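#!/bin/sh
#
# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id

# Inline-signing system test.  Every numbered check prints an "I:" line,
# records its verdict in $ret (0 = pass, 1 = fail) and adds it to $status.
# The tool variables ($RNDC, $DIG, ...) come from conf.sh.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# $DIGOPTS is expanded unquoted on purpose so that it splits into two options.
DIGOPTS="+tcp +dnssec"
# Entropy file handed to $KEYGEN -r later in the script.
# NOTE(review): presumably a fixture created by the test setup; keys derived
# from it are only suitable for these test zones.
RANDFILE=random.data

status=0
n=0

# The signer at 10.53.0.3 should report two completed signing records
# for zone "bits"; poll for up to 10 seconds.
n=`expr $n + 1`
echo "I:checking that the zone is signed on initial transfer ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
    # $keys stays unquoted below: some wc implementations pad the count.
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys = 2 ] || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Field 9 of an RRSIG line in dig output is the signature expiration time.
# NOTE(review): an empty $expiry (no RRSIG in the answer at all) also passes
# this check; consider additionally requiring a non-empty value.
n=`expr $n + 1`
echo "I:checking expired signatures are updated on load ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
[ "$expiry" = "20110101000000" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Only the first listed key is cleared here.  rndc's stderr is captured in a
# variable instead of piping the whole loop into sed: a loop on the left-hand
# side of a pipe runs in a subshell, so "ret=1" set inside it would be lost
# and a failing "signing -clear" would go unreported.
for key in $keys; do
    errs=`$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits 2>&1 > /dev/null` || ret=1
    if [ -n "$errs" ]; then echo "$errs" | sed 's/^/I:ns3 /'; fi
    break; # We only want to remove 1 record for now.
done

# Wait up to 10 seconds for exactly one signing record to remain.  $ans
# starts as "failed" and is cleared only on success, so a timeout is
# reported (previously $ans was never set to 1 and the check could not fail).
ans=1
for i in 1 2 3 4 5 6 7 8 9 10
do
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
    num=`grep "Done signing with" signing.out.test$n | wc -l`
    if [ $num = 1 ]; then ans=0; break; fi
    sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The answer from 10.53.0.6 must carry the AD flag and two records
# for the private type (TYPE65534).
n=`expr $n + 1`
echo "I:checking private type was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1

# Poll until the signer reports no signing records; $ans is 1 while the
# expected message is still missing.
for i in 1 2 3 4 5 6 7 8 9 10
do
    ans=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
    grep "No signing records found" signing.out.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With the private type records gone, the empty answer must still be
# authenticated (NOERROR, zero answers, AD flag set).
n=`expr $n + 1`
echo "I:checking negative private type response was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi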
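status=`expr $status + $ret`

# Add a record on the hidden master (10.53.0.2) for zone "bits".
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add added.bits 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo "I:checking that the record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# On the signer the same name must come back with two answer records
# (one on the hidden master); poll for up to 10 seconds.
n=`expr $n + 1`
echo "I:checking that update has been transfered and has been signed ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`

# The noixfr checks poll for up to 30 seconds instead of 10.
echo "I:checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys = 2 ] || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add added.noixfr 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo "I:checking that the record is added on the hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that update has been transfered and has been signed, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys = 2 ] || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
# This check used to print "I:failed" without adding to $status, so a zone
# that was never signed did not change the script's exit status.
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Only the first listed key is cleared here.  rndc's stderr is captured in a
# variable instead of piping the whole loop into sed: a loop on the left-hand
# side of a pipe runs in a subshell, so "ret=1" set inside it would be lost
# and a failing "signing -clear" would go unreported.
for key in $keys; do
    errs=`$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master 2>&1 > /dev/null` || ret=1
    if [ -n "$errs" ]; then echo "$errs" | sed 's/^/I:ns3 /'; fi
    break; # We only want to remove 1 record for now.
done

# Wait for exactly one signing record to remain.  $ans starts as "failed"
# and is cleared only on success, so a timeout is reported (previously $ans
# was never set to 1 and the check could not fail).
ans=1
for i in 1 2 3 4 5 6 7 8 9
do
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
    num=`grep "Done signing with" signing.out.test$n | wc -l`
    if [ $num = 1 ]; then ans=0; break; fi
    sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking private type was properly signed (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10
do
    ans=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
    grep "No signing records found" signing.out.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Replace the unsigned zone file with a prepared version and reload;
# e.master must then resolve to 10.0.0.5 with two answer records.
n=`expr $n + 1`
echo "I:check adding of record to unsigned master ($n)"
ret=0
cp ns3/master2.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
    grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Appending a record without touching the SOA serial must not publish it.
n=`expr $n + 1`
echo "I:check adding record fails when SOA serial not changed ($n)"
ret=0
echo "c A 10.0.0.3" >> ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload || ret=1
sleep 1
$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding record works after updating SOA serial ($n)"
ret=0
cp ns3/master3.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
    grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NOTE(review): the three greps below set $ans, but the verdict is read from
# $ret, so as written this check cannot fail.  The query also goes to
# 10.53.0.3 although the output file is named for ns6 and the other AD-flag
# checks in this script query 10.53.0.6.  Confirm the intended server before
# changing these to "ret=1"; behaviour is left untouched here.
n=`expr $n + 1`
echo "I:check the added record was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns6.test$n
grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the dynamic master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic > signing.out.test$n 2>&1
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys = 2 ] || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
# This check used to print "I:failed" without adding to $status, so a zone
# that was never signed did not change the script's exit status.
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking master zone that was updated while offline is correct ($n)"
ret=0
serial=`$DIG $DIGOPTS +short @10.53.0.3 -p 5300 updated SOA | awk '{print $3}'`
# serial should have changed
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.updated A > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).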
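# Continuation of the "updated while offline" check: $ret was initialised
# before this point.  The first journal line must carry the source serial
# and the whole journal listing may be at most 13 lines long.
serial=`$JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}'`
[ "$serial" = "2000042408" ] || ret=1
diffsize=`$JOURNALPRINT ns3/updated.db.signed.jnl | wc -l`
[ "$diffsize" -le 13 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking adding of record to unsigned master using UPDATE ($n)"
ret=0

# The unsigned zone's journal must be created by the update below,
# not be left over from an earlier step.
[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 5300
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }

for i in 1 2 3 4 5 6 7 8 9 10
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# After the restart, serial updates on the hidden masters must still
# propagate to the signed zones.
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# These updates are sent to the signer (10.53.0.3) rather than to the hidden
# master; the checks that follow look for the new serial on both.
$NSUPDATE << EOF
zone bits
server 10.53.0.3 5300
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
# Reset the verdict first: without this a failure of the previous check
# would be reported as "setup broken" and counted in $status a second time.
ret=0
# Precondition: before the configuration swap 10.53.0.5 serves "bits"
# with a single answer record.
$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:setup broken"; fi
status=`expr $status + $ret`
cp ns5/named.conf.post ns5/named.conf
# "cd ns5 &&" keeps key generation from running in the wrong directory if
# the cd fails.  The $KEYGEN output and exit status are discarded; a missing
# key shows up as a failure of the polling loop below.
(cd ns5 && $KEYGEN -q -r ../$RANDFILE bits) > /dev/null 2>&1
(cd ns5 && $KEYGEN -q -r ../$RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
    grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A freeze/thaw cycle with no edit in between must be logged as "unchanged".
n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || { echo "I: rndc freeze dynamic failed" ; sed 's/^/I:/' < freeze.test$n ; ret=1; }
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || { echo "I: rndc thaw dynamic failed" ; ret=1; }
sleep 1
grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`


n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1
sleep 1
# While the zone is frozen, rewrite its file: increment the number on the
# line tagged "; serial" and append a TXT record.
awk '$2 == ";" && $3 == "serial" { print $1 + 1, $2, $3; next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze1.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze1.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# allow 1 second so that file time stamps change
sleep 1

# Same edit as above, but freeze/thaw is issued without a zone name.
n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of server ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { print $1 + 1, $2, $3; next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze2.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze2.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
# The rndc output is captured before being prefixed: with the command on the
# left-hand side of a pipe, "ret=1" would be set in a subshell and lost, so a
# failed reload would go unreported.
out=`$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload 2>&1` || ret=1
if [ -n "$out" ]; then echo "$out" | sed 's/^/I:ns3 /'; fi
grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Both journals must exist before "sync -clean" and be gone afterwards.
n=`expr $n + 1`
echo "I:check rndc sync removes both signed and unsigned journals ($n)"
ret=0
[ -f ns3/dynamic.db.jnl ] || ret=1
[ -f ns3/dynamic.db.signed.jnl ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync -clean dynamic 2>&1 || ret=1
[ -f ns3/dynamic.db.jnl ] && ret=1
[ -f ns3/dynamic.db.signed.jnl ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone retransfer
server 10.53.0.2 5300
update add added.retransfer 0 A 1.2.3.4
send

EOF

n=`expr $n + 1`
echo "I:checking that the retransfer record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.retransfer A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Inverted check: the record must stay absent on the signer for the whole
# polling window, so leaving the loop with ans=0 (NOERROR seen) is a failure.
n=`expr $n + 1`
echo "I:checking that the change has not been transfered due to notify ($n)"
ret=0
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
if [ $ans != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`

echo "I:check rndc retransfer of a inline slave zone works ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
[ $ans = 1 ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The exit status is the number of failed checks.
exit $status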