tests.sh revision 1.1.1.5
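#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns1 = stealth primary
# ns2 = secondary with update forwarding disabled; not currently used
# ns3 = secondary with update forwarding enabled

# System test for DNS UPDATE forwarding.  Updates are sent to the secondary
# ns3 (10.53.0.3) and the zone is then transferred from all three servers and
# compared with known-good data.  The script covers, in order: a TSIG-signed
# update, an unsigned update, forwarding towards an unreachable primary,
# an optional SIG(0)-signed update, an update that the ACL must refuse, and
# a burst of updates that must trip the update quota.
#
# Helpers such as echo_i, digcomp, retry_quiet, nextpart, wait_for_log,
# copy_setports and rndc_reconfig, and the variables DIG, NSUPDATE, RNDC,
# PORT, CONTROLPORT, FEATURETEST and DNSTAPREAD, are not defined in this
# file; they are presumably provided by conf.sh.
#
# $status counts failed steps and $n is the step number printed in messages
# and used in output file names.  The numbering is not strictly sequential
# (some steps share a number, some numbers are skipped); it is left as is so
# that output file names do not change.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# DIGOPTS and RNDCCMD are expanded unquoted on purpose: they hold several
# words that must be split into separate arguments.
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"

status=0
n=1

# Move ns3's dnstap capture aside as dnstap.out.$n (after waiting for the
# file to appear) and ask ns3 to reopen its dnstap output.
# The mv is skipped when the file never shows up, so dnstap.out.$n may be
# missing afterwards.
capture_dnstap() {
  retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out "dnstap.out.$n"
  $RNDCCMD -s 10.53.0.3 dnstap -reopen
}

# Count UPDATE query (UQ) and UPDATE response (UR) records in dnstap.out.$n
# and succeed only when both counts are equal.
# NOTE(review): if dnstap.out.$n is missing or unreadable, awk still prints
# "0 0" and the counts compare as equal, so a lost capture looks like a pass
# to callers that use "uq_equals_ur || ret=1".
uq_equals_ur() {
  "$DNSTAPREAD" "dnstap.out.$n" |
    awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > "dnstapread.out$n"
  read -r UQ UR < "dnstapread.out$n"
  echo_i "UQ=$UQ UR=$UR"
  test "$UQ" -eq "$UR" || return 1
}

echo_i "waiting for servers to be ready for testing ($n)"
# Poll all three servers for up to ten rounds, one second apart, until each
# one answers the SOA query for example. with NOERROR.
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1
  grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1
  $DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1
  grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
  $DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1
  grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
  test $ret = 0 && break
  sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching primary copy of zone before update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 1 copy of zone before update ($n)"
# Start from a clean status so a failure of the previous step is not
# counted a second time here.
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 2 copy of zone before update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "comparing pre-update copies to known good data ($n)"
ret=0
digcomp knowngood.before dig.out.ns1 || ret=1
digcomp knowngood.before dig.out.ns2 || ret=1
digcomp knowngood.before dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "updating zone (signed) ($n)"
ret=0
# -y passes the TSIG secret as a command-line argument, where it can be read
# from the process list.  That is tolerable for this fixed test-only key;
# outside a test harness a key file (-k) keeps the secret out of argv.
$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
send
EOF
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "sleeping 15 seconds for server to incorporate changes"
sleep 15

echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after1 dig.out.ns1 || ret=1
digcomp knowngood.after1 dig.out.ns2 || ret=1
digcomp knowngood.after1 dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "checking 'forwarding update for zone' is logged ($n)"
ret=0
# The forwarding secondary must leave a log record for the update it relayed.
grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

if $FEATURETEST --enable-dnstap
then
  echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
  ret=0
  capture_dnstap
  uq_equals_ur || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))
fi

echo_i "updating zone (unsigned) ($n)"
ret=0
# No TSIG or SIG(0) on this update: whether it is accepted depends only on
# address-based ACLs (server configuration is not visible in this script).
# NOTE(review): a primary that receives a forwarded update sees the
# secondary as the sender, so address-based update ACLs on the primary
# end up trusting whatever the secondary is willing to forward.
$NSUPDATE -- - <<EOF || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT}
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
send
EOF
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "sleeping 15 seconds for server to incorporate changes"
sleep 15

echo_i "fetching primary copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 axfr > dig.out.ns1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "fetching secondary 1 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

echo_i "fetching secondary 2 copy of zone after update ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "comparing post-update copies to known good data ($n)"
ret=0
digcomp knowngood.after2 dig.out.ns1 || ret=1
digcomp knowngood.after2 dig.out.ns2 || ret=1
digcomp knowngood.after2 dig.out.ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

if $FEATURETEST --enable-dnstap
then
  echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
  ret=0
  capture_dnstap
  uq_equals_ur || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))
fi
n=$((n + 1))

echo_i "checking update forwarding to dead primary ($n)"
count=0
ret=0
# Up to five rounds: start an update for zone "nomaster" in the background
# (its output is discarded and the job is not waited for), then check that
# ns3 still answers an SOA query over UDP (+notcp) with NOERROR.
while [ "$count" -lt 5 ] && [ "$ret" -eq 0 ]
do
  (
    $NSUPDATE -- - <<EOF
local 10.53.0.1
server 10.53.0.3 ${PORT}
zone nomaster
update add unsigned.nomaster. 600 A 10.10.10.1
update add unsigned.nomaster. 600 TXT Foo
send
EOF
  ) > /dev/null 2>&1 &
  $DIG -p ${PORT} +noadd +notcp +noauth nomaster. @10.53.0.3 soa > dig.out.ns3 || ret=1
  grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
  count=$((count + 1))
done
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

if $FEATURETEST --enable-dnstap
then
  echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
  ret=0
  capture_dnstap
  # Inverted check: this step fails when the query and response counts
  # match, i.e. the counts are expected to differ after the previous step.
  uq_equals_ur && ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))
fi

# The SIG(0) steps only run when a "keyname" file exists in the test
# directory; it is not created in this script.
if test -f keyname
then
  echo_i "checking update forwarding to with sig0 ($n)"
  ret=0
  keyname=$(cat keyname)
  # The exit status of nsupdate is not checked here; the step is judged by
  # the dig query against the primary that follows.
  $NSUPDATE -k "$keyname.private" -- - <<EOF
  local 10.53.0.1
  server 10.53.0.3 ${PORT}
  zone example2
  update add unsigned.example2. 600 A 10.10.10.1
  update add unsigned.example2. 600 TXT Foo
  send
EOF
  $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > "dig.out.ns1.test$n"
  grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  n=$((n + 1))

  if $FEATURETEST --enable-dnstap
  then
    echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
    ret=0
    capture_dnstap
    uq_equals_ur || ret=1
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
    n=$((n + 1))
  fi
fi

echo_i "attempting an update that should be rejected by ACL ($n)"
ret=0
# Negative test: same kind of unsigned update, but sent from source address
# 10.53.0.2 instead of 10.53.0.1.  The step passes only when nsupdate's
# output contains REFUSED.
{
  $NSUPDATE -- - << EOF
  local 10.53.0.2
  server 10.53.0.3 ${PORT}
  update add another.unsigned.example. 600 A 10.10.10.2
  update add another.unsigned.example. 600 TXT Bar
  send
EOF
} > "nsupdate.out.$n" 2>&1
grep REFUSED "nsupdate.out.$n" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi
n=$((n + 1))

n=$((n + 1))
ret=0
echo_i "attempting updates that should exceed quota ($n)"
# lower the update quota to 1.
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
# Skip over what ns3 has logged so far so that only new log lines are
# searched below (presumed purpose of nextpart; it is defined elsewhere).
nextpart ns3/named.run > /dev/null
# Launch ten updates concurrently; with the quota lowered, ns3 is expected
# to log that it has too many updates queued rather than queue them all.
for loop in 1 2 3 4 5 6 7 8 9 10; do
  {
    $NSUPDATE -- - > /dev/null 2>&1 <<END
  local 10.53.0.1
  server 10.53.0.3 ${PORT}
  update add txt-$loop.unsigned.example 300 IN TXT Whatever
  send
END
  } &
done
wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
# Accumulate into the failure count like every other step, so earlier
# failures are not overwritten.
if [ $ret != 0 ]; then echo_i "failed"; status=$((status + ret)); fi

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1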