search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove building with NOCRYPTO option
[minix.git] / external / bsd / bind / dist / bin / tests / system / dnssec / tests.sh
blob56866b25902900cc01f0a041dc75ca52b5c535a9
1 #!/bin/sh
2 #
3 # Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
4 # Copyright (C) 2000-2002 Internet Software Consortium.
5 #
6 # Permission to use, copy, modify, and/or distribute this software for any
7 # purpose with or without fee is hereby granted, provided that the above
8 # copyright notice and this permission notice appear in all copies.
9 #
10 # THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 # AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 # PERFORMANCE OF THIS SOFTWARE.
17
18 SYSTEMTESTTOP=..
19 . $SYSTEMTESTTOP/conf.sh
20
21 status=0
22 n=1
23
24 rm -f dig.out.*
25
26 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
27 DELVOPTS="-a ns1/trusted.conf -p 5300"
28
29 # convert private-type records to readable form
30 showprivate () {
31 echo "-- $@ --"
32 $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
33 while read record; do
34 $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
35 die "invalid record" unless length($rdata) == 5;
36 my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
37 my $action = "signing";
38 $action = "removing" if $remove;
39 my $state = " (incomplete)";
40 $state = " (complete)" if $complete;
41 print ("$action: alg: $alg, key: $key$state\n");' $record
42 done
43 }
44
45 # check that signing records are marked as complete
46 checkprivate () {
47 ret=0
48 x=`showprivate "$@"`
49 echo $x | grep incomplete >&- 2>&- && ret=1
50 [ $ret = 1 ] && {
51 echo "$x"
52 echo "I:failed"
53 }
54 return $ret
55 }
56
57 # check that a zone file is raw format, version 0
58 israw0 () {
59 cat $1 | $PERL -e 'binmode STDIN;
60 read(STDIN, $input, 8);
61 ($style, $version) = unpack("NN", $input);
62 exit 1 if ($style != 2 || $version != 0);'
63 return $?
64 }
65
66 # check that a zone file is raw format, version 1
67 israw1 () {
68 cat $1 | $PERL -e 'binmode STDIN;
69 read(STDIN, $input, 8);
70 ($style, $version) = unpack("NN", $input);
71 exit 1 if ($style != 2 || $version != 1);'
72 return $?
73 }
74
75 # strip NS and RRSIG NS from input
76 stripns () {
77 awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1
78 }
79
80 # Check the example. domain
81
82 echo "I:checking that zone transfer worked ($n)"
83 for i in 1 2 3 4 5 6 7 8 9
84 do
85 ret=0
86 $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
87 $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
88 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
89 [ $ret = 0 ] && break
90 sleep 1
91 done
92 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
93 n=`expr $n + 1`
94 if [ $ret != 0 ]; then echo "I:failed"; fi
95 status=`expr $status + $ret`
96
97 # test AD bit:
98 # - dig +adflag asks for authentication (ad in response)
99 echo "I:checking AD bit asking for validation ($n)"
100 ret=0
101 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
102 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
103 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
104 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
105 n=`expr $n + 1`
106 if [ $ret != 0 ]; then echo "I:failed"; fi
107 status=`expr $status + $ret`
108
109 # test AD bit:
110 # - dig +noadflag
111 echo "I:checking that AD is not set without +adflag or +dnssec ($n)"
112 ret=0
113 $DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
114 $DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
115 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
116 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
117 n=`expr $n + 1`
118 if [ $ret != 0 ]; then echo "I:failed"; fi
119 status=`expr $status + $ret`
120 echo "I:checking for AD in authoritative answer ($n)"
121 ret=0
122 $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
123 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
124 n=`expr $n + 1`
125 if [ $ret != 0 ]; then echo "I:failed"; fi
126 status=`expr $status + $ret`
127
128 echo "I:checking positive validation NSEC ($n)"
129 ret=0
130 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
131 $DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
132 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
133 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
134 n=`expr $n + 1`
135 if [ $ret != 0 ]; then echo "I:failed"; fi
136 status=`expr $status + $ret`
137
138 if [ -x ${DELV} ] ; then
139 ret=0
140 echo "I:checking postive validation NSEC using dns_client ($n)"
141 $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1
142 grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
143 grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1
144 n=`expr $n + 1`
145 if [ $ret != 0 ]; then echo "I:failed"; fi
146 status=`expr $status + $ret`
147 fi
148
149 echo "I:checking positive validation NSEC3 ($n)"
150 ret=0
151 $DIG $DIGOPTS +noauth a.nsec3.example. \
152 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
153 $DIG $DIGOPTS +noauth a.nsec3.example. \
154 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
155 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
156 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
157 n=`expr $n + 1`
158 if [ $ret != 0 ]; then echo "I:failed"; fi
159 status=`expr $status + $ret`
160
161 if [ -x ${DELV} ] ; then
162 ret=0
163 echo "I:checking positive validation NSEC3 using dns_client ($n)"
164 $DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1
165 grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
166 grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
167 n=`expr $n + 1`
168 if [ $ret != 0 ]; then echo "I:failed"; fi
169 status=`expr $status + $ret`
170 fi
171
172 echo "I:checking positive validation OPTOUT ($n)"
173 ret=0
174 $DIG $DIGOPTS +noauth a.optout.example. \
175 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
176 $DIG $DIGOPTS +noauth a.optout.example. \
177 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
178 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
179 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
180 n=`expr $n + 1`
181 if [ $ret != 0 ]; then echo "I:failed"; fi
182 status=`expr $status + $ret`
183
184 if [ -x ${DELV} ] ; then
185 ret=0
186 echo "I:checking positive validation OPTOUT using dns_client ($n)"
187 $DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1
188 grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
189 grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
190 n=`expr $n + 1`
191 if [ $ret != 0 ]; then echo "I:failed"; fi
192 status=`expr $status + $ret`
193 fi
194
195 echo "I:checking positive wildcard validation NSEC ($n)"
196 ret=0
197 $DIG $DIGOPTS a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
198 $DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
199 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
200 stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
201 $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
202 grep "\*\.wild\.example\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1
203 grep "\*\.wild\.example\..*NSEC z\.example" dig.out.ns4.test$n > /dev/null || ret=1
204 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
205 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
206 n=`expr $n + 1`
207 if [ $ret != 0 ]; then echo "I:failed"; fi
208 status=`expr $status + $ret`
209
210 if [ -x ${DELV} ] ; then
211 ret=0
212 echo "I:checking positive wildcard validation NSEC using dns_client ($n)"
213 $DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1
214 grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
215 grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1
216 n=`expr $n + 1`
217 if [ $ret != 0 ]; then echo "I:failed"; fi
218 status=`expr $status + $ret`
219 fi
220
221 echo "I:checking positive wildcard answer NSEC3 ($n)"
222 ret=0
223 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
224 grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
225 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
226 n=`expr $n + 1`
227 if [ $ret != 0 ]; then echo "I:failed"; fi
228 status=`expr $status + $ret`
229
230 echo "I:checking positive wildcard answer NSEC3 ($n)"
231 ret=0
232 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
233 grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
234 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
235 n=`expr $n + 1`
236 if [ $ret != 0 ]; then echo "I:failed"; fi
237 status=`expr $status + $ret`
238
239 echo "I:checking positive wildcard validation NSEC3 ($n)"
240 ret=0
241 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
242 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
243 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
244 stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
245 $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
246 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
247 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
248 n=`expr $n + 1`
249 if [ $ret != 0 ]; then echo "I:failed"; fi
250 status=`expr $status + $ret`
251
252 if [ -x ${DELV} ] ; then
253 ret=0
254 echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)"
255 $DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
256 grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
257 grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
258 n=`expr $n + 1`
259 if [ $ret != 0 ]; then echo "I:failed"; fi
260 status=`expr $status + $ret`
261 fi
262
263 echo "I:checking positive wildcard validation OPTOUT ($n)"
264 ret=0
265 $DIG $DIGOPTS a.wild.optout.example. \
266 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
267 $DIG $DIGOPTS a.wild.optout.example. \
268 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
269 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
270 stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
271 $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
272 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
273 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
274 n=`expr $n + 1`
275 if [ $ret != 0 ]; then echo "I:failed"; fi
276 status=`expr $status + $ret`
277
278 if [ -x ${DELV} ] ; then
279 ret=0
280 echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)"
281 $DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
282 grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
283 grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
284 n=`expr $n + 1`
285 if [ $ret != 0 ]; then echo "I:failed"; fi
286 status=`expr $status + $ret`
287 fi
288
289 echo "I:checking negative validation NXDOMAIN NSEC ($n)"
290 ret=0
291 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
292 $DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
293 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
