#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns1 = stealth primary
# ns2 = secondary with update forwarding disabled; not currently used
# ns3 = secondary with update forwarding enabled

SYSTEMTESTTOP=..
# conf.sh provides the tool paths ($DIG, $NSUPDATE, $RNDC, $DNSTAPREAD, ...)
# and helpers (echo_i, digcomp, retry_quiet, ...) used below.
. "$SYSTEMTESTTOP/conf.sh"

# Shared dig options: TCP, terse output, the test-suite port.
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
# rndc invocation against the control port with the shared test rndc config.
RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"

# status accumulates per-step failures; n numbers the steps and suffixes
# the per-step output files.
status=0
n=1
#######################################
# Rotate ns3's dnstap output into dnstap.out.$n for the current step.
# Uses retry_quiet to wait for ns3/dnstap.out to appear before moving it,
# then tells ns3 over rndc to reopen its dnstap output.
# Globals:  n, RNDCCMD (read)
# Returns:  the exit status of the rndc call
#######################################
capture_dnstap() {
	if retry_quiet 20 test -f ns3/dnstap.out; then
		mv ns3/dnstap.out "dnstap.out.$n"
	fi
	# NOTE(review): if the file never appears the mv is skipped silently and
	# the caller will read a dnstap.out.$n that does not exist.
	$RNDCCMD -s 10.53.0.3 dnstap -reopen
}

#######################################
# Count the UQ and UR records (presumably update query / update response)
# in the dnstap capture for the current step and compare the two counts.
# Globals:  n, DNSTAPREAD (read); UQ, UR (written, reported via echo_i)
# Outputs:  dnstapread.out$n holds "<UQ count> <UR count>"
# Returns:  0 when the counts are equal, 1 otherwise
#######################################
uq_equals_ur() {
	# The third field of dnstap-read output is matched against UQ / UR.
	"$DNSTAPREAD" "dnstap.out.$n" |
		awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > "dnstapread.out$n"
	read -r UQ UR < "dnstapread.out$n"
	echo_i "UQ=$UQ UR=$UR"
	# NOTE(review): on an empty or missing capture awk still prints "0 0",
	# so the counts compare equal and a positive check passes vacuously.
	if [ "$UQ" -eq "$UR" ]; then
		return 0
	fi
	return 1
}

echo_i "waiting for servers to be ready for testing ($n)"
# Poll ns1..ns3 for a NOERROR SOA answer once a second, up to ten times.
attempt=0
while [ "$attempt" -lt 10 ]; do
	attempt=$((attempt + 1))
	ret=0
	for srv in 1 2 3; do
		$DIG +tcp -p "${PORT}" example. "@10.53.0.$srv" soa > "dig.out.ns$srv" || ret=1
		grep "status: NOERROR" "dig.out.ns$srv" > /dev/null || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

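echo_i "fetching primary copy of zone before update ($n)"
ret=0
# DIGOPTS is a space-separated option list; word-splitting is intended.
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 1 copy of zone before update ($n)"
# ret must be reset per step; otherwise a failure in the previous step is
# counted again here and reported under the wrong step name.
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 2 copy of zone before update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "comparing pre-update copies to known good data ($n)"
ret=0
# All three copies must match the expected pre-update zone contents.
digcomp knowngood.before dig.out.ns1 || ret=1
digcomp knowngood.before dig.out.ns2 || ret=1
digcomp knowngood.before dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
# Advance the step counter so the next step does not reuse this number.
n=$((n + 1))
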
echo_i "updating zone (signed) ($n)"
ret=0
# TSIG-signed update sent from ns1's address to ns3, the forwarding
# secondary. The -y secret is a throwaway fixture for this test only; being
# on argv it is visible in the process list, which is acceptable here but
# not for a real key (use -k with a key file instead).
$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
send
EOF
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

# Presumably gives ns3 time to forward the update and the change to
# propagate back to the secondaries.
echo_i "sleeping 15 seconds for server to incorporate changes"
sleep 15

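# Every step below increments n so log lines and per-step output files stay
# distinct (the secondary-1 fetch and the comparison used to share a number
# with the step after them).
echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after1 dig.out.ns1 || ret=1
digcomp knowngood.after1 dig.out.ns2 || ret=1
digcomp knowngood.after1 dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "checking 'forwarding update for zone' is logged ($n)"
ret=0
# ns3 must have logged that it forwarded the update rather than applying it.
grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))
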
# Only meaningful when named was built with dnstap support.
if $FEATURETEST --enable-dnstap; then
	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
	ret=0
	capture_dnstap
	# Every forwarded update query is expected to have a matching reply.
	if ! uq_equals_ur; then
		ret=1
	fi
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
	n=$((n + 1))
fi

echo_i "updating zone (unsigned) ($n)"
ret=0
# Same forwarded update as the signed case, but without TSIG.
$NSUPDATE -- - <<EOF || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT}
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
send
EOF
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "sleeping 15 seconds for server to incorporate changes"
sleep 15

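# Every step below increments n so log lines and per-step output files stay
# distinct (the primary and secondary-2 fetches and the comparison used to
# share a number with the step after them).
echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "comparing post-update copies to known good data ($n)"
ret=0
# After the unsigned update all three copies must match knowngood.after2.
digcomp knowngood.after2 dig.out.ns1 || ret=1
digcomp knowngood.after2 dig.out.ns2 || ret=1
digcomp knowngood.after2 dig.out.ns3 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))
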
if $FEATURETEST --enable-dnstap; then
	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
	ret=0
	capture_dnstap
	if ! uq_equals_ur; then
		ret=1
	fi
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
	n=$((n + 1))
fi
# The step counter advances here whether or not the dnstap check ran.
n=$((n + 1))

echo_i "checking update forwarding to dead primary ($n)"
# Send updates for the "nomaster" zone (whose primary is dead) to ns3 in
# the background, and verify ns3 keeps answering ordinary queries meanwhile.
count=0
ret=0
while [ "$count" -lt 5 ] && [ "$ret" -eq 0 ]; do
	(
		$NSUPDATE -- - <<EOF
local 10.53.0.1
server 10.53.0.3 ${PORT}
zone nomaster
update add unsigned.nomaster. 600 A 10.10.10.1
update add unsigned.nomaster. 600 TXT Foo
send
EOF
	) > /dev/null 2>&1 &
	$DIG -p "${PORT}" +noadd +notcp +noauth nomaster. @10.53.0.3 soa > dig.out.ns3 || ret=1
	grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
	count=$((count + 1))
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

if $FEATURETEST --enable-dnstap; then
	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
	ret=0
	capture_dnstap
	# Inverted expectation: with the primary dead the forwarded queries
	# presumably get no replies, so equal UQ/UR counts mean failure.
	if uq_equals_ur; then
		ret=1
	fi
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
	n=$((n + 1))
fi

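# SIG(0) variant, run only when a keyname file is present (it holds the
# base name of the key pair to sign with).
if test -f keyname; then
	echo_i "checking update forwarding to with sig0 ($n)"
	ret=0
	keyname=$(cat keyname)
	# nsupdate's own exit status is checked as well as the follow-up query,
	# matching the other update steps in this file. <<- strips the leading
	# tabs so nsupdate receives bare commands.
	$NSUPDATE -k "$keyname.private" -- - <<-EOF || ret=1
	local 10.53.0.1
	server 10.53.0.3 ${PORT}
	zone example2
	update add unsigned.example2. 600 A 10.10.10.1
	update add unsigned.example2. 600 TXT Foo
	send
	EOF
	# The forwarded update must now be visible on the primary.
	$DIG -p "${PORT}" unsigned.example2 A @10.53.0.1 > "dig.out.ns1.test$n"
	grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
	n=$((n + 1))

	if $FEATURETEST --enable-dnstap; then
		echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
		ret=0
		capture_dnstap
		uq_equals_ur || ret=1
		[ "$ret" -eq 0 ] || echo_i "failed"
		status=$((status + ret))
		n=$((n + 1))
	fi
fi
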
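echo_i "attempting an update that should be rejected by ACL ($n)"
ret=0
# Negative test: an update arriving from ns2's address (10.53.0.2) must be
# refused by ns3's ACL. The heredoc body is unindented like the other
# updates in this file so nsupdate sees bare commands rather than
# whitespace-prefixed ones.
{
	$NSUPDATE -- - <<EOF
local 10.53.0.2
server 10.53.0.3 ${PORT}
update add another.unsigned.example. 600 A 10.10.10.2
update add another.unsigned.example. 600 TXT Bar
send
EOF
} > "nsupdate.out.$n" 2>&1
grep REFUSED "nsupdate.out.$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))
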
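n=$((n + 1))
ret=0
echo_i "attempting updates that should exceed quota ($n)"
# lower the update quota to 1.
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
# nextpart presumably advances the read offset on ns3/named.run so that
# wait_for_log below only sees lines logged from here on.
nextpart ns3/named.run > /dev/null
# Queue ten concurrent updates; with a quota of 1 the surplus must be
# rejected and logged. The heredoc bodies are unindented like the other
# updates in this file so nsupdate sees bare commands.
for loop in 1 2 3 4 5 6 7 8 9 10; do
	{
		$NSUPDATE -- - > /dev/null 2>&1 <<END
local 10.53.0.1
server 10.53.0.3 ${PORT}
update add txt-$loop.unsigned.example 300 IN TXT Whatever
send
END
	} &
done
wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
# Accumulate into status like every other step instead of overwriting it.
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1
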