1314ret=0 1315$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 1316$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1317$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1318grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1319grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 1320n=`expr $n + 1` 1321if [ $ret != 0 ]; then echo "I:failed"; fi 1322status=`expr $status + $ret` 1323 1324echo "I:checking that root DS queries validate ($n)" 1325ret=0 1326$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 1327$DIG $DIGOPTS +noauth . 
@10.53.0.4 ds > dig.out.ns4.test$n || ret=1 1328$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 1329grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1330grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1331n=`expr $n + 1` 1332if [ $ret != 0 ]; then echo "I:failed"; fi 1333status=`expr $status + $ret` 1334 1335echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" 1336ret=0 1337$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 1338grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 1339n=`expr $n + 1` 1340if [ $ret != 0 ]; then echo "I:failed"; fi 1341 1342status=`expr $status + $ret` 1343echo "I:checking expired signatures do not validate ($n)" 1344ret=0 1345$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 1346grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 1347grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1348grep "expired.example .*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 1349n=`expr $n + 1` 1350if [ $ret != 0 ]; then echo "I:failed"; fi 1351status=`expr $status + $ret` 1352 1353echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" 1354ret=0 1355( 1356cd ns3 1357kskname=`$KEYGEN -q -3 -r ../random.data -fk update-nsec3.example` 1358( 1359echo zone update-nsec3.example 1360echo server 10.53.0.3 5300 1361grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/' 1362echo send 1363) | $NSUPDATE 1364) 1365$DIG $DIGOPTS +dnssec a update-nsec3.example. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 1366grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1367grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1368grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 1369n=`expr $n + 1` 1370if [ $ret != 0 ]; then echo "I:failed"; fi 1371status=`expr $status + $ret` 1372 1373echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" 1374ret=0 1375$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 1376grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1377grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1378grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 1379n=`expr $n + 1` 1380if [ $ret != 0 ]; then echo "I:failed"; fi 1381status=`expr $status + $ret` 1382 1383echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" 1384ret=0 1385$DIG $DIGOPTS +dnssec a auto-nsec3.example. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 1386grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1387grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 1388grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 1389n=`expr $n + 1` 1390if [ $ret != 0 ]; then echo "I:failed"; fi 1391status=`expr $status + $ret` 1392 1393echo "I:checking that signing records have been marked as complete ($n)" 1394ret=0 1395checkprivate dynamic.example 10.53.0.3 || ret=1 1396checkprivate update-nsec3.example 10.53.0.3 || ret=1 1397checkprivate auto-nsec3.example 10.53.0.3 || ret=1 1398checkprivate expiring.example 10.53.0.3 || ret=1 1399checkprivate auto-nsec.example 10.53.0.3 || ret=1 1400n=`expr $n + 1` 1401if [ $ret != 0 ]; then echo "I:failed"; fi 1402status=`expr $status + $ret` 1403 1404echo "I:check that 'rndc signing' without arguments is handled ($n)" 1405ret=0 1406$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing > /dev/null 2>&1 && ret=1 1407$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1408n=`expr $n + 1` 1409if [ $ret != 0 ]; then echo "I:failed"; fi 1410status=`expr $status + $ret` 1411 1412echo "I:check that 'rndc signing -list' without zone is handled ($n)" 1413ret=0 1414$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list > /dev/null 2>&1 && ret=1 1415$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1416n=`expr $n + 1` 1417if [ $ret != 0 ]; then echo "I:failed"; fi 1418status=`expr $status + $ret` 1419 1420echo "I:check that 'rndc signing -clear' without additional arguments is handled ($n)" 1421ret=0 1422$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear > /dev/null 2>&1 && ret=1 1423$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1424n=`expr $n + 1` 1425if [ $ret != 0 ]; then echo "I:failed"; fi 1426status=`expr $status + $ret` 1427 1428echo "I:check that 'rndc signing -clear all' without zone is handled ($n)" 1429ret=0 
1430$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all > /dev/null 2>&1 && ret=1 1431$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1432n=`expr $n + 1` 1433if [ $ret != 0 ]; then echo "I:failed"; fi 1434status=`expr $status + $ret` 1435 1436echo "I:check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" 1437ret=0 1438$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param > /dev/null 2>&1 && ret=1 1439$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1440n=`expr $n + 1` 1441if [ $ret != 0 ]; then echo "I:failed"; fi 1442status=`expr $status + $ret` 1443 1444echo "I:check that 'rndc signing -nsec3param none' without zone is handled ($n)" 1445ret=0 1446$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none > /dev/null 2>&1 && ret=1 1447$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1448n=`expr $n + 1` 1449if [ $ret != 0 ]; then echo "I:failed"; fi 1450status=`expr $status + $ret` 1451 1452echo "I:check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" 1453ret=0 1454$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 1455$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1456n=`expr $n + 1` 1457if [ $ret != 0 ]; then echo "I:failed"; fi 1458status=`expr $status + $ret` 1459 1460echo "I:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" 1461ret=0 1462$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 1463$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 1464n=`expr $n + 1` 1465if [ $ret != 0 ]; then echo "I:failed"; fi 1466status=`expr $status + $ret` 1467 1468echo "I:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" 1469ret=0 1470$RNDC -c 
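../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
# whatever rndc did with the malformed request, the server must still answer
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
ret=0
# a request with no zone argument must be rejected (success here is a failure) ...
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
# ... and must not have taken the server down
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
# the NSEC3PARAM change is applied asynchronously; poll for up to 10 seconds
for i in 1 2 3 4 5 6 7 8 9 10; do
    salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
    if [ "$salt" = "FFFF" ]; then
        break
    fi
    echo "I:sleeping ...."
    sleep 1
done
[ "$salt" = "FFFF" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param' works without salt ($n)"
ret=0
# "-" requests an empty salt; dig +short shows an empty salt as "-" too
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10; do
    salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
    if [ "$salt" = "-" ]; then
        break
    fi
    echo "I:sleeping ...."
    sleep 1
done
[ "$salt" = "-" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check rndc signing -list output ($n)"
ret=0
# note the redirection order: only rndc's stdout lands in signing.out,
# its stderr stays on the console
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out
grep "No signing records found" signing.out > /dev/null 2>&1 || {
    ret=1
    sed 's/^/I:ns3 /' signing.out
}
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || {
    ret=1
    sed 's/^/I:ns3 /' signing.out
}
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:clear signing records ($n)"
# reset ret here: without it a failure of the previous check would be
# counted a second time against this one
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
grep "No signing records found" signing.out > /dev/null 2>&1 || {
    ret=1
    sed 's/^/I:ns3 /' signing.out
}
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that a insecure zone beneath a cname resolves ($n)"
ret=0
$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that a secure zone beneath a cname resolves ($n)"
ret=0
$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# SOA plus its RRSIG
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
# the answer must have validated (AD bit set)
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking dnskey query with no data still gets put in cache ($n)"
ret=0
myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
# the TTL (second field) of a cached record decreases between queries; three
# identical readings one second apart mean the data was not served from cache
firstVal=`$DIG $myDIGOPTS insecure.example. dnskey | awk '{ print $2 }'`
sleep 1
secondVal=`$DIG $myDIGOPTS insecure.example. dnskey | awk '{ print $2 }'`
if [ -z "$firstVal" ] || [ -z "$secondVal" ]; then
    # no TTL came back at all, so nothing can be said about the cache;
    # do not let an empty operand slip through the numeric comparison
    echo "I: no TTL in response"
    ret=1
elif [ "$firstVal" -eq "$secondVal" ]; then
    sleep 1
    thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey | awk '{ print $2 }'`
    if [ -z "$thirdVal" ] || [ "$firstVal" -eq "$thirdVal" ]; then
        echo "I: cannot confirm query answer still in cache"
        ret=1
    fi
fi
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
ret=0
# add an NSEC3PARAM record via dynamic update to trigger chain generation on ns2
(
echo zone nsec3chain-test
echo server 10.53.0.2 5300
echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
echo send
) | $NSUPDATE
# chain generation is slow; poll for up to 18 * 3 seconds
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
    $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
    if grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null; then
        break
    fi
    echo "I:sleeping ...."
    sleep 3
done
grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:nsec3 chain generation not complete"; fi
# give the NOTIFY-driven transfer to ns3 time to complete, then compare SOAs
sleep 3
$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check dnssec-dsfromkey from stdin ($n)"
ret=0
# DS records derived from the live DNSKEY RRset must match the dsset file
# produced when the zone was signed (diff -b ignores whitespace differences)
$DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \
    $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
diff -b dig.out.ns2.test$n ns1/dsset-algroll. > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)"
ret=0
$DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
# there must be a signature here
[ -s dig.out.ns3.test$n ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing new records are signed with 'no-resign' ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add new.nosign.example 300 in txt "hi there"
echo send
) | $NSUPDATE
sleep 1
$DIG +noall +answer +dnssec -p 5300 txt new.nosign.example @10.53.0.3 \
    > dig.out.ns3.test$n 2>&1
# the freshly added record must carry a signature
grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing expiring records aren't resigned with 'no-resign' ($n)"
ret=0
# collapse runs of blanks so the comparison with nosign.before is layout-insensitive
$DIG +noall +answer +dnssec +nottl -p 5300 nosign.example ns @10.53.0.3 | \
    grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
# the NS RRSIG should not be changed
cmp -s nosign.before dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing updates fail with no private key ($n)"
ret=0
# remove the zone's private key material: an update that cannot be signed
# must be refused rather than leaving an unsigned record in a signed zone
rm -f ns3/Knosign.example.*.private
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add fail.nosign.example 300 in txt "reject me"
echo send
) | $NSUPDATE > /dev/null 2>&1 && ret=1
$DIG +noall +answer +dnssec -p 5300 fail.nosign.example txt @10.53.0.3 \
    > dig.out.ns3.test$n 2>&1
# any answer at all means the rejected record was actually added
[ -s dig.out.ns3.test$n ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing legacy upper case signer name validation ($n)"
ret=0
$DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
    > dig.out.ns4.test$n 2>&1
grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
# the signer name in the RRSIG is expected to be served in upper case here
grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing that we lower case signer name ($n)"
ret=0
$DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
    > dig.out.ns4.test$n 2>&1
grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# checkttls FILE OP VALUE
# Check every TTL in a dig output file written with "+noall +answer" or
# "+noall +additional": the second field of each line.
# Arguments:
#   FILE  - the dig output file
#   OP    - a test(1) numeric operator (-eq, -le, -gt, ...)
#   VALUE - the number each TTL is compared against
# Returns 0 when FILE holds at least one TTL and every TTL satisfies
# "[ ttl OP VALUE ]", 1 otherwise.  An empty FILE is a failure: it means the
# query produced no records to check, which must not count as a pass.
# Written without "local" or $(...) to match the Bourne-compatible style of
# the rest of this script.
checkttls () {
    ttl_file=$1
    ttl_op=$2
    ttl_val=$3
    ttl_seen=0
    for ttl in `awk '{print $2}' $ttl_file`; do
        ttl_seen=1
        [ "$ttl" "$ttl_op" "$ttl_val" ] || return 1
    done
    [ $ttl_seen -eq 1 ]
}

echo "I:testing TTL is capped at RRSIG expiry time ($n)"
ret=0
# re-sign expiring.example on ns3 with signatures that expire in one minute
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
(
cd ns3 || exit 1
RANDFILE=../random.data
# put the parked key files back under their normal names before signing
for file in K*.moved; do
    [ -f "$file" ] || continue
    mv "$file" `basename "$file" .moved`
done
$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
) || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'

$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
# +cd bypasses validation and shows the zone's own TTL (300); without +cd the
# validator must cap the TTL at the remaining RRSIG lifetime (<= 60 s)
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
checkttls dig.out.ns4.1.$n -eq 300 || ret=1
checkttls dig.out.ns4.2.$n -le 60 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
checkttls dig.out.ns4.1.$n -eq 300 || ret=1
checkttls dig.out.ns4.2.$n -le 60 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# switch ns4 to its third configuration (presumably the one with
# dnssec-accept-expired enabled, judging by the checks that follow)
cp ns4/named3.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3

echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
checkttls dig.out.ns4.1.$n -eq 300 || ret=1
# with accept-expired the cap is relaxed: TTL must lie in (60, 120]
checkttls dig.out.ns4.2.$n -le 120 || ret=1
checkttls dig.out.ns4.2.$n -gt 60 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
checkttls dig.out.ns4.1.$n -eq 300 || ret=1
checkttls dig.out.ns4.2.$n -le 120 || ret=1
checkttls dig.out.ns4.2.$n -gt 60 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
checkttls dig.out.ns4.1.$n -eq 300 || ret=1
checkttls dig.out.ns4.2.$n -le 120 || ret=1
checkttls dig.out.ns4.2.$n -gt 60 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
exit $status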