294 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
295 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
296 n=`expr $n + 1`
297 if [ $ret != 0 ]; then echo "I:failed"; fi
298 status=`expr $status + $ret`
299
300 if [ -x ${DELV} ] ; then
301 ret=0
302 echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)"
303 $DELV $DELVOPTS @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1
304 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
305 n=`expr $n + 1`
306 if [ $ret != 0 ]; then echo "I:failed"; fi
307 status=`expr $status + $ret`
308 fi
309
310 echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
311 ret=0
312 $DIG $DIGOPTS +noauth q.nsec3.example. \
313 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
314 $DIG $DIGOPTS +noauth q.nsec3.example. \
315 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
316 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
317 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
318 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
319 n=`expr $n + 1`
320 if [ $ret != 0 ]; then echo "I:failed"; fi
321 status=`expr $status + $ret`
322
323 if [ -x ${DELV} ] ; then
324 ret=0
325 echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
326 $DELV $DELVOPTS @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1
327 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
328 n=`expr $n + 1`
329 if [ $ret != 0 ]; then echo "I:failed"; fi
330 status=`expr $status + $ret`
331 fi
332
333 echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
334 ret=0
335 $DIG $DIGOPTS +noauth q.optout.example. \
336 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
337 $DIG $DIGOPTS +noauth q.optout.example. \
338 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
339 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
340 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
341 # Note - this is looking for failure, hence the &&
342 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
343 n=`expr $n + 1`
344 if [ $ret != 0 ]; then echo "I:failed"; fi
345 status=`expr $status + $ret`
346
347 if [ -x ${DELV} ] ; then
348 ret=0
349 echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
350 $DELV $DELVOPTS @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1
351 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
352 n=`expr $n + 1`
353 if [ $ret != 0 ]; then echo "I:failed"; fi
354 status=`expr $status + $ret`
355 fi
356
357 echo "I:checking negative validation NODATA NSEC ($n)"
358 ret=0
359 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
360 $DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
361 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
362 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
363 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
364 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
365 n=`expr $n + 1`
366 if [ $ret != 0 ]; then echo "I:failed"; fi
367 status=`expr $status + $ret`
368
369 if [ -x ${DELV} ] ; then
370 ret=0
371 echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
372 $DELV $DELVOPTS @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1
373 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
374 n=`expr $n + 1`
375 if [ $ret != 0 ]; then echo "I:failed"; fi
376 status=`expr $status + $ret`
377 fi
378
379 echo "I:checking negative validation NODATA NSEC3 ($n)"
380 ret=0
381 $DIG $DIGOPTS +noauth a.nsec3.example. \
382 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
383 $DIG $DIGOPTS +noauth a.nsec3.example. \
384 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
385 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
386 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
387 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
388 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
389 n=`expr $n + 1`
390 if [ $ret != 0 ]; then echo "I:failed"; fi
391 status=`expr $status + $ret`
392
393 if [ -x ${DELV} ] ; then
394 ret=0
395 echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)"
396 $DELV $DELVOPTS @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1
397 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
398 n=`expr $n + 1`
399 if [ $ret != 0 ]; then echo "I:failed"; fi
400 status=`expr $status + $ret`
401 fi
402
403 echo "I:checking negative validation NODATA OPTOUT ($n)"
404 ret=0
405 $DIG $DIGOPTS +noauth a.optout.example. \
406 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
407 $DIG $DIGOPTS +noauth a.optout.example. \
408 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
409 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
410 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
411 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
412 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
413 n=`expr $n + 1`
414 if [ $ret != 0 ]; then echo "I:failed"; fi
415 status=`expr $status + $ret`
416
417 if [ -x ${DELV} ] ; then
418 ret=0
419 echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
420 $DELV $DELVOPTS @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1
421 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
422 n=`expr $n + 1`
423 if [ $ret != 0 ]; then echo "I:failed"; fi
424 status=`expr $status + $ret`
425 fi
426
427 echo "I:checking negative wildcard validation NSEC ($n)"
428 ret=0
429 $DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
430 $DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
431 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
432 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
433 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
434 n=`expr $n + 1`
435 if [ $ret != 0 ]; then echo "I:failed"; fi
436 status=`expr $status + $ret`
437
438 if [ -x ${DELV} ] ; then
439 ret=0
440 echo "I:checking negative wildcard validation NSEC using dns_client ($n)"
441 $DELV $DELVOPTS @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1
442 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
443 n=`expr $n + 1`
444 if [ $ret != 0 ]; then echo "I:failed"; fi
445 status=`expr $status + $ret`
446 fi
447
448 echo "I:checking negative wildcard validation NSEC3 ($n)"
449 ret=0
450 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
451 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
452 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
453 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
454 n=`expr $n + 1`
455 if [ $ret != 0 ]; then echo "I:failed"; fi
456 status=`expr $status + $ret`
457
458 if [ -x ${DELV} ] ; then
459 ret=0
460 echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)"
461 $DELV $DELVOPTS @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1
462 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
463 n=`expr $n + 1`
464 if [ $ret != 0 ]; then echo "I:failed"; fi
465 status=`expr $status + $ret`
466 fi
467
468 echo "I:checking negative wildcard validation OPTOUT ($n)"
469 ret=0
470 $DIG $DIGOPTS b.wild.optout.example. \
471 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
472 $DIG $DIGOPTS b.wild.optout.example. \
473 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
474 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
475 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
476 # Note - this is looking for failure, hence the &&
477 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
478 n=`expr $n + 1`
479 if [ $ret != 0 ]; then echo "I:failed"; fi
480 status=`expr $status + $ret`
481
482 if [ -x ${DELV} ] ; then
483 ret=0
484 echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)"
485 $DELV $DELVOPTS @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1
486 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
487 n=`expr $n + 1`
488 if [ $ret != 0 ]; then echo "I:failed"; fi
489 status=`expr $status + $ret`
490 fi
491
492 # Check the insecure.example domain
493
494 echo "I:checking 1-server insecurity proof NSEC ($n)"
495 ret=0
496 $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
497 $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
498 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
499 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
500 # Note - this is looking for failure, hence the &&
501 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
502 n=`expr $n + 1`
503 if [ $ret != 0 ]; then echo "I:failed"; fi
504 status=`expr $status + $ret`
505
506 if [ -x ${DELV} ] ; then
507 ret=0
508 echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)"
509 $DELV $DELVOPTS @10.53.0.4 a a.insecure.example > delv.out$n || ret=1
510 grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
511 n=`expr $n + 1`
512 if [ $ret != 0 ]; then echo "I:failed"; fi
513 status=`expr $status + $ret`
514 fi
515
516 echo "I:checking 1-server insecurity proof NSEC3 ($n)"
517 ret=0
518 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
519 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
520 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
521 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
522 # Note - this is looking for failure, hence the &&
523 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
524 n=`expr $n + 1`
525 if [ $ret != 0 ]; then echo "I:failed"; fi
526 status=`expr $status + $ret`
527
528 if [ -x ${DELV} ] ; then
529 ret=0
530 echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)"
531 $DELV $DELVOPTS @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1
532 grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
533 n=`expr $n + 1`
534 if [ $ret != 0 ]; then echo "I:failed"; fi
535 status=`expr $status + $ret`
536 fi
537
538 echo "I:checking 1-server insecurity proof OPTOUT ($n)"
539 ret=0
540 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
541 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
542 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
543 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
544 # Note - this is looking for failure, hence the &&
545 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
546 n=`expr $n + 1`
547 if [ $ret != 0 ]; then echo "I:failed"; fi
548 status=`expr $status + $ret`
549
550 if [ -x ${DELV} ] ; then
551 ret=0
552 echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)"
553 $DELV $DELVOPTS @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1
554 grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
555 n=`expr $n + 1`
556 if [ $ret != 0 ]; then echo "I:failed"; fi
557 status=`expr $status + $ret`
558 fi
559
560 echo "I:checking 1-server negative insecurity proof NSEC ($n)"
561 ret=0
562 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
563 > dig.out.ns3.test$n || ret=1
564 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
565 > dig.out.ns4.test$n || ret=1
566 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
567 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
