1#!/bin/sh 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14set -e 15 16. ../conf.sh 17 18DIGOPTS="-p ${PORT}" 19RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" 20 21# 22# Uncomment when creating credential cache files. 23# 24# KRB5_CONFIG="$(pwd)/krb/krb5.conf" 25# 26# Cd krb and run krb/setup.sh to create new keys. 27# Run nsupdate system test. 28# Kill the krb5kdc server started by krb/setup.sh. 29# Check the expiry date on the cached machine.ccache with klist is in 2038. 30# Comment out KRB5_CONFIG. 31# Re-run nsupdate system test to confirm everything still works. 32# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files. 33# Clean up krb. 34# 35 36status=0 37n=0 38 39nextpartreset ns3/named.run 40 41# wait for zone transfer to complete 42tries=0 43while true; do 44 if [ $tries -eq 10 ]; then 45 exit 1 46 fi 47 48 if grep "example.nil/IN.*Transfer status" ns2/named.run >/dev/null; then 49 break 50 else 51 echo_i "zones are not fully loaded, waiting..." 52 tries=$((tries + 1)) 53 sleep 1 54 fi 55done 56 57has_positive_response() { 58 zone=$1 59 type=$2 60 ns=$3 61 $DIG $DIGOPTS +tcp +norec $zone $type @$ns >dig.out.post.test$n || return 1 62 grep "status: NOERROR" dig.out.post.test$n >/dev/null || return 1 63 grep "ANSWER: 0," dig.out.post.test$n >/dev/null && return 1 64 return 0 65} 66 67ret=0 68echo_i "fetching first copy of zone before update" 69$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. 
@10.53.0.1 axfr >dig.out.ns1 || ret=1 70[ $ret = 0 ] || { 71 echo_i "failed" 72 status=1 73} 74 75ret=0 76echo_i "fetching second copy of zone before update" 77$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 78[ $ret = 0 ] || { 79 echo_i "failed" 80 status=1 81} 82 83ret=0 84echo_i "comparing pre-update copies to known good data" 85digcomp knowngood.ns1.before dig.out.ns1 || ret=1 86digcomp knowngood.ns1.before dig.out.ns2 || ret=1 87[ $ret = 0 ] || { 88 echo_i "failed" 89 status=1 90} 91 92ret=0 93echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" 94$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1 95server 10.53.0.1 ${PORT} 96zone unconfigured.test 97update add unconfigured.test 600 IN A 10.53.0.1 98send 99END 100grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 101grep ' unconfigured.test: not authoritative' ns1/named.run \ 102 >/dev/null 2>&1 || ret=1 103[ $ret = 0 ] || { 104 echo_i "failed" 105 status=1 106} 107 108ret=0 109echo_i "ensure a subdomain is mentioned in its NOTAUTH log" 110$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1 111server 10.53.0.1 ${PORT} 112zone sub.sub.example.nil 113update add sub.sub.sub.example.nil 600 IN A 10.53.0.1 114send 115END 116grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 117grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ 118 >/dev/null 2>&1 || ret=1 119[ $ret = 0 ] || { 120 echo_i "failed" 121 status=1 122} 123 124ret=0 125echo_i "updating zone" 126# nsupdate will print a ">" prompt to stdout as it gets each input line. 127$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 128server 10.53.0.1 ${PORT} 129update add updated.example.nil. 600 A 10.10.10.1 130add updated.example.nil. 600 TXT Foo 131delete t.example.nil. 
132 133END 134[ $ret = 0 ] || { 135 echo_i "failed" 136 status=1 137} 138 139echo_i "sleeping 5 seconds for server to incorporate changes" 140sleep 5 141 142ret=0 143echo_i "fetching first copy of zone after update" 144$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 145[ $ret = 0 ] || { 146 echo_i "failed" 147 status=1 148} 149 150ret=0 151echo_i "fetching second copy of zone after update" 152$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 153[ $ret = 0 ] || { 154 echo_i "failed" 155 status=1 156} 157 158ret=0 159echo_i "comparing post-update copies to known good data" 160digcomp knowngood.ns1.after dig.out.ns1 || ret=1 161digcomp knowngood.ns1.after dig.out.ns2 || ret=1 162[ $ret = 0 ] || { 163 echo_i "failed" 164 status=1 165} 166 167ret=0 168echo_i "testing local update policy" 169pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1 170[ -z "$pre" ] || ret=1 171[ $ret = 0 ] || { 172 echo_i "failed" 173 status=1 174} 175 176ret=0 177echo_i "updating zone" 178# nsupdate will print a ">" prompt to stdout as it gets each input line. 179$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >/dev/null <<END || ret=1 180zone other.nil. 181update add new.other.nil. 600 IN A 10.10.10.1 182send 183END 184[ $ret = 0 ] || { 185 echo_i "failed" 186 status=1 187} 188 189echo_i "sleeping 5 seconds for server to incorporate changes" 190sleep 5 191 192ret=0 193echo_i "checking result of update" 194post=$($DIG $DIGOPTS +short new.other.nil. 
@10.53.0.1 a) || ret=1 195[ "$post" = "10.10.10.1" ] || ret=1 196[ $ret = 0 ] || { 197 echo_i "failed" 198 status=1 199} 200 201ret=0 202echo_i "comparing post-update copy to known good data" 203digcomp knowngood.ns1.after dig.out.ns1 || ret=1 204[ $ret = 0 ] || { 205 echo_i "failed" 206 status=1 207} 208 209ret=0 210echo_i "testing zone consistency checks" 211# inserting an NS record without a corresponding A or AAAA record should fail 212$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END && ret=1 213update add other.nil. 600 in ns ns3.other.nil. 214send 215END 216grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 217# ...but should work if an A record is inserted first: 218$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 219update add ns4.other.nil 600 in a 10.53.0.1 220send 221update add other.nil. 600 in ns ns4.other.nil. 222send 223END 224grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 225# ...or if an AAAA record does: 226$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 227update add ns5.other.nil 600 in aaaa 2001:db8::1 228send 229update add other.nil. 600 in ns ns5.other.nil. 230send 231END 232grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 233# ...or if the NS and A/AAAA are inserted together: 234$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 235update add other.nil. 600 in ns ns6.other.nil. 
236update add ns6.other.nil 600 in a 10.53.0.1 237send 238END 239grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 240[ $ret = 0 ] || { 241 echo_i "failed" 242 status=1 243} 244 245echo_i "sleeping 5 seconds for server to incorporate changes" 246sleep 5 247 248ret=0 249echo_i "checking result of update" 250$DIG $DIGOPTS +short @10.53.0.1 ns other.nil >dig.out.ns1 || ret=1 251grep ns3.other.nil dig.out.ns1 >/dev/null 2>&1 && ret=1 252grep ns4.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 253grep ns5.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 254grep ns6.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 255[ $ret = 0 ] || { 256 echo_i "failed" 257 status=1 258} 259 260ret=0 261echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning" 262$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END || ret=1 263server 10.53.0.1 ${PORT} 264update add mx03.example.nil 600 IN MX 10 10.53.0.1 265send 266END 267grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 268grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 && ret=1 269[ $ret = 0 ] || { 270 echo_i "failed" 271 status=1 272} 273 274ret=0 275echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning" 276$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 277update add mx03.other.nil 600 IN MX 10 10.53.0.1 278send 279END 280grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 281grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret=1 282[ $ret = 0 ] || { 283 echo_i "failed" 284 status=1 285} 286 287ret=0 288echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning" 289$NSUPDATE >nsupdate.out 2>&1 <<END && ret=1 290server 10.53.0.1 ${PORT} 291update add mx03.update.nil 600 IN MX 10 10.53.0.1 292send 293END 294grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 295grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || 
ret=1 296[ $ret = 0 ] || { 297 echo_i "failed" 298 status=1 299} 300 301ret=0 302echo_i "check SIG(0) key is accepted" 303key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx) 304echo "" | $NSUPDATE -k ${key}.private >/dev/null 2>&1 || ret=1 305[ $ret = 0 ] || { 306 echo_i "failed" 307 status=1 308} 309 310n=$((n + 1)) 311ret=0 312echo_i "check TYPE=0 update is rejected by nsupdate ($n)" 313$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1 314 server 10.53.0.1 ${PORT} 315 ttl 300 316 update add example.nil. in type0 "" 317 send 318END 319grep "unknown class/type" nsupdate.out >/dev/null 2>&1 || ret=1 320[ $ret = 0 ] || { 321 echo_i "failed" 322 status=1 323} 324 325n=$((n + 1)) 326ret=0 327echo_i "check TYPE=0 prerequisite is handled ($n)" 328$NSUPDATE -k ns1/ddns.key <<END >nsupdate.out 2>&1 || ret=1 329 server 10.53.0.1 ${PORT} 330 prereq nxrrset example.nil. type0 331 send 332END 333$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n 334grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 335[ $ret = 0 ] || { 336 echo_i "failed" 337 status=1 338} 339 340n=$((n + 1)) 341ret=0 342echo_i "check that TYPE=0 update is handled ($n)" 343echo "a0e4280000010000000100000000060001c00c000000fe000000000000" \ 344 | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 345$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n 346grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 347[ $ret = 0 ] || { 348 echo_i "failed" 349 status=1 350} 351 352n=$((n + 1)) 353ret=0 354echo_i "check that TYPE=0 additional data is handled ($n)" 355echo "a0e4280000010000000000010000060001c00c000000fe000000000000" \ 356 | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 357$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n 358grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 359[ $ret = 0 ] || { 360 echo_i "failed" 361 status=1 362} 363 364n=$((n + 1)) 365ret=0 366echo_i "check that update to 
undefined class is handled ($n)" 367echo "a0e4280000010001000000000000060101c00c000000fe000000000000" \ 368 | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 369$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n 370grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 371[ $ret = 0 ] || { 372 echo_i "failed" 373 status=1 374} 375 376n=$((n + 1)) 377ret=0 378echo_i "check that address family mismatch is handled ($n)" 379$NSUPDATE <<END >/dev/null 2>&1 && ret=1 380server ::1 381local 127.0.0.1 382update add 600 txt.example.nil in txt "test" 383send 384END 385[ $ret = 0 ] || { 386 echo_i "failed" 387 status=1 388} 389 390n=$((n + 1)) 391ret=0 392echo_i "check that unixtime serial number is correctly generated ($n)" 393$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 >dig.out.old.test$n || ret=1 394oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1 395start=$($PERL -e 'print time()."\n";') 396$NSUPDATE <<END >/dev/null 2>&1 || ret=1 397 server 10.53.0.1 ${PORT} 398 ttl 600 399 update add new.unixtime.nil in a 1.2.3.4 400 send 401END 402now=$($PERL -e 'print time()."\n";') 403sleep 1 404$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 >dig.out.new.test$n || ret=1 405serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1 406[ "$oldserial" = "$serial" ] && { 407 echo_i "oldserial == serial" 408 ret=1 409} 410if [ "$serial" -lt "$start" ]; then 411 echo_i "out-of-range serial=$serial < start=$start" 412 ret=1 413elif [ "$serial" -gt "$now" ]; then 414 echo_i "out-of-range serial=$serial > now=$now" 415 ret=1 416fi 417[ $ret = 0 ] || { 418 echo_i "failed" 419 status=1 420} 421 422if $PERL -e 'use Net::DNS;' 2>/dev/null; then 423 n=$((n + 1)) 424 ret=0 425 echo_i "running update.pl test ($n)" 426 $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. 
>perl.update_test.out || ret=1 427 [ $ret -eq 1 ] && { 428 echo_i "failed" 429 status=1 430 } 431 432 if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' >/dev/null; then 433 n=$((n + 1)) 434 ret=0 435 echo_i "check for too many NSEC3 iterations log ($n)" 436 grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run >/dev/null || ret=1 437 [ $ret -eq 1 ] && { 438 echo_i "failed" 439 status=1 440 } 441 fi 442else 443 echo_i "The second part of this test requires the Net::DNS library." >&2 444fi 445 446n=$((n + 1)) 447ret=0 448echo_i "fetching first copy of test zone ($n)" 449$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 450[ $ret = 0 ] || { 451 echo_i "failed" 452 status=1 453} 454 455n=$((n + 1)) 456ret=0 457echo_i "fetching second copy of test zone ($n)" 458$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 459[ $ret = 0 ] || { 460 echo_i "failed" 461 status=1 462} 463 464n=$((n + 1)) 465ret=0 466echo_i "comparing zones ($n)" 467digcomp dig.out.ns1 dig.out.ns2 || ret=1 468[ $ret = 0 ] || { 469 echo_i "failed" 470 status=1 471} 472 473echo_i "SIGKILL and restart server ns1" 474cd ns1 475kill -KILL $(cat named.pid) 476rm named.pid 477cd .. 478sleep 10 479if 480 start_server --noclean --restart --port ${PORT} ns1 481then 482 echo_i "restarted server ns1" 483else 484 echo_i "could not restart server ns1" 485 exit 1 486fi 487sleep 10 488 489n=$((n + 1)) 490ret=0 491echo_i "fetching ns1 after hard restart ($n)" 492$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. 
@10.53.0.1 axfr >dig.out.ns1.after || ret=1 493[ $ret = 0 ] || { 494 echo_i "failed" 495 status=1 496} 497 498n=$((n + 1)) 499ret=0 500echo_i "comparing zones ($n)" 501digcomp dig.out.ns1 dig.out.ns1.after || ret=1 502[ $ret = 0 ] || { 503 echo_i "failed" 504 status=1 505} 506 507echo_i "begin RT #482 regression test" 508 509n=$((n + 1)) 510ret=0 511echo_i "update primary ($n)" 512$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 513server 10.53.0.1 ${PORT} 514update add updated2.example.nil. 600 A 10.10.10.2 515update add updated2.example.nil. 600 TXT Bar 516update delete c.example.nil. 517send 518END 519[ $ret = 0 ] || { 520 echo_i "failed" 521 status=1 522} 523 524sleep 5 525 526echo_i "SIGHUP secondary" 527kill -HUP $(cat ns2/named.pid) 528 529sleep 5 530 531n=$((n + 1)) 532ret=0 533echo_i "update primary again ($n)" 534$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 535server 10.53.0.1 ${PORT} 536update add updated3.example.nil. 600 A 10.10.10.3 537update add updated3.example.nil. 600 TXT Zap 538del d.example.nil. 539send 540END 541[ $ret = 0 ] || { 542 echo_i "failed" 543 status=1 544} 545 546sleep 5 547 548echo_i "SIGHUP secondary again" 549kill -HUP $(cat ns2/named.pid) 550 551sleep 5 552 553n=$((n + 1)) 554echo_i "check to 'out of sync' message ($n)" 555if grep "out of sync" ns2/named.run; then 556 echo_i "failed (found 'out of sync')" 557 status=1 558fi 559 560echo_i "end RT #482 regression test" 561 562n=$((n + 1)) 563ret=0 564echo_i "remove nonexistent PTR record ($n)" 565$NSUPDATE -k ns1/ddns.key -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 566server 10.53.0.1 ${PORT} 567zone example.nil. 568update delete nonexistent.example.nil. 0 IN PTR foo. 569send 570EOF 571[ $ret = 0 ] || { 572 echo_i "failed" 573 status=1 574} 575 576n=$((n + 1)) 577ret=0 578echo_i "remove nonexistent SRV record ($n)" 579$NSUPDATE -k ns1/ddns.key -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 580server 10.53.0.1 ${PORT} 581zone example.nil. 
582update delete nonexistent.example.nil. 0 IN SRV 0 0 0 foo. 583send 584EOF 585[ $ret = 0 ] || { 586 echo_i "failed" 587 status=1 588} 589 590n=$((n + 1)) 591ret=0 592echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)" 593$NSUPDATE <<EOF 594server 10.53.0.3 ${PORT} 595update add example 3600 nsec3param 1 0 0 - 596send 597EOF 598 599# the zone is not signed. The nsec3param records should be removed. 600# this also proves that the server is still running. 601$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example. @10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 602grep "ANSWER: 0," dig.out.ns3.$n >/dev/null || ret=1 603grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 604[ $ret = 0 ] || { 605 echo_i "failed" 606 status=1 607} 608 609n=$((n + 1)) 610ret=0 611echo_i "change the NSEC3PARAM ttl via update ($n)" 612$NSUPDATE <<EOF 613server 10.53.0.3 ${PORT} 614update add nsec3param.test 3600 NSEC3PARAM 1 0 1 - 615send 616EOF 617 618$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test. @10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 619grep "ANSWER: 1," dig.out.ns3.$n >/dev/null || ret=1 620grep "3600.*NSEC3PARAM" dig.out.ns3.$n >/dev/null || ret=1 621grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 622[ $ret = 0 ] || { 623 echo_i "failed" 624 status=1 625} 626 627n=$((n + 1)) 628ret=0 629echo_i "add a new NSEC3PARAM via update ($n)" 630$NSUPDATE <<EOF 631server 10.53.0.3 ${PORT} 632update add nsec3param.test 3600 NSEC3PARAM 1 0 4 - 633send 634EOF 635 636_ret=1 637for i in 0 1 2 3 4 5 6 7 8 9; do 638 $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. 
NSEC3PARAM >dig.out.ns3.$n || _ret=1 639 if grep "ANSWER: 2," dig.out.ns3.$n >/dev/null; then 640 _ret=0 641 break 642 fi 643 sleep 1 644done 645 646if [ $_ret -ne 0 ]; then ret=1; fi 647grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n >/dev/null || ret=1 648grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 649if [ $ret != 0 ]; then 650 echo_i "failed" 651 status=$((ret + status)) 652fi 653 654n=$((n + 1)) 655ret=0 656echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)" 657$NSUPDATE <<EOF 658server 10.53.0.3 ${PORT} 659update delete nsec3param.test NSEC3PARAM 660update add nsec3param.test 7200 NSEC3PARAM 1 0 5 - 661send 662EOF 663 664_ret=1 665for i in 0 1 2 3 4 5 6 7 8 9; do 666 $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM >dig.out.ns3.$n || _ret=1 667 if grep "ANSWER: 1," dig.out.ns3.$n >/dev/null; then 668 _ret=0 669 break 670 fi 671 sleep 1 672done 673 674if [ $_ret -ne 0 ]; then ret=1; fi 675grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n >/dev/null || ret=1 676grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 677$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl >jp.out.ns3.$n 678# intermediate TTL changes. 679grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n >/dev/null || ret=1 680grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n >/dev/null || ret=1 681# delayed adds and deletes. 682grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n >/dev/null || ret=1 683grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n >/dev/null || ret=1 684grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n >/dev/null || ret=1 685if [ $ret != 0 ]; then 686 echo_i "failed" 687 status=$((ret + status)) 688fi 689 690ret=0 691echo_i "testing that rndc stop updates the file" 692$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 693server 10.53.0.1 ${PORT} 694update add updated4.example.nil. 
600 A 10.10.10.3 695send 696END 697sleep 3 698stop_server --use-rndc --port ${CONTROLPORT} ns1 699sleep 3 700# Removing the journal file and restarting the server means 701# that the data served by the new server process are exactly 702# those dumped to the file by "rndc stop". 703rm -f ns1/*jnl 704start_server --noclean --restart --port ${PORT} ns1 705for try in 0 1 2 3 4 5 6 7 8 9; do 706 iret=0 707 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 708 updated4.example.nil. @10.53.0.1 a >dig.out.ns1 || iret=1 709 digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 710 [ "$iret" -eq 0 ] && break 711 sleep 1 712done 713[ "$iret" -ne 0 ] && ret=1 714[ "$ret" -eq 0 ] || { 715 echo_i "failed" 716 status=1 717} 718 719ret=0 720echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file" 721$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2>nsupdate.out </dev/null && ret=1 722grep ns1/nonexistent.key nsupdate.out >/dev/null || ret=1 723if test $ret -ne 0; then 724 echo_i "failed" 725 status=1 726fi 727 728n=$((n + 1)) 729ret=0 730echo_i "check that 'update-policy local' works from localhost address ($n)" 731$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END || ret=1 732server 10.53.0.5 ${PORT} 733local 127.0.0.1 734update add fromlocal.local.nil. 600 A 1.2.3.4 735send 736END 737grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 738$DIG $DIGOPTS @10.53.0.5 \ 739 +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 740 fromlocal.local.nil. 
>dig.out.ns5.$n || ret=1 741grep fromlocal dig.out.ns5.$n >/dev/null 2>&1 || ret=1 742if test $ret -ne 0; then 743 echo_i "failed" 744 status=1 745fi 746 747n=$((n + 1)) 748ret=0 749echo_i "check that 'update-policy local' fails from non-localhost address ($n)" 750grep 'match on session key not from localhost' ns5/named.run >/dev/null && ret=1 751$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END && ret=1 752server 10.53.0.5 ${PORT} 753local 10.53.0.1 754update add nonlocal.local.nil. 600 A 4.3.2.1 755send 756END 757grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 758grep 'match on session key not from localhost' ns5/named.run >/dev/null || ret=1 759$DIG $DIGOPTS @10.53.0.5 \ 760 +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 761 nonlocal.local.nil. >dig.out.ns5.$n || ret=1 762grep nonlocal dig.out.ns5.$n >/dev/null 2>&1 && ret=1 763if test $ret -ne 0; then 764 echo_i "failed" 765 status=1 766fi 767 768n=$((n + 1)) 769ret=0 770echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)" 771$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1 772server 10.53.0.6 ${PORT} 773local 127.0.0.1 774update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. 775send 776END 777grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 778$DIG $DIGOPTS @10.53.0.6 \ 779 +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 780 -x 127.0.0.1 >dig.out.ns6.$n 781grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 782if test $ret -ne 0; then 783 echo_i "failed" 784 status=1 785fi 786 787n=$((n + 1)) 788ret=0 789echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)" 790$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1 791server 10.53.0.6 ${PORT} 792local 127.0.0.1 793update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. 
794send 795END 796grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 797$DIG $DIGOPTS @10.53.0.6 \ 798 +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 799 -x 127.0.0.1 >dig.out.ns6.$n || ret=1 800grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 801if test $ret -ne 0; then 802 echo_i "failed" 803 status=1 804fi 805 806n=$((n + 1)) 807ret=0 808echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)" 809$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END && ret=1 810server 10.53.0.6 ${PORT} 811local 127.0.0.1 812update add 1.0.168.192.in-addr.arpa. 600 PTR localhost. 813send 814END 815grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 816$DIG $DIGOPTS @10.53.0.6 \ 817 +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ 818 -x 192.168.0.1 >dig.out.ns6.$n 819grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 820if test $ret -ne 0; then 821 echo_i "failed" 822 status=1 823fi 824 825n=$((n + 1)) 826ret=0 827echo_i "check that 'update-policy subdomain' is properly enforced ($n)" 828# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" 829# and thus this UPDATE should succeed. 830$NSUPDATE -d <<END >nsupdate.out1-$n 2>&1 || ret=1 831server 10.53.0.1 ${PORT} 832key restricted.example.nil 1234abcd8765 833update add restricted.example.nil 0 IN TXT everywhere. 834send 835END 836$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT >dig.out.1.test$n || ret=1 837grep "TXT.*everywhere" dig.out.1.test$n >/dev/null || ret=1 838# "example.nil" does not match "grant ... subdomain restricted.example.nil" and 839# thus this UPDATE should fail. 840$NSUPDATE -d <<END >nsupdate.out2-$n 2>&1 && ret=1 841server 10.53.0.1 ${PORT} 842key restricted.example.nil 1234abcd8765 843update add example.nil 0 IN TXT everywhere. 
844send 845END 846$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT >dig.out.2.test$n || ret=1 847grep "TXT.*everywhere" dig.out.2.test$n >/dev/null && ret=1 848[ $ret = 0 ] || { 849 echo_i "failed" 850 status=1 851} 852 853n=$((n + 1)) 854ret=0 855echo_i "check that 'update-policy zonesub' is properly enforced ($n)" 856# grant zonesub-key.example.nil zonesub TXT; 857# the A record update should be rejected as it is not in the type list 858$NSUPDATE -d <<END >nsupdate.out1-$n 2>&1 && ret=1 859server 10.53.0.1 ${PORT} 860key zonesub-key.example.nil 1234subk8765 861update add zonesub.example.nil 0 IN A 1.2.3.4 862send 863END 864$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A >dig.out.1.test$n || ret=1 865grep "status: REFUSED" nsupdate.out1-$n >/dev/null || ret=1 866grep "ANSWER: 0," dig.out.1.test$n >/dev/null || ret=1 867# the TXT record update should be accepted as it is in the type list 868$NSUPDATE -d <<END >nsupdate.out2-$n 2>&1 || ret=1 869server 10.53.0.1 ${PORT} 870key zonesub-key.example.nil 1234subk8765 871update add zonesub.example.nil 0 IN TXT everywhere. 
872send 873END 874$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT >dig.out.2.test$n || ret=1 875grep "status: REFUSED" nsupdate.out2-$n >/dev/null && ret=1 876grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1 877grep "TXT.*everywhere" dig.out.2.test$n >/dev/null || ret=1 878[ $ret = 0 ] || { 879 echo_i "failed" 880 status=1 881} 882 883n=$((n + 1)) 884ret=0 885echo_i "check 'grant' in deny name + grant subdomain ($n)" 886$NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 887key hmac-sha256:subkey 1234abcd8765 888server 10.53.0.9 ${PORT} 889zone denyname.example 890update add foo.denyname.example 3600 IN TXT added 891send 892EOF 893$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT >dig.out.ns9.test$n 894grep "added" dig.out.ns9.test$n >/dev/null || ret=1 895[ $ret = 0 ] || { 896 echo_i "failed" 897 status=1 898} 899 900n=$((n + 1)) 901ret=0 902echo_i "check 'deny' in deny name + grant subdomain ($n)" 903$NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 904key hmac-sha256:subkey 1234abcd8765 905server 10.53.0.9 ${PORT} 906zone denyname.example 907update add denyname.example 3600 IN TXT added 908send 909EOF 910$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT >dig.out.ns9.test$n 911grep "added" dig.out.ns9.test$n >/dev/null && ret=1 912[ $ret = 0 ] || { 913 echo_i "failed" 914 status=1 915} 916 917n=$((n + 1)) 918ret=0 919echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" 920$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ 921 @10.53.0.3 dnskey \ 922 | awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } 923 $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 } 924 END { print "send" }' >update.in.$n 925$NSUPDATE update.in.$n 926 927$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. 
\ 928 @10.53.0.3 any >dig.out.ns3.$n 929 930grep "600.*DNSKEY" dig.out.ns3.$n >/dev/null || ret=1 931grep TYPE65534 dig.out.ns3.$n >/dev/null && ret=1 932if test $ret -ne 0; then 933 echo_i "failed" 934 status=1 935fi 936 937n=$((n + 1)) 938ret=0 939echo_i "check notify with TSIG worked ($n)" 940# if the alternate view received a notify--meaning, the notify was 941# validly signed by "altkey"--then the zonefile update.alt.bk will 942# will have been created. 943[ -f ns2/update.alt.bk ] || ret=1 944if [ $ret -ne 0 ]; then 945 echo_i "failed" 946 status=1 947fi 948 949n=$((n + 1)) 950ret=0 951echo_i "check type list options ($n)" 952$NSUPDATE -T >typelist.out.T.${n} || { 953 ret=1 954 echo_i "nsupdate -T failed" 955} 956$NSUPDATE -P >typelist.out.P.${n} || { 957 ret=1 958 echo_i "nsupdate -P failed" 959} 960$NSUPDATE -TP >typelist.out.TP.${n} || { 961 ret=1 962 echo_i "nsupdate -TP failed" 963} 964grep ANY typelist.out.T.${n} >/dev/null && { 965 ret=1 966 echo_i "failed: ANY found (-T)" 967} 968grep ANY typelist.out.P.${n} >/dev/null && { 969 ret=1 970 echo_i "failed: ANY found (-P)" 971} 972grep ANY typelist.out.TP.${n} >/dev/null && { 973 ret=1 974 echo_i "failed: ANY found (-TP)" 975} 976grep KEYDATA typelist.out.T.${n} >/dev/null && { 977 ret=1 978 echo_i "failed: KEYDATA found (-T)" 979} 980grep KEYDATA typelist.out.P.${n} >/dev/null && { 981 ret=1 982 echo_i "failed: KEYDATA found (-P)" 983} 984grep KEYDATA typelist.out.TP.${n} >/dev/null && { 985 ret=1 986 echo_i "failed: KEYDATA found (-TP)" 987} 988grep AAAA typelist.out.T.${n} >/dev/null || { 989 ret=1 990 echo_i "failed: AAAA not found (-T)" 991} 992grep AAAA typelist.out.P.${n} >/dev/null && { 993 ret=1 994 echo_i "failed: AAAA found (-P)" 995} 996grep AAAA typelist.out.TP.${n} >/dev/null || { 997 ret=1 998 echo_i "failed: AAAA not found (-TP)" 999} 1000if [ $ret -ne 0 ]; then 1001 echo_i "failed" 1002 status=1 1003fi 1004 1005n=$((n + 1)) 1006ret=0 1007echo_i "check command list ($n)" 1008( 1009 while 
read cmd; do 1010 { 1011 echo "$cmd" | $NSUPDATE >/dev/null 2>&1 1012 rc=$? 1013 } || true 1014 if test $rc -gt 1; then 1015 echo_i "failed ($cmd)" 1016 ret=1 1017 fi 1018 { 1019 echo "$cmd " | $NSUPDATE >/dev/null 2>&1 1020 rc=$? 1021 } || true 1022 if test $rc -gt 1; then 1023 echo_i "failed ($cmd)" 1024 ret=1 1025 fi 1026 done 1027 exit $ret 1028) <commandlist || ret=1 1029if [ $ret -ne 0 ]; then 1030 status=1 1031fi 1032 1033n=$((n + 1)) 1034ret=0 1035 1036n=$((n + 1)) 1037ret=0 1038echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)" 1039if $FEATURETEST --md5; then 1040 ALGS="157 161 162 163 164 165" 1041else 1042 ALGS="161 162 163 164 165" 1043 echo_i "skipping disabled md5 (157) algorithm" 1044fi 1045for alg in $ALGS; do 1046 $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END >nsupdate.alg-$alg.out 2>&1 || ret=1 1047server 10.53.0.1 ${PORT} 1048update add ${alg}.keytests.nil. 600 A 10.10.10.3 1049send 1050END 1051done 1052sleep 2 1053for alg in $ALGS; do 1054 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 1055 grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out >/dev/null || ret=1 1056done 1057if [ $ret -ne 0 ]; then 1058 echo_i "failed" 1059 status=1 1060fi 1061 1062n=$((n + 1)) 1063ret=0 1064 1065echo_i "check TSIG key algorithms (nsupdate -k) ($n)" 1066if $FEATURETEST --md5; then 1067 ALGS="md5 sha1 sha224 sha256 sha384 sha512" 1068else 1069 ALGS="sha1 sha224 sha256 sha384 sha512" 1070 echo_i "skipping disabled md5 algorithm" 1071fi 1072for alg in $ALGS; do 1073 $NSUPDATE -k ns1/${alg}.key <<END >/dev/null || ret=1 1074server 10.53.0.1 ${PORT} 1075update add ${alg}.keytests.nil. 
600 A 10.10.10.3 1076send 1077END 1078done 1079sleep 2 1080for alg in $ALGS; do 1081 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 1082done 1083if [ $ret -ne 0 ]; then 1084 echo_i "failed" 1085 status=1 1086fi 1087 1088n=$((n + 1)) 1089ret=0 1090echo_i "check TSIG key algorithms (nsupdate -y) ($n)" 1091for alg in md5 sha1 sha224 sha256 sha384 sha512; do 1092 secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) 1093 $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END >/dev/null || ret=1 1094server 10.53.0.1 ${PORT} 1095update add ${alg}.keytests.nil. 600 A 10.10.10.50 1096send 1097END 1098done 1099sleep 2 1100for alg in md5 sha1 sha224 sha256 sha384 sha512; do 1101 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 >/dev/null 2>&1 || ret=1 1102done 1103if [ $ret -ne 0 ]; then 1104 echo_i "failed" 1105 status=1 1106fi 1107 1108n=$((n + 1)) 1109ret=0 1110echo_i "check that ttl is capped by max-ttl ($n)" 1111$NSUPDATE <<END >/dev/null || ret=1 1112server 10.53.0.1 ${PORT} 1113update add cap.max-ttl.nil. 600 A 10.10.10.3 1114update add nocap.max-ttl.nil. 150 A 10.10.10.3 1115send 1116END 1117sleep 2 1118$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" >/dev/null 2>&1 || ret=1 1119$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" >/dev/null 2>&1 || ret=1 1120if [ $ret -ne 0 ]; then 1121 echo_i "failed" 1122 status=1 1123fi 1124 1125n=$((n + 1)) 1126ret=0 1127echo_i "add a record which is truncated when logged. 
($n)" 1128$NSUPDATE verylarge || ret=1 1129$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil >dig.out.ns1.test$n 1130grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 1131grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run >/dev/null || ret=1 1132if [ $ret -ne 0 ]; then 1133 echo_i "failed" 1134 status=1 1135fi 1136 1137n=$((n + 1)) 1138ret=0 1139echo_i "check that yyyymmddvv serial number is correctly generated ($n)" 1140oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1 1141$NSUPDATE <<END >/dev/null 2>&1 || ret=1 1142 server 10.53.0.1 ${PORT} 1143 ttl 600 1144 update add new.yyyymmddvv.nil in a 1.2.3.4 1145 send 1146END 1147now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') 1148sleep 1 1149serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1 1150[ "$oldserial" -ne "$serial" ] || ret=1 1151[ "$serial" -eq "$now" ] || ret=1 1152[ $ret = 0 ] || { 1153 echo_i "failed" 1154 status=1 1155} 1156 1157# 1158# Refactor to use perl to launch the parallel updates. 
# The shell-level fan-out below is disabled (if false) until that refactor
# happens; it is kept as a sketch of the intended load test.
if false; then
  n=$((n + 1))
  echo_i "send many simultaneous updates via a update forwarder ($n)"
  ret=0
  # 8 x 8 nested background subshells: 64 concurrent updates are sent to
  # the forwarder (10.53.0.3), each adding one A record under many.test.
  for i in 0 1 2 3 4 5 6 7; do
    (
      for j in 0 1 2 3 4 5 6 7; do
        (
          $NSUPDATE <<EOF
server 10.53.0.3 ${PORT}
zone many.test
update add $i-$j.many.test 0 IN A 1.2.3.4
send
EOF
        ) &
      done
      wait
    ) &
  done
  wait
  # NOTE(review): bare "dig" without $DIG/$DIGOPTS -- this would query
  # port 53 instead of ${PORT} if the block were ever re-enabled.
  dig axfr many.test @10.53.0.1 >dig.out.test$n
  # every one of the 64 forwarded updates must have reached the primary
  lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n)
  test ${lines:-0} -eq 64 || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }
fi

# max-journal-size bounds how much disk a busy dynamic zone's journal can
# consume: grow the journal past the limit, then check that named trims it.
n=$((n + 1))
echo_i "check max-journal-size limits ($n)"
ret=0
rm -f nsupdate.out1-$n
# add one record
# NOTE(review): the nsupdate calls in this test carry no "|| ret=1", so
# with "set -e" a non-zero exit aborts the whole run instead of marking
# this single test failed.
$NSUPDATE <<EOF >>nsupdate.out1-$n 2>&1
server 10.53.0.1 ${PORT}
zone maxjournal.test
update add z.maxjournal.test 300 IN A 10.20.30.40
send
EOF
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
  # repeatedly add and remove the same set of records to fill up
  # the journal file without changing the zone content
  $NSUPDATE <<EOF >>nsupdate.out1-$n 2>&1
server 10.53.0.1 ${PORT}
zone maxjournal.test
update add a.maxjournal.test 300 IN A 1.2.3.4
update add b.maxjournal.test 300 IN A 1.2.3.4
update add c.maxjournal.test 300 IN A 1.2.3.4
update add d.maxjournal.test 300 IN A 1.2.3.4
send
update del a.maxjournal.test
update del b.maxjournal.test
update del c.maxjournal.test
update del d.maxjournal.test
send
EOF
done
# check that the journal is big enough to require truncation.
# (the 6000/5000 byte thresholds bracket the configured max-journal-size,
# presumably set in ns1's named.conf -- not visible from here)
size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
[ "$size" -gt 6000 ] || ret=1
sleep 1
# force the zone to be written out; the journal should be compacted after this
$RNDCCMD 10.53.0.1 sync maxjournal.test
#######################################
# Predicate for retry_quiet: true once the journal has shrunk below 5000
# bytes. The body is a subshell "( ... )" so the inner "size" does not
# clobber the caller's variable.
# Returns: 0 when ns1/maxjournal.db.jnl is smaller than 5000 bytes
#######################################
check_size_lt_5000() (
  size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
  [ "$size" -lt 5000 ]
)
retry_quiet 20 check_size_lt_5000 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# check-names is nsupdate's client-side hostname sanity check: "#" is not a
# valid owner for an A record and "#" is not a valid MX target. Each case is
# run twice, once expecting rejection and once with "check-names off"
# expecting the diagnostic to disappear.
n=$((n + 1))
echo_i "check check-names processing ($n)"
ret=0
$NSUPDATE <<EOF >nsupdate.out1-$n 2>&1 && ret=1
update add # 0 in a 1.2.3.4
EOF
grep "bad owner" nsupdate.out1-$n >/dev/null || ret=1

$NSUPDATE <<EOF >nsupdate.out2-$n 2>&1 || ret=1
check-names off
update add # 0 in a 1.2.3.4
EOF
grep "bad owner" nsupdate.out2-$n >/dev/null && ret=1

$NSUPDATE <<EOF >nsupdate.out3-$n 2>&1 && ret=1
update add . 0 in mx 0 #
EOF
grep "bad name" nsupdate.out3-$n >/dev/null || ret=1

$NSUPDATE <<EOF >nsupdate.out4-$n 2>&1 || ret=1
check-names off
update add . 0 in mx 0 #
EOF
grep "bad name" nsupdate.out4-$n >/dev/null && ret=1

[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Adding NS records below the apex creates a delegation: a later NS query
# for the child must come back as a referral (records in AUTHORITY, not
# ANSWER), which is why "AUTHORITY: 2" is the success criterion.
n=$((n + 1))
echo_i "check adding of delegating NS records processing ($n)"
ret=0
$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update add child.delegation.test. 3600 NS foo.example.net.
update add child.delegation.test. 3600 NS bar.example.net.
send
EOF
$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1
grep "AUTHORITY: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Removing the same NS records must remove the delegation again: the child
# name then no longer exists (NXDOMAIN).
n=$((n + 1))
echo_i "check deleting of delegating NS records processing ($n)"
ret=0
$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
EOF
$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n
grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# max-records caps zone growth through dynamic update (a resource-exhaustion
# guard). too-big.test is configured with max-records 3 and already holds
# enough records that one more pushes it to 4: the update must fail with
# SERVFAIL, the record must not appear, and named must log the reason.
n=$((n + 1))
echo_i "check that adding too many records is blocked ($n)"
ret=0
$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone too-big.test.
update add r1.too-big.test 3600 IN TXT r1.too-big.test
send
EOF
grep "update failed: SERVFAIL" nsupdate.out.test$n >/dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT >dig.out.ns3.test$n
grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
grep "records in zone (4) exceeds max-records (3)" ns3/named.run >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# The next five tests send an update to 10.53.0.4, which never answers, and
# measure wall-clock time to confirm nsupdate honours its timeout/retry
# options (-u per-try UDP interval, -t total timeout, -r retries). Each run
# must end with a "timed out" diagnostic and must not surface a "not
# implemented" error. The elapsed windows are deliberately loose to absorb
# scheduling jitter.
n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover (UDP with defaults) ($n)"
t1=$($PERL -e 'print time()')
$NSUPDATE <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
t2=$($PERL -e 'print time()')
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1
elapsed=$((t2 - t1))
# Check that default timeout value is respected, there should be 4 tries with 3 seconds each.
test $elapsed -lt 12 && ret=1
test $elapsed -gt 15 && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout) ($n)"
t1=$($PERL -e 'print time()')
$NSUPDATE -u 4 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
t2=$($PERL -e 'print time()')
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1
elapsed=$((t2 - t1))
# Check that given timeout value is respected, there should be 2 tries with 4 seconds each.
test $elapsed -lt 8 && ret=1
test $elapsed -gt 12 && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover (UDP with -t timeout) ($n)"
t1=$($PERL -e 'print time()')
$NSUPDATE -u 0 -t 8 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
t2=$($PERL -e 'print time()')
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1
elapsed=$((t2 - t1))
# Check that the given timeout value is respected: with -u 0 the per-try UDP
# interval is derived from -t and -r, so -t 8 over 2 tries is 4 seconds each.
test $elapsed -lt 8 && ret=1
test $elapsed -gt 12 && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout -t timeout) ($n)"
t1=$($PERL -e 'print time()')
$NSUPDATE -u 4 -t 30 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
t2=$($PERL -e 'print time()')
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1
elapsed=$((t2 - t1))
# Check that given timeout value is respected, there should be 2 tries with 4 seconds each, as -u takes precedence over -t.
test $elapsed -lt 8 && ret=1
test $elapsed -gt 12 && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# TCP variant (-v): no UDP retries apply, so -t alone bounds the attempt.
n=$((n + 1))
ret=0
echo_i "check whether valid addresses are used for primary failover (TCP with -t timeout) ($n)"
t1=$($PERL -e 'print time()')
$NSUPDATE -t 8 -v <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.4 ${PORT}
zone unreachable.
update add unreachable. 600 A 192.0.2.1
send
END
t2=$($PERL -e 'print time()')
grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1
elapsed=$((t2 - t1))
# Check that given timeout value is respected, there should be 1 try with 8 seconds.
test $elapsed -lt 8 && ret=1
test $elapsed -gt 12 && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Input-validation behaviour, non-interactive vs interactive (-i): in
# non-interactive mode a malformed line is fatal (non-zero exit plus a
# "syntax error"), whereas with -i the same problem is reported but the
# session continues and exits 0. Three malformed inputs are exercised:
# an owner with an empty label, an unknown key type, an unresolvable server.
n=$((n + 1))
ret=0
echo_i "ensure bad owner name is fatal in non-interactive mode ($n)"
$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1
  update add emptylabel..nil. 600 A 10.10.10.1
END
grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1
grep "syntax error" nsupdate.out >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "ensure bad owner name is not fatal in interactive mode ($n)"
$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1
  update add emptylabel..nil. 600 A 10.10.10.1
END
grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "ensure invalid key type is fatal in non-interactive mode ($n)"
$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1
  key badkeytype:example abcd12345678
END
grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1
grep "syntax error" nsupdate.out >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "ensure invalid key type is not fatal in interactive mode ($n)"
$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1
  key badkeytype:example abcd12345678
END
grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)"
$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1
  server unresolvable..
END
grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1
grep "syntax error" nsupdate.out >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)"
$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1
  server unresolvable..
END
grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1
# in interactive mode the lookup failure must NOT be escalated to a syntax error
grep "syntax error" nsupdate.out >/dev/null && ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Address-family option handling: -4 and -6 are mutually exclusive, and
# -4 must refuse an IPv6 server address up front rather than trying it.
n=$((n + 1))
ret=0
echo_i "check nsupdate -4 -6 ($n)"
$NSUPDATE -4 -6 <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
END
grep "only one of -4 and -6 allowed" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check nsupdate -4 with an IPv6 server address ($n)"
$NSUPDATE -4 <<END >nsupdate.out.test$n 2>&1 && ret=1
server fd92:7065:b8e:ffff::2 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
END
grep "address family not supported" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# TKEY is a meta-type used for key negotiation and has no place in an
# UPDATE section; the server must reject it with FORMERR. The -d output
# is expected to show the outgoing message (NOERROR) as well as the reply.
n=$((n + 1))
ret=0
echo_i "check that TKEY in a update is rejected ($n)"
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
send
END
grep "UPDATE, status: NOERROR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
grep "UPDATE, status: FORMERR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# update-policy per-type record quotas. ns6 grants "tcp-self" with
# PTR(1) ANY(2): a client may add at most one PTR at its own reverse name.
# "local 10.53.0.5" sets the source address that tcp-self is matched on.
n=$((n + 1))
ret=0
echo_i "check that max records is enforced ($n)"
nextpart ns6/named.run >/dev/null
# NOTE(review): unguarded nsupdate -- under set -e a non-zero exit aborts
# the run rather than failing this test.
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END
server 10.53.0.6 ${PORT}
local 10.53.0.5
update del 5.0.53.10.in-addr.arpa.
update add 5.0.53.10.in-addr.arpa. 600 PTR localhost.
update add 5.0.53.10.in-addr.arpa. 600 PTR other.
send
END
$DIG $DIGOPTS @10.53.0.6 \
  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
  -x 10.53.0.5 >dig.out.ns6.$n
# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so only the
# first PTR record should be added.
grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
grep other. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
# the excess record must be logged as a policy violation, not silently dropped
nextpart ns6/named.run >nextpart.out.$n
grep "attempt to add more records than permitted by policy" nextpart.out.$n >/dev/null || ret=1
if test $ret -ne 0; then
  echo_i "failed"
  status=1
fi

# Same policy, ANY(2) branch: types without an explicit quota fall under
# the ANY limit (2 records), while a type listed with no quota (A) is
# unlimited. The counting and the pass/fail decision follow below.
n=$((n + 1))
ret=0
echo_i "check that max records for ANY is enforced ($n)"
nextpart ns6/named.run >/dev/null
$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END
server 10.53.0.6 ${PORT}
local 10.53.0.5
update del 5.0.53.10.in-addr.arpa.
update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.4
update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.3
update add 5.0.53.10.in-addr.arpa. 600 A 1.2.3.2
update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.4
update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.3
update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.2
send
END
$DIG $DIGOPTS @10.53.0.6 \
  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
  ANY -x 10.53.0.5 >dig.out.ns6.test$n
nextpart ns6/named.run >nextpart.out.test$n
grep "attempt to add more records than permitted by policy" nextpart.out.test$n >/dev/null || ret=1
# the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so all the A
# records should have been added as there is no limit and the first 2
# of the AAAA records added as they match ANY(2).
# count the A and AAAA records that survived the ANY(2) quota check above
c1=$(awk '$4 == "A" { print }' dig.out.ns6.test$n | wc -l)
c2=$(awk '$4 == "AAAA" { print }' dig.out.ns6.test$n | wc -l)
# NOTE(review): "-a" inside test is obsolescent; the portable spelling is
# [ "$c1" -eq 3 ] && [ "$c2" -eq 2 ].
test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1
# the third AAAA is the one that must have been refused
# (no >/dev/null here, so a match is also echoed into the test log)
grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1
if test $ret -ne 0; then
  echo_i "failed"
  status=1
fi

# A DS record lives in the parent zone, never at the child's own apex.
# named must drop such a record from an update (logging it) without
# failing the update, and the apex must still have no DS afterwards.
n=$((n + 1))
ret=0
echo_i "check that DS to the zone apex is ignored ($n)"
$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1
# discard log output so far; the next nextpart returns only what this update logs
nextpart ns3/named.run >/dev/null
# specify zone to override the default of adding to parent zone
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone example
update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
send
END
msg=": attempt to add a DS record at zone apex ignored"
nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1
$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.post.test$n || ret=1
grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Multi-signer (DNSSEC) zone: CDS/CDNSKEY records pushed via update are
# validated against the zone's signing algorithm. The two "not allowed"
# tests use algorithm 14 and must be refused with a "bad ... RRset" log
# line; the two "allowed" tests use algorithm 13 and must succeed
# (presumably 13 is the zone's own algorithm -- confirm in ns3's setup).
n=$((n + 1))
ret=0
echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1
# no nextpart reset here: the log window starts at the previous test's read
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
send
END
msg=": bad CDS RRset"
nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.post.test$n || ret=1
grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1
nextpart ns3/named.run >/dev/null
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
send
END
msg=": bad CDNSKEY RRset"
nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.post.test$n || ret=1
grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
send
END
# the record may take a moment to become visible; poll for a non-empty answer
retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1
grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone multisigner.test
update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
send
END
retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

# Excessive NSEC3 iterations make every NXDOMAIN answer expensive to
# compute and validate (a CPU-exhaustion vector); the diagnostic is
# expected in nsupdate's own output, i.e. the client refuses the record
# before it is sent -- confirm against nsupdate's source if in doubt.
n=$((n + 1))
ret=0
echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}
zone example
update add example 0 in NSEC3PARAM 1 0 151 -
END
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1
[ $ret = 0 ] || {
  echo_i "failed"
  status=1
}

n=$((n + 1))
ret=0
echo_i "check nsupdate retries with another server on REFUSED response ($n)"
# resolv.conf uses 10.53.0.1 followed by 10.53.0.3; example is only
# served by 10.53.0.3, so we should fail over to the second server;
# that's what we're testing for. (failure is still expected, however,
# because the address lookup for the primary doesn't use the overridden
# resolv.conf file).
1735$NSUPDATE -D -C resolv.conf -p ${PORT} <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1736zone example 1737update add a 3600 IN A 1.2.3.4 1738send 1739EOF 1740grep '10.53.0.1.*REFUSED' nsupdate.out.test$n >/dev/null || ret=1 1741grep 'Reply from SOA query' nsupdate.out.test$n >/dev/null || ret=1 1742[ $ret = 0 ] || { 1743 echo_i "failed" 1744 status=1 1745} 1746 1747n=$((n + 1)) 1748ret=0 1749echo_i "check that update is rejected if query is not allowed ($n)" 1750{ 1751 $NSUPDATE -d <<END && ret=1 1752 local 10.53.0.2 1753 server 10.53.0.1 ${PORT} 1754 update add reject.other.nil 3600 IN TXT Whatever 1755 send 1756END 1757} >nsupdate.out.test$n 2>&1 1758grep 'failed: REFUSED' nsupdate.out.test$n >/dev/null || ret=1 1759[ $ret = 0 ] || { 1760 echo_i "failed" 1761 status=1 1762} 1763 1764n=$((n + 1)) 1765ret=0 1766echo_i "check that update is rejected if quota is exceeded ($n)" 1767for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do 1768 { 1769 $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >/dev/null 2>&1 <<END 1770 update add txt-$loop.other.nil 3600 IN TXT Whatever 1771 send 1772END 1773 } & 1774done 1775wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1 1776[ $ret = 0 ] || { 1777 echo_i "failed" 1778 status=1 1779} 1780 1781if ! 
$FEATURETEST --gssapi; then 1782 echo_i "SKIPPED: GSSAPI tests" 1783else 1784 n=$((n + 1)) 1785 ret=0 1786 echo_i "check GSS-API TKEY request rcode against a non configured server ($n)" 1787 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1788 export KRB5CCNAME 1789 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1790 gsstsig 1791 realm EXAMPLE.COM 1792 server 10.53.0.7 ${PORT} 1793 zone example.com 1794 send 1795EOF 1796 grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n >/dev/null || ret=1 1797 [ $ret = 0 ] || { 1798 echo_i "failed" 1799 status=1 1800 } 1801 1802 copy_setports ns7/named2.conf.in ns7/named.conf 1803 rndc_reload ns7 10.53.0.7 1804 1805 n=$((n + 1)) 1806 ret=0 1807 echo_i "check krb5-self match ($n)" 1808 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1809 export KRB5CCNAME 1810 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 1811 gsstsig 1812 realm EXAMPLE.COM 1813 server 10.53.0.7 ${PORT} 1814 zone example.com 1815 update add machine.example.com 3600 IN A 10.53.0.7 1816 send 1817EOF 1818 $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A >dig.out.ns7.test$n 1819 grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 1820 grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n >/dev/null || ret=1 1821 [ $ret = 0 ] || { 1822 echo_i "failed" 1823 status=1 1824 } 1825 1826 n=$((n + 1)) 1827 ret=0 1828 echo_i "check krb5-self no-match ($n)" 1829 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1830 export KRB5CCNAME 1831 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1832 gsstsig 1833 realm EXAMPLE.COM 1834 server 10.53.0.7 ${PORT} 1835 zone example.com 1836 update add foo.example.com 3600 IN A 10.53.0.7 1837 send 1838EOF 1839 grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 1840 $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A >dig.out.ns7.test$n 1841 grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 1842 [ $ret = 0 ] || { 1843 echo_i "failed" 1844 status=1 1845 } 1846 1847 
n=$((n + 1)) 1848 ret=0 1849 echo_i "check krb5-subdomain match ($n)" 1850 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1851 export KRB5CCNAME 1852 $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 1853 gsstsig 1854 realm EXAMPLE.COM 1855 server 10.53.0.7 ${PORT} 1856 zone example.com 1857 update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com 1858 send 1859EOF 1860 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV >dig.out.ns7.test$n 1861 grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 1862 grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 1863 [ $ret = 0 ] || { 1864 echo_i "failed" 1865 status=1 1866 } 1867 1868 n=$((n + 1)) 1869 ret=0 1870 echo_i "check krb5-subdomain no-match ($n)" 1871 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1872 export KRB5CCNAME 1873 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1874 gsstsig 1875 realm EXAMPLE.COM 1876 server 10.53.0.7 ${PORT} 1877 zone example.com 1878 update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com 1879 send 1880EOF 1881 grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 1882 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV >dig.out.ns7.test$n 1883 grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 1884 [ $ret = 0 ] || { 1885 echo_i "failed" 1886 status=1 1887 } 1888 1889 n=$((n + 1)) 1890 ret=0 1891 echo_i "check krb5-subdomain-self-rhs match PTR ($n)" 1892 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1893 export KRB5CCNAME 1894 $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 1895 gsstsig 1896 realm EXAMPLE.COM 1897 server 10.53.0.7 ${PORT} 1898 zone in-addr.arpa 1899 update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com 1900 send 1901EOF 1902 $DIG $DIGOPTS +tcp @10.53.0.7 4.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n 1903 grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 1904 grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" 
dig.out.ns7.test$n >/dev/null || ret=1 1905 [ $ret = 0 ] || { 1906 echo_i "failed" 1907 status=1 1908 } 1909 1910 n=$((n + 1)) 1911 ret=0 1912 echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)" 1913 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1914 export KRB5CCNAME 1915 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1916 gsstsig 1917 realm EXAMPLE.COM 1918 server 10.53.0.7 ${PORT} 1919 zone in-addr.arpa 1920 update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com 1921 send 1922EOF 1923 grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 1924 $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n 1925 grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 1926 [ $ret = 0 ] || { 1927 echo_i "failed" 1928 status=1 1929 } 1930 1931 n=$((n + 1)) 1932 ret=0 1933 echo_i "check krb5-subdomain-self-rhs match SRV ($n)" 1934 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1935 export KRB5CCNAME 1936 $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 1937 gsstsig 1938 realm EXAMPLE.COM 1939 server 10.53.0.7 ${PORT} 1940 zone example.com 1941 update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com 1942 send 1943EOF 1944 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv.example.com ANY >dig.out.ns7.test$n 1945 grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 1946 grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 1947 [ $ret = 0 ] || { 1948 echo_i "failed" 1949 status=1 1950 } 1951 1952 n=$((n + 1)) 1953 ret=0 1954 echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)" 1955 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1956 export KRB5CCNAME 1957 $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 1958 gsstsig 1959 realm EXAMPLE.COM 1960 server 10.53.0.7 ${PORT} 1961 zone example.com 1962 update add _xxx.self-srv-no-type.example.com 3600 IN SRV 0 0 0 machine.example.com 1963 update add _xxx.self-srv-no-type.example.com 
3600 IN TXT a txt record 1964 send 1965EOF 1966 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv-no-type.example.com ANY >dig.out.ns7.test$n 1967 grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 1968 grep '_xxx.self-srv-no-type.example.com.*SRV.*0 0 0 machine.example.com' dig.out.ns7.test$n >/dev/null || ret=1 1969 grep '_xxx.self-srv-no-type.example.com.*TXT.*"a" "txt" "record"' dig.out.ns7.test$n >/dev/null || ret=1 1970 [ $ret = 0 ] || { 1971 echo_i "failed" 1972 status=1 1973 } 1974 1975 n=$((n + 1)) 1976 ret=0 1977 echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)" 1978 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 1979 export KRB5CCNAME 1980 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 1981 gsstsig 1982 realm EXAMPLE.COM 1983 server 10.53.0.7 ${PORT} 1984 zone example.com 1985 update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com 1986 send 1987EOF 1988 grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 1989 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV >dig.out.ns7.test$n 1990 grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 1991 [ $ret = 0 ] || { 1992 echo_i "failed" 1993 status=1 1994 } 1995 1996 n=$((n + 1)) 1997 ret=0 1998 echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)" 1999 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" 2000 export KRB5CCNAME 2001 $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 2002 gsstsig 2003 realm EXAMPLE.COM 2004 server 10.53.0.7 ${PORT} 2005 zone example.com 2006 update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record 2007 send 2008EOF 2009 grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 2010 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT >dig.out.ns7.test$n 2011 grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 2012 [ $ret = 0 ] || { 2013 echo_i "failed" 2014 status=1 2015 } 2016 2017 n=$((n + 1)) 2018 ret=0 2019 echo_i "check krb5-subdomain-self-rhs delete PTR (matching 
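PTR) ($n)"
  # GSS-TSIG update-policy checks.
  #
  # Every check below has the same shape: optionally confirm with dig that
  # the record exists beforehand ("pre" output), run nsupdate signed with
  # GSS-TSIG using the committed machine credential cache of the server
  # under test (ns7..ns10, see the KRB5CCNAME note at the top of the file),
  # then query the server again to confirm the effect.  The echo_i message
  # names the update-policy rule type being exercised; the policy itself is
  # presumably in that server's named.conf, which is not part of this file.
  #
  # "match" and "matching" checks expect the update to be accepted and the
  # resulting data to be visible.  "no-match" and "non-matching" checks are
  # the authorization-boundary checks: nsupdate must report
  # "update failed: REFUSED" and the zone data must be unchanged (NXDOMAIN
  # for a name that was never added, or the original answer count for a
  # delete that must not touch records the principal does not own).
  #
  # Runs with "nsupdate -d" keep the debug transcript in nsupdate.out.test$n.
  #
  # Every $DIG run ends in "|| ret=1" so that a query failure (no response,
  # bad arguments) is recorded as a failed check and reported at the end,
  # instead of aborting the whole script under "set -e" before
  # "exit status" is printed.  This matches the earlier checks in this file.
  $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone in-addr.arpa
update delete single.ptr.self-ptr.in-addr.arpa PTR
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  # The name holds two PTR records; the delete must be refused as a whole
  # and both records must still be there afterwards.
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone in-addr.arpa
update delete many.ptr.self-ptr.in-addr.arpa PTR
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  # No type on the delete line: this is a delete of ANY.
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone in-addr.arpa
update delete single.any.self-ptr.in-addr.arpa
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone in-addr.arpa
update delete many.any.self-ptr.in-addr.arpa
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone example.com
update delete single.srv.self-srv.example.com SRV
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone example.com
update delete many.srv.self-srv.example.com SRV
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV >dig.out.ns7.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone example.com
update delete single.any.self-srv.example.com
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone example.com
update delete many.any.self-srv.example.com
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV >dig.out.ns7.test$n || ret=1
  grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  # ns8: krb5-selfsub.  The machine principal may add names below its own
  # name (xxx.machine.example.com) but not elsewhere in the zone.
  n=$((n + 1))
  ret=0
  echo_i "check krb5-selfsub match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.8 ${PORT}
zone example.com
update add xxx.machine.example.com 3600 IN A 10.53.0.8
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A >dig.out.ns8.test$n || ret=1
  grep "status: NOERROR" dig.out.ns8.test$n >/dev/null || ret=1
  grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check krb5-selfsub no-match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.8 ${PORT}
zone example.com
update add foo.example.com 3600 IN A 10.53.0.8
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A >dig.out.ns8.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns8.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  # ns9: ms-self and ms-subdomain.
  n=$((n + 1))
  ret=0
  echo_i "check ms-self match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
zone example.com
update add machine.example.com 3600 IN A 10.53.0.9
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A >dig.out.ns9.test$n || ret=1
  grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
  grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-self no-match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
zone example.com
update add foo.example.com 3600 IN A 10.53.0.9
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A >dig.out.ns9.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
zone example.com
update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV >dig.out.ns9.test$n || ret=1
  grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain no-match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
  export KRB5CCNAME
  # Same owner shape as the match case but under _udp, which must be refused.
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.9 ${PORT}
zone example.com
update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV >dig.out.ns9.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  # ns10: ms-subdomain-self-rhs (PTR and SRV whose RHS must be the
  # principal's own machine name), then ms-selfsub.
  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs match (PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 4.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  # RHS names a different host (notme.example.com), so the add is refused.
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs match (SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 _xxx.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update delete single.srv.self-srv.example.com SRV
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update delete many.srv.self-srv.example.com SRV
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update delete single.ptr.self-ptr.in-addr.arpa PTR
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update delete many.ptr.self-ptr.in-addr.arpa PTR
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update delete single.any.self-ptr.in-addr.arpa
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone in-addr.arpa
update delete many.any.self-ptr.in-addr.arpa
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV) ($n)"
  $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.pre.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1
  grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update delete single.any.self-srv.example.com
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update delete many.any.self-srv.example.com
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-selfsub match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update add xxx.machine.example.com 3600 IN A 10.53.0.10
send
EOF
  $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A >dig.out.ns10.test$n || ret=1
  grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
  grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }

  n=$((n + 1))
  ret=0
  echo_i "check ms-selfsub no-match ($n)"
  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
  export KRB5CCNAME
  $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.10 ${PORT}
zone example.com
update add foo.example.com 3600 IN A 10.53.0.10
send
EOF
  grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1
  $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A >dig.out.ns10.test$n || ret=1
  grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1
  [ $ret = 0 ] || {
    echo_i "failed"
    status=1
  }
fi

# Overall result: any single failed check above set status=1.
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1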