568 # Note - this is looking for failure, hence the &&
569 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
570 n=`expr $n + 1`
571 if [ $ret != 0 ]; then echo "I:failed"; fi
572 status=`expr $status + $ret`
573
574 if [ -x ${DELV} ] ; then
575 ret=0
576 echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)"
577 $DELV $DELVOPTS @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1
578 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
579 n=`expr $n + 1`
580 if [ $ret != 0 ]; then echo "I:failed"; fi
581 status=`expr $status + $ret`
582 fi
583
584 echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
585 ret=0
586 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
587 > dig.out.ns3.test$n || ret=1
588 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.4 \
589 > dig.out.ns4.test$n || ret=1
590 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
591 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
592 # Note - this is looking for failure, hence the &&
593 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
594 n=`expr $n + 1`
595 if [ $ret != 0 ]; then echo "I:failed"; fi
596 status=`expr $status + $ret`
597
598 if [ -x ${DELV} ] ; then
599 ret=0
600 echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
601 $DELV $DELVOPTS @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1
602 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
603 n=`expr $n + 1`
604 if [ $ret != 0 ]; then echo "I:failed"; fi
605 status=`expr $status + $ret`
606 fi
607
608 echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
609 ret=0
610 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
611 > dig.out.ns3.test$n || ret=1
612 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \
613 > dig.out.ns4.test$n || ret=1
614 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
615 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
616 # Note - this is looking for failure, hence the &&
617 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
618 n=`expr $n + 1`
619 if [ $ret != 0 ]; then echo "I:failed"; fi
620 status=`expr $status + $ret`
621
622 if [ -x ${DELV} ] ; then
623 ret=0
624 echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
625 $DELV $DELVOPTS @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1
626 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
627 n=`expr $n + 1`
628 if [ $ret != 0 ]; then echo "I:failed"; fi
629 status=`expr $status + $ret`
630 fi
631
632 echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
633 ret=0
634 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
635 > dig.out.ns3.test$n || ret=1
636 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
637 > dig.out.ns4.test$n || ret=1
638 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
639 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
640 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
641 # Note - this is looking for failure, hence the &&
642 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
643 n=`expr $n + 1`
644 if [ $ret != 0 ]; then echo "I:failed"; fi
645 status=`expr $status + $ret`
646
647 echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
648 ret=0
649 $DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \
650 > dig.out.ns3.test$n || ret=1
651 $DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \
652 > dig.out.ns4.test$n || ret=1
653 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
654 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
655 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
656 # Note - this is looking for failure, hence the &&
657 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
658 n=`expr $n + 1`
659 if [ $ret != 0 ]; then echo "I:failed"; fi
660 status=`expr $status + $ret`
661
662 echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
663 ret=0
664 $DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \
665 > dig.out.ns3.test$n || ret=1
666 $DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.4 \
667 > dig.out.ns4.test$n || ret=1
668 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
669 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
670 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1
671 # Note - this is looking for failure, hence the &&
672 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
673 n=`expr $n + 1`
674 if [ $ret != 0 ]; then echo "I:failed"; fi
675 status=`expr $status + $ret`
676
677 # Check the secure.example domain
678
679 echo "I:checking multi-stage positive validation NSEC/NSEC ($n)"
680 ret=0
681 $DIG $DIGOPTS +noauth a.secure.example. \
682 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
683 $DIG $DIGOPTS +noauth a.secure.example. \
684 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
685 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
686 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
687 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
688 n=`expr $n + 1`
689 if [ $ret != 0 ]; then echo "I:failed"; fi
690 status=`expr $status + $ret`
691
692 echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
693 ret=0
694 $DIG $DIGOPTS +noauth a.nsec3.example. \
695 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
696 $DIG $DIGOPTS +noauth a.nsec3.example. \
697 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
698 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
699 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
700 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
701 n=`expr $n + 1`
702 if [ $ret != 0 ]; then echo "I:failed"; fi
703 status=`expr $status + $ret`
704
705 echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
706 ret=0
707 $DIG $DIGOPTS +noauth a.optout.example. \
708 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
709 $DIG $DIGOPTS +noauth a.optout.example. \
710 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
711 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
712 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
713 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
714 n=`expr $n + 1`
715 if [ $ret != 0 ]; then echo "I:failed"; fi
716 status=`expr $status + $ret`
717
718 echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
719 ret=0
720 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
721 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
722 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \
723 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
724 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
725 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
726 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
727 n=`expr $n + 1`
728 if [ $ret != 0 ]; then echo "I:failed"; fi
729 status=`expr $status + $ret`
730
731 echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
732 ret=0
733 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
734 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
735 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
736 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
737 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
738 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
739 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
740 n=`expr $n + 1`
741 if [ $ret != 0 ]; then echo "I:failed"; fi
742 status=`expr $status + $ret`
743
744 echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
745 ret=0
746 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
747 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
748 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \
749 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
750 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
751 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
752 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
753 n=`expr $n + 1`
754 if [ $ret != 0 ]; then echo "I:failed"; fi
755 status=`expr $status + $ret`
756
757 echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
758 ret=0
759 $DIG $DIGOPTS +noauth a.secure.optout.example. \
760 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
761 $DIG $DIGOPTS +noauth a.secure.optout.example. \
762 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
763 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
764 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
765 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
766 n=`expr $n + 1`
767 if [ $ret != 0 ]; then echo "I:failed"; fi
768 status=`expr $status + $ret`
769
770 echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
771 ret=0
772 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
773 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
774 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \
775 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
776 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
777 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
778 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
779 n=`expr $n + 1`
780 if [ $ret != 0 ]; then echo "I:failed"; fi
781 status=`expr $status + $ret`
782
783 echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
784 ret=0
785 $DIG $DIGOPTS +noauth a.optout.optout.example. \
786 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
787 $DIG $DIGOPTS +noauth a.optout.optout.example. \
788 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
789 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
790 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
791 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
792 n=`expr $n + 1`
793 if [ $ret != 0 ]; then echo "I:failed"; fi
794 status=`expr $status + $ret`
795
796 echo "I:checking empty NODATA OPTOUT ($n)"
797 ret=0
798 $DIG $DIGOPTS +noauth empty.optout.example. \
799 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
800 $DIG $DIGOPTS +noauth empty.optout.example. \
801 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
802 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
803 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
804 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
805 n=`expr $n + 1`
806 if [ $ret != 0 ]; then echo "I:failed"; fi
807 status=`expr $status + $ret`
808
809 # Check the bogus domain
810
811 echo "I:checking failed validation ($n)"
812 ret=0
813 $DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
814 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
815 n=`expr $n + 1`
816 if [ $ret != 0 ]; then echo "I:failed"; fi
817 status=`expr $status + $ret`
818
819 if [ -x ${DELV} ] ; then
820 ret=0
821 echo "I:checking failed validation using dns_client ($n)"
822 $DELV $DELVOPTS +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1
823 grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1
824 n=`expr $n + 1`
825 if [ $ret != 0 ]; then echo "I:failed"; fi
826 status=`expr $status + $ret`
827 fi
828
829 # Try validating with a bad trusted key.
830 # This should fail.
831
832 echo "I:checking that validation fails with a misconfigured trusted key ($n)"
833 ret=0
834 $DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
835 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
836 n=`expr $n + 1`
837 if [ $ret != 0 ]; then echo "I:failed"; fi
838 status=`expr $status + $ret`
839
840 echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
841 ret=0
842 $DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
843 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
844 n=`expr $n + 1`
845 if [ $ret != 0 ]; then echo "I:failed"; fi
846 status=`expr $status + $ret`
847
848 echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
849 ret=0
850 $DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
851 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
852 n=`expr $n + 1`
853 if [ $ret != 0 ]; then echo "I:failed"; fi
854 status=`expr $status + $ret`
855
856 echo "I:checking that validation fails when key record is missing ($n)"
857 ret=0
858 $DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
859 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
860 n=`expr $n + 1`
861 if [ $ret != 0 ]; then echo "I:failed"; fi
862 status=`expr $status + $ret`
863
864 if [ -x ${DELV} ] ; then
865 ret=0
866 echo "I:checking that validation fails when key record is missing using dns_client ($n)"
867 $DELV $DELVOPTS +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1
868 grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1
869 n=`expr $n + 1`
870 if [ $ret != 0 ]; then echo "I:failed"; fi
871 status=`expr $status + $ret`
872 fi
873
874 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
875 ret=0
876 #prime
877 $DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
878 #check: requery with +CD. pending data should be returned even if it's bogus
879 expect="a.example.
880 10.0.0.1"
881 ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
882 test "$ans" = "$expect" || ret=1
883 test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
884 #check: requery without +CD. bogus cached data should be rejected.
885 $DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
886 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
887 n=`expr $n + 1`
888 if [ $ret != 0 ]; then echo "I:failed"; fi
889 status=`expr $status + $ret`
890
891 echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
892 ret=0
893 #prime
894 $DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
895 #check: requery with +CD. pending data should be returned even if it's bogus
896 expect="example.
897 a.example.
898 10.0.0.1"
899 ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
900 test "$ans" = "$expect" || ret=1
901 test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
902 #check: requery without +CD. bogus cached data should be rejected.
903 $DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
904 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
905 n=`expr $n + 1`
906 if [ $ret != 0 ]; then echo "I:failed"; fi
907 status=`expr $status + $ret`
908
909 # Check the insecure.secure.example domain (insecurity proof)
910
911 echo "I:checking 2-server insecurity proof ($n)"
912 ret=0
913 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
914 > dig.out.ns2.test$n || ret=1
915 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
916 > dig.out.ns4.test$n || ret=1
917 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
918 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
919 # Note - this is looking for failure, hence the &&
920 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
921 n=`expr $n + 1`
922 if [ $ret != 0 ]; then echo "I:failed"; fi
923 status=`expr $status + $ret`
924
925 # Check a negative response in insecure.secure.example
926
927 echo "I:checking 2-server insecurity proof with a negative answer ($n)"
928 ret=0
929 $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
930 || ret=1
931 $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
932 || ret=1
933 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
934 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
935 # Note - this is looking for failure, hence the &&
936 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
937 n=`expr $n + 1`
938 if [ $ret != 0 ]; then echo "I:failed"; fi
939 status=`expr $status + $ret`
940
941 echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
942 ret=0
943 $DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
944 || ret=1
945 $DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
946 || ret=1
947 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
948 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
949 # Note - this is looking for failure, hence the &&
950 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
951 n=`expr $n + 1`
952 if [ $ret != 0 ]; then echo "I:failed"; fi
953 status=`expr $status + $ret`
954
955 # Check that the query for a security root is successful and has ad set
956
957 echo "I:checking security root query ($n)"
958 ret=0
959 $DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
960 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
961 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
962 n=`expr $n + 1`
963 if [ $ret != 0 ]; then echo "I:failed"; fi
964 status=`expr $status + $ret`
965
966 # Check that the setting the cd bit works
967
968 echo "I:checking cd bit on a positive answer ($n)"
969 ret=0
970 $DIG $DIGOPTS +noauth example. soa @10.53.0.4 \
971 > dig.out.ns4.test$n || ret=1
972 $DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \
973 > dig.out.ns5.test$n || ret=1
974 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
975 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
976 # Note - this is looking for failure, hence the &&
977 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
978 n=`expr $n + 1`
979 if [ $ret != 0 ]; then echo "I:failed"; fi
980 status=`expr $status + $ret`
981
982 echo "I:checking cd bit on a negative answer ($n)"
983 ret=0
984 $DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
985 $DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
986 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
987 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
988 # Note - this is looking for failure, hence the &&
989 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
990 n=`expr $n + 1`
991 if [ $ret != 0 ]; then echo "I:failed"; fi
992 status=`expr $status + $ret`
993
994 echo "I:checking positive validation RSASHA256 NSEC ($n)"
995 ret=0
996 $DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
997 $DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
998 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
999 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1000 n=`expr $n + 1`
1001 if [ $ret != 0 ]; then echo "I:failed"; fi
1002 status=`expr $status + $ret`
1003
1004 echo "I:checking positive validation RSASHA512 NSEC ($n)"
1005 ret=0
1006 $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
1007 $DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1008 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
1009 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1010 n=`expr $n + 1`
1011 if [ $ret != 0 ]; then echo "I:failed"; fi
1012 status=`expr $status + $ret`
1013
1014 echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
1015 ret=0
1016 $DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
1017 $DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1018 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
1019 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1020 n=`expr $n + 1`
1021 if [ $ret != 0 ]; then echo "I:failed"; fi
1022 status=`expr $status + $ret`
1023
1024 echo "I:checking cd bit on a query that should fail ($n)"
1025 ret=0
1026 $DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
1027 > dig.out.ns4.test$n || ret=1
1028 $DIG $DIGOPTS +cdflag a.bogus.example. soa @10.53.0.5 \
1029 > dig.out.ns5.test$n || ret=1
1030 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
1031 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1032 # Note - this is looking for failure, hence the &&
1033 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
1034 n=`expr $n + 1`
1035 if [ $ret != 0 ]; then echo "I:failed"; fi
1036 status=`expr $status + $ret`
1037
1038 echo "I:checking cd bit on an insecurity proof ($n)"
1039 ret=0
1040 $DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
1041 > dig.out.ns4.test$n || ret=1
1042 $DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
1043 > dig.out.ns5.test$n || ret=1
1044 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
1045 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1046 # Note - these are looking for failure, hence the &&
1047 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1048 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
1049 n=`expr $n + 1`
1050 if [ $ret != 0 ]; then echo "I:failed"; fi
1051 status=`expr $status + $ret`
1052
1053 echo "I:checking cd bit on a negative insecurity proof ($n)"
1054 ret=0
1055 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
1056 > dig.out.ns4.test$n || ret=1
1057 $DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
1058 > dig.out.ns5.test$n || ret=1
1059 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
1060 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
1061 # Note - these are looking for failure, hence the &&
1062 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1063 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
1064 n=`expr $n + 1`
1065 if [ $ret != 0 ]; then echo "I:failed"; fi
1066 status=`expr $status + $ret`
1067
1068 echo "I:checking that validation of an ANY query works ($n)"
1069 ret=0
1070 $DIG $DIGOPTS +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
1071 $DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
1072 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1073 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1074 # 2 records in the zone, 1 NXT, 3 SIGs
1075 grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
1076 n=`expr $n + 1`
1077 if [ $ret != 0 ]; then echo "I:failed"; fi
1078 status=`expr $status + $ret`
1079
1080 echo "I:checking that validation of a query returning a CNAME works ($n)"
1081 ret=0
1082 $DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \
1083 > dig.out.ns2.test$n || ret=1
1084 $DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.4 \
1085 > dig.out.ns4.test$n || ret=1
1086 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1087 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1088 # the CNAME & its sig, the TXT and its SIG
1089 grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
1090 n=`expr $n + 1`
1091 if [ $ret != 0 ]; then echo "I:failed"; fi
1092 status=`expr $status + $ret`
1093
1094 echo "I:checking that validation of a query returning a DNAME works ($n)"
1095 ret=0
1096 $DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \
1097 > dig.out.ns2.test$n || ret=1
1098 $DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \
1099 > dig.out.ns4.test$n || ret=1
1100 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1101 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1102 # The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
1103 # It would be nice to test that the CNAME is being synthesized by the
1104 # recursive server and not cached, but I don't know how.
1105 grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1
1106 n=`expr $n + 1`
1107 if [ $ret != 0 ]; then echo "I:failed"; fi
1108 status=`expr $status + $ret`
1109
1110 echo "I:checking that validation of an ANY query returning a CNAME works ($n)"
1111 ret=0
1112 $DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \
1113 > dig.out.ns2.test$n || ret=1
1114 $DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \
1115 > dig.out.ns4.test$n || ret=1
1116 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1117 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1118 # The CNAME, NXT, and their SIGs
1119 grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
1120 n=`expr $n + 1`
1121 if [ $ret != 0 ]; then echo "I:failed"; fi
1122 status=`expr $status + $ret`
1123
1124 echo "I:checking that validation of an ANY query returning a DNAME works ($n)"
1125 ret=0
1126 $DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \
1127 > dig.out.ns2.test$n || ret=1
1128 $DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.4 \
1129 > dig.out.ns4.test$n || ret=1
1130 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1131 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1132 n=`expr $n + 1`
1133 if [ $ret != 0 ]; then echo "I:failed"; fi
1134 status=`expr $status + $ret`
1135
1136 echo "I:checking that positive validation in a privately secure zone works ($n)"
1137 ret=0
1138 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
1139 > dig.out.ns2.test$n || ret=1
1140 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
1141 > dig.out.ns4.test$n || ret=1
1142 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1143 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1144 # Note - this is looking for failure, hence the &&
1145 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1146 n=`expr $n + 1`
1147 if [ $ret != 0 ]; then echo "I:failed"; fi
1148 status=`expr $status + $ret`
1149
1150 echo "I:checking that negative validation in a privately secure zone works ($n)"
1151 ret=0
1152 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
1153 > dig.out.ns2.test$n || ret=1
1154 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
1155 > dig.out.ns4.test$n || ret=1
1156 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1157 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
1158 # Note - this is looking for failure, hence the &&
1159 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1160 n=`expr $n + 1`
1161 if [ $ret != 0 ]; then echo "I:failed"; fi
1162 status=`expr $status + $ret`
1163
1164 echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
1165 ret=0
1166 $DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
1167 > dig.out.ns2.test$n || ret=1
1168 $DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \
1169 > dig.out.ns6.test$n || ret=1
1170 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
1171 # Note - this is looking for failure, hence the &&
1172 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
1173 n=`expr $n + 1`
1174 if [ $ret != 0 ]; then echo "I:failed"; fi
1175 status=`expr $status + $ret`
1176
1177 echo "I:checking privately secure to nxdomain works ($n)"
1178 ret=0
1179 $DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
1180 > dig.out.ns2.test$n || ret=1
1181 $DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
1182 > dig.out.ns4.test$n || ret=1
1183 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1184 # Note - this is looking for failure, hence the &&
1185 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1186 n=`expr $n + 1`
1187 if [ $ret != 0 ]; then echo "I:failed"; fi
1188 status=`expr $status + $ret`
1189
1190 echo "I:checking privately secure wildcard to nxdomain works ($n)"
1191 ret=0
1192 $DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
1193 > dig.out.ns2.test$n || ret=1
1194 $DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
1195 > dig.out.ns4.test$n || ret=1
1196 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1197 # Note - this is looking for failure, hence the &&
1198 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1199 n=`expr $n + 1`
1200 if [ $ret != 0 ]; then echo "I:failed"; fi
1201 status=`expr $status + $ret`
1202
1203 echo "I:checking a non-cachable NODATA works ($n)"
1204 ret=0
1205 $DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \
1206 > dig.out.ns7.test$n || ret=1
1207 grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
1208 $DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.4 \
1209 > dig.out.ns4.test$n || ret=1
1210 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1211 n=`expr $n + 1`
1212 if [ $ret != 0 ]; then echo "I:failed"; fi
1213 status=`expr $status + $ret`
1214
1215 echo "I:checking a non-cachable NXDOMAIN works ($n)"
1216 ret=0
1217 $DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \
1218 > dig.out.ns7.test$n || ret=1
1219 grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
1220 $DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \
1221 > dig.out.ns4.test$n || ret=1
1222 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
1223 n=`expr $n + 1`
1224 if [ $ret != 0 ]; then echo "I:failed"; fi
1225 status=`expr $status + $ret`
1226
1227 #
1228 # private.secure.example is served by the same server as its
1229 # grand parent and there is not a secure delegation from secure.example
1230 # to private.secure.example. In addition secure.example is using a
1231 # algorithm which the validation does not support.
1232 #
1233 echo "I:checking dnssec-lookaside-validation works ($n)"
1234 ret=0
1235 $DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \
1236 > dig.out.ns6.test$n || ret=1
1237 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
1238 n=`expr $n + 1`
1239 if [ $ret != 0 ]; then echo "I:failed"; fi
1240 status=`expr $status + $ret`
1241
1242 echo "I:checking that we can load a rfc2535 signed zone ($n)"
1243 ret=0
1244 $DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \
1245 > dig.out.ns2.test$n || ret=1
1246 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
1247 n=`expr $n + 1`
1248 if [ $ret != 0 ]; then echo "I:failed"; fi
1249 status=`expr $status + $ret`
1250
1251 echo "I:checking that we can transfer a rfc2535 signed zone ($n)"
1252 ret=0
1253 $DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \
1254 > dig.out.ns3.test$n || ret=1
1255 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
1256 n=`expr $n + 1`
1257 if [ $ret != 0 ]; then echo "I:failed"; fi
1258 status=`expr $status + $ret`
1259
1260 echo "I:checking that we can sign a zone with out-of-zone records ($n)"
1261 ret=0
1262 zone=example
1263 key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1264 key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1265 (
1266 cd signer
1267 cat example.db.in $key1.key $key2.key > example.db
1268 $SIGNER -o example -f example.db example.db > /dev/null 2>&1
1269 ) || ret=1
1270 n=`expr $n + 1`
1271 if [ $ret != 0 ]; then echo "I:failed"; fi
1272 status=`expr $status + $ret`
1273
1274 echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
1275 ret=0
1276 zone=example
1277 key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1278 key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1279 (
1280 cd signer
1281 cat example.db.in $key1.key $key2.key > example.db
1282 $SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
1283 awk '/^IQF9LQTLK/ {
1284 printf("%s", $0);
1285 while (!index($0, ")")) {
1286 if (getline <= 0)
1287 break;
1288 printf (" %s", $0);
1289 }
1290 printf("\n");
1291 }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out
1292
1293 grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
1294 ) || ret=1
1295 n=`expr $n + 1`
1296 if [ $ret != 0 ]; then echo "I:failed"; fi
1297 status=`expr $status + $ret`
1298
1299 echo "I:checking NSEC3 signing with empty nonterminals above a delegation ($n)"
1300 ret=0
1301 zone=example
1302 key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1303 key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
1304 (
1305 cd signer
1306 cat example.db.in $key1.key $key2.key > example3.db
1307 echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db
1308 $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1
1309 awk '/^IQF9LQTLK/ {
1310 printf("%s", $0);
1311 while (!index($0, ")")) {
1312 if (getline <= 0)
1313 break;
1314 printf (" %s", $0);
1315 }
1316 printf("\n");
1317 }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out
1318
1319 grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
1320 ) || ret=1
1321 n=`expr $n + 1`
1322 if [ $ret != 0 ]; then echo "I:failed"; fi
1323 status=`expr $status + $ret`
1324
1325 echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
1326 ret=0
1327 zone=example
1328 key1=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
1329 key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
1330 (
1331 cd signer
1332 cat example.db.in $key1.key $key2.key > example.db
1333 $SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
1334 sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
1335 $SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
1336 )
1337 grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
1338 n=`expr $n + 1`
1339 if [ $ret != 0 ]; then echo "I:failed"; fi
1340 status=`expr $status + $ret`
1341
1342 echo "I:checking dnssec-signzone keeps valid signatures from removed keys ($n)"
1343 ret=0
1344 zone=example
1345 key1=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
1346 key2=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
1347 keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
1348 key3=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
1349 keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
1350 (
1351 cd signer
1352 cat example.db.in $key1.key $key2.key > example.db
1353 $SIGNER -D -o example example.db > /dev/null 2>&1
1354
1355 # now switch out key2 for key3 and resign the zone
1356 cat example.db.in $key1.key $key3.key > example.db
1357 echo '$INCLUDE "example.db.signed"' >> example.db
1358 $SIGNER -D -o example example.db > /dev/null 2>&1
1359 ) || ret=1
1360 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1361 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1362 n=`expr $n + 1`
1363 if [ $ret != 0 ]; then echo "I:failed"; fi
1364 status=`expr $status + $ret`
1365
1366 echo "I:checking dnssec-signzone -R purges signatures from removed keys ($n)"
1367 ret=0
1368 (
1369 cd signer
1370 $SIGNER -RD -o example example.db > /dev/null 2>&1
1371 ) || ret=1
1372 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
1373 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1374 n=`expr $n + 1`
1375 if [ $ret != 0 ]; then echo "I:failed"; fi
1376 status=`expr $status + $ret`
1377
1378 echo "I:checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
1379 ret=0
1380 zone=example
1381 (
1382 cd signer
1383 cp -f example.db.in example.db
1384 $SIGNER -SD -o example example.db > /dev/null 2>&1
1385 echo '$INCLUDE "example.db.signed"' >> example.db
1386 # now retire key2 and resign the zone
1387 $SETTIME -I now $key2 > /dev/null 2>&1
1388 $SIGNER -SD -o example example.db > /dev/null 2>&1
1389 ) || ret=1
1390 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1391 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1392 n=`expr $n + 1`
1393 if [ $ret != 0 ]; then echo "I:failed"; fi
1394 status=`expr $status + $ret`
1395
1396 echo "I:checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
1397 ret=0
1398 (
1399 cd signer
1400 $SIGNER -SDQ -o example example.db > /dev/null 2>&1
1401 ) || ret=1
1402 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1
1403 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
1404 n=`expr $n + 1`
1405 if [ $ret != 0 ]; then echo "I:failed"; fi
1406 status=`expr $status + $ret`
1407
1408 echo "I:checking dnssec-signzone retains unexpired signatures ($n)"
1409 ret=0
1410 (
1411 cd signer
1412 $SIGNER -Sxt -o example example.db > signer.out.1 2>&1
1413 $SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1
1414 ) || ret=1
1415 gen1=`awk '/generated/ {print $3}' signer/signer.out.1`
1416 retain1=`awk '/retained/ {print $3}' signer/signer.out.1`
1417 drop1=`awk '/dropped/ {print $3}' signer/signer.out.1`
1418 gen2=`awk '/generated/ {print $3}' signer/signer.out.2`
1419 retain2=`awk '/retained/ {print $3}' signer/signer.out.2`
1420 drop2=`awk '/dropped/ {print $3}' signer/signer.out.2`
1421 [ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1
1422 [ "$gen2" -eq 0 ] || ret=1
1423 [ "$drop2" -eq 0 ] || ret=1
1424 n=`expr $n + 1`
1425 if [ $ret != 0 ]; then echo "I:failed"; fi
1426 status=`expr $status + $ret`
1427
1428 echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
1429 ret=0
1430 (
1431 cd signer
1432 # remove NSEC-only keys
1433 rm -f Kexample.+005*
1434 cp -f example.db.in example2.db
1435 cat << EOF >> example2.db
1436 sub1.example. IN A 10.53.0.1
1437 ns.sub2.example. IN A 10.53.0.2
1438 EOF
1439 echo '$INCLUDE "example2.db.signed"' >> example2.db
1440 touch example2.db.signed
1441 $SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
1442 ) || ret=1
1443 grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
1444 grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
1445 (
1446 cd signer
1447 cp -f example.db.in example2.db
1448 cat << EOF >> example2.db
1449 sub1.example. IN NS sub1.example.
1450 sub1.example. IN A 10.53.0.1
1451 sub2.example. IN NS ns.sub2.example.
1452 ns.sub2.example. IN A 10.53.0.2
1453 EOF
1454 echo '$INCLUDE "example2.db.signed"' >> example2.db
1455 $SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
1456 ) || ret=1
1457 grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
1458 grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
1459 n=`expr $n + 1`
1460 if [ $ret != 0 ]; then echo "I:failed"; fi
1461 status=`expr $status + $ret`
1462
1463 echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
1464 ret=0
1465 (
1466 cd signer
1467 rm -f example2.db.signed
1468 cp -f example.db.in example2.db
1469 cat << EOF >> example2.db
1470 sub1.example. IN A 10.53.0.1
1471 ns.sub2.example. IN A 10.53.0.2
1472 EOF
1473 echo '$INCLUDE "example2.db.signed"' >> example2.db
1474 touch example2.db.signed
1475 $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
1476 ) || ret=1
1477 grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
1478 grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
1479 (
1480 cd signer
1481 cp -f example.db.in example2.db
1482 cat << EOF >> example2.db
1483 sub1.example. IN NS sub1.example.
1484 sub1.example. IN A 10.53.0.1
1485 sub2.example. IN NS ns.sub2.example.
1486 ns.sub2.example. IN A 10.53.0.2
1487 EOF
1488 echo '$INCLUDE "example2.db.signed"' >> example2.db
1489 $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
1490 ) || ret=1
1491 grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
1492 grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
1493 n=`expr $n + 1`
1494 if [ $ret != 0 ]; then echo "I:failed"; fi
1495 status=`expr $status + $ret`
1496
1497 echo "I:checking dnssec-signzone output format ($n)"
1498 ret=0
1499 (
1500 cd signer
1501 $SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
1502 $SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
1503 $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1
1504 $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1
1505 $SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
1506 ) || ret=1
1507 awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1
1508 awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1
1509 israw1 signer/signer.out.5 || ret=1
1510 israw0 signer/signer.out.6 || ret=1
1511 israw1 signer/signer.out.7 || ret=1
1512 if [ $ret != 0 ]; then echo "I:failed"; fi
1513 status=`expr $status + $ret`
1514
1515 echo "I:checking dnssec-signzone output format ($n)"
1516 ret=0
1517 (
1518 cd signer
1519 $SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2>&1
1520 $SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2>&1
1521 ) || ret=1
1522 awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1
1523 awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1
1524 if [ $ret != 0 ]; then echo "I:failed"; fi
1525 status=`expr $status + $ret`
1526
1527 echo "I:checking TTLs are capped by dnssec-signzone -M ($n)"
1528 ret=0
1529 (
1530 cd signer
1531 $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1
1532 ) || ret=1
1533 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
1534 if [ $ret != 0 ]; then echo "I:failed"; fi
1535 status=`expr $status + $ret`
1536
1537 echo "I:checking validated data are not cached longer than originalttl ($n)"
1538 ret=0
1539 $DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
1540 $DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1541 grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
1542 grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
1543 grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
1544 grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
1545 n=`expr $n + 1`
1546 if [ $ret != 0 ]; then echo "I:failed"; fi
1547 status=`expr $status + $ret`
1548
1549 # Test that "rndc secroots" is able to dump trusted keys
1550 echo "I:checking rndc secroots ($n)"
1551 ret=0
1552 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
1553 keyid=`cat ns1/managed.key.id`
1554 cp ns4/named.secroots named.secroots.test$n
1555 linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l`
1556 [ "$linecount" -eq 1 ] || ret=1
1557 linecount=`cat named.secroots.test$n | wc -l`
1558 [ "$linecount" -eq 5 ] || ret=1
1559 n=`expr $n + 1`
1560 if [ $ret != 0 ]; then echo "I:failed"; fi
1561 status=`expr $status + $ret`
1562
1563 # Check direct query for RRSIG. If we first ask for normal (non RRSIG)
1564 # record, the corresponding RRSIG should be cached and subsequent query
1565 # for RRSIG will be returned with the cached record.
1566 echo "I:checking RRSIG query from cache ($n)"
1567 ret=0
1568 $DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
1569 ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1
1570 expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
1571 test "$ans" = "$expect" || ret=1
1572 # also check that RA is set
1573 $DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
1574 grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1575 n=`expr $n + 1`
1576 if [ $ret != 0 ]; then echo "I:failed"; fi
1577 status=`expr $status + $ret`
1578
1579 # Check direct query for RRSIG: If it's not cached with other records,
1580 # it should result in an empty response.
1581 echo "I:checking RRSIG query not in cache ($n)"
1582 ret=0
1583 ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1
1584 test -z "$ans" || ret=1
1585 # also check that RA is cleared
1586 $DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
1587 grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1588 n=`expr $n + 1`
1589 if [ $ret != 0 ]; then echo "I:failed"; fi
1590 status=`expr $status + $ret`
1591
1592 #
1593 # RT21868 regression test.
1594 #
1595 echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
1596 ret=0
1597 $DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1598 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
1599 n=`expr $n + 1`
1600 if [ $ret != 0 ]; then echo "I:failed"; fi
1601 status=`expr $status + $ret`
1602
1603 #
1604 # RT22007 regression test.
1605 #
1606 echo "I:checking optout NSEC3 referral with only insecure delegations ($n)"
1607 ret=0
1608 $DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1609 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
1610 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
1611 n=`expr $n + 1`
1612 if [ $ret != 0 ]; then echo "I:failed"; fi
1613 status=`expr $status + $ret`
1614
1615 echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
1616 ret=0
1617 $DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1618 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
1619 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
1620 n=`expr $n + 1`
1621 if [ $ret != 0 ]; then echo "I:failed"; fi
1622
1623 status=`expr $status + $ret`
1624 echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)"
1625 ret=0
1626 $DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1627 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
1628 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
1629 n=`expr $n + 1`
1630 if [ $ret != 0 ]; then echo "I:failed"; fi
1631 status=`expr $status + $ret`
1632
1633 echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
1634 ret=0
1635 $DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1636 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1637 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
1638 if [ $ret != 0 ]; then echo "I:failed"; fi
1639 status=`expr $status + $ret`
1640
1641 # Run a minimal update test if possible. This is really just
1642 # a regression test for RT #2399; more tests should be added.
1643
1644 if $PERL -e 'use Net::DNS;' 2>/dev/null
1645 then
1646 echo "I:running DNSSEC update test"
1647 $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1
1648 else
1649 echo "I:The DNSSEC update test requires the Net::DNS library." >&2
1650 fi
1651
1652 echo "I:checking managed key maintenance has not started yet ($n)"
1653 ret=0
1654 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1
1655 n=`expr $n + 1`
1656 if [ $ret != 0 ]; then echo "I:failed"; fi
1657 status=`expr $status + $ret`
1658
1659 # Reconfigure caching server to use "dnssec-validation auto", and repeat
1660 # some of the DNSSEC validation tests to ensure that it works correctly.
1661 echo "I:switching to automatic root key configuration"
1662 cp ns4/named2.conf ns4/named.conf
1663 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
1664 sleep 5
1665
1666 echo "I:checking managed key maintenance timer has now started ($n)"
1667 ret=0
1668 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1
1669 n=`expr $n + 1`
1670 if [ $ret != 0 ]; then echo "I:failed"; fi
1671 status=`expr $status + $ret`
1672
1673 echo "I:checking positive validation NSEC ($n)"
1674 ret=0
1675 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1676 $DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1677 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1678 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1679 n=`expr $n + 1`
1680 if [ $ret != 0 ]; then echo "I:failed"; fi
1681 status=`expr $status + $ret`
1682
1683 echo "I:checking positive validation NSEC3 ($n)"
1684 ret=0
1685 $DIG $DIGOPTS +noauth a.nsec3.example. \
1686 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
1687 $DIG $DIGOPTS +noauth a.nsec3.example. \
1688 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1689 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
1690 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1691 n=`expr $n + 1`
1692 if [ $ret != 0 ]; then echo "I:failed"; fi
1693 status=`expr $status + $ret`
1694
1695 echo "I:checking positive validation OPTOUT ($n)"
1696 ret=0
1697 $DIG $DIGOPTS +noauth a.optout.example. \
1698 @10.53.0.3 a > dig.out.ns3.test$n || ret=1
1699 $DIG $DIGOPTS +noauth a.optout.example. \
1700 @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1701 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
1702 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1703 n=`expr $n + 1`
1704 if [ $ret != 0 ]; then echo "I:failed"; fi
1705 status=`expr $status + $ret`
1706
1707 echo "I:checking negative validation ($n)"
1708 ret=0
1709 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
1710 $DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
1711 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
1712 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1713 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
1714 n=`expr $n + 1`
1715 if [ $ret != 0 ]; then echo "I:failed"; fi
1716 status=`expr $status + $ret`
1717
1718 echo "I:checking that root DS queries validate ($n)"
1719 ret=0
1720 $DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
1721 $DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
1722 $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
1723 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
1724 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1725 n=`expr $n + 1`
1726 if [ $ret != 0 ]; then echo "I:failed"; fi
1727 status=`expr $status + $ret`
1728
1729 echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
1730 ret=0
1731 $DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
1732 $DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
1733 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
1734 grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
1735 n=`expr $n + 1`
1736 if [ $ret != 0 ]; then echo "I:failed"; fi
1737 status=`expr $status + $ret`
1738
1739 echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
1740 ret=0
1741 $DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
1742 grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
1743 n=`expr $n + 1`
1744 if [ $ret != 0 ]; then echo "I:failed"; fi
1745
1746 status=`expr $status + $ret`
1747 echo "I:checking expired signatures do not validate ($n)"
1748 ret=0
1749 $DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
1750 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
1751 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
1752 grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
1753 n=`expr $n + 1`
1754 if [ $ret != 0 ]; then echo "I:failed"; fi
1755 status=`expr $status + $ret`
1756
1757 echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
1758 ret=0
1759 (
1760 cd ns3
1761 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
1762 (
1763 echo zone update-nsec3.example
1764 echo server 10.53.0.3 5300
1765 grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/'
1766 echo send
1767 ) | $NSUPDATE
1768 )
1769 $DIG $DIGOPTS +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1770 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1771 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
1772 grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
1773 n=`expr $n + 1`
1774 if [ $ret != 0 ]; then echo "I:failed"; fi
1775 status=`expr $status + $ret`
1776
1777 echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
1778 ret=0
1779 $DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1780 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1781 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
1782 grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
1783 n=`expr $n + 1`
1784 if [ $ret != 0 ]; then echo "I:failed"; fi
1785 status=`expr $status + $ret`
1786
1787 echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
1788 ret=0
1789 $DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1790 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1791 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
1792 grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
1793 n=`expr $n + 1`
1794 if [ $ret != 0 ]; then echo "I:failed"; fi
1795 status=`expr $status + $ret`
1796
1797 echo "I:checking that signing records have been marked as complete ($n)"
1798 ret=0
1799 checkprivate dynamic.example 10.53.0.3 || ret=1
1800 checkprivate update-nsec3.example 10.53.0.3 || ret=1
1801 checkprivate auto-nsec3.example 10.53.0.3 || ret=1
1802 checkprivate expiring.example 10.53.0.3 || ret=1
1803 checkprivate auto-nsec.example 10.53.0.3 || ret=1
1804 n=`expr $n + 1`
1805 if [ $ret != 0 ]; then echo "I:failed"; fi
1806 status=`expr $status + $ret`
1807
1808 echo "I:check that 'rndc signing' without arguments is handled ($n)"
1809 ret=0
1810 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing > /dev/null 2>&1 && ret=1
1811 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1812 n=`expr $n + 1`
1813 if [ $ret != 0 ]; then echo "I:failed"; fi
1814 status=`expr $status + $ret`
1815
1816 echo "I:check that 'rndc signing -list' without zone is handled ($n)"
1817 ret=0
1818 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list > /dev/null 2>&1 && ret=1
1819 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1820 n=`expr $n + 1`
1821 if [ $ret != 0 ]; then echo "I:failed"; fi
1822 status=`expr $status + $ret`
1823
1824 echo "I:check that 'rndc signing -clear' without additional arguments is handled ($n)"
1825 ret=0
1826 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear > /dev/null 2>&1 && ret=1
1827 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1828 n=`expr $n + 1`
1829 if [ $ret != 0 ]; then echo "I:failed"; fi
1830 status=`expr $status + $ret`
1831
1832 echo "I:check that 'rndc signing -clear all' without zone is handled ($n)"
1833 ret=0
1834 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all > /dev/null 2>&1 && ret=1
1835 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1836 n=`expr $n + 1`
1837 if [ $ret != 0 ]; then echo "I:failed"; fi
1838 status=`expr $status + $ret`
1839
1840 echo "I:check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
1841 ret=0
1842 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param > /dev/null 2>&1 && ret=1
1843 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1844 n=`expr $n + 1`
1845 if [ $ret != 0 ]; then echo "I:failed"; fi
1846 status=`expr $status + $ret`
1847
1848 echo "I:check that 'rndc signing -nsec3param none' without zone is handled ($n)"
1849 ret=0
1850 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none > /dev/null 2>&1 && ret=1
1851 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1852 n=`expr $n + 1`
1853 if [ $ret != 0 ]; then echo "I:failed"; fi
1854 status=`expr $status + $ret`
1855
1856 echo "I:check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
1857 ret=0
1858 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
1859 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1860 n=`expr $n + 1`
1861 if [ $ret != 0 ]; then echo "I:failed"; fi
1862 status=`expr $status + $ret`
1863
1864 echo "I:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
1865 ret=0
1866 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
1867 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1868 n=`expr $n + 1`
1869 if [ $ret != 0 ]; then echo "I:failed"; fi
1870 status=`expr $status + $ret`
1871
1872 echo "I:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
1873 ret=0
1874 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
1875 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1876 n=`expr $n + 1`
1877 if [ $ret != 0 ]; then echo "I:failed"; fi
1878 status=`expr $status + $ret`
1879
1880 echo "I:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
1881 ret=0
1882 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
1883 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1884 n=`expr $n + 1`
1885 if [ $ret != 0 ]; then echo "I:failed"; fi
1886 status=`expr $status + $ret`
1887
1888 echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
1889 ret=0
1890 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
1891 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1892 for i in 1 2 3 4 5 6 7 8 9 10 ; do
1893 salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
1894 if [ "$salt" = "FFFF" ]; then
1895 break;
1896 fi
1897 echo "I:sleeping ...."
1898 sleep 1
1899 done;
1900 [ "$salt" = "FFFF" ] || ret=1
1901 n=`expr $n + 1`
1902 if [ $ret != 0 ]; then echo "I:failed"; fi
1903 status=`expr $status + $ret`
1904
1905 echo "I:check that 'rndc signing -nsec3param' works without salt ($n)"
1906 ret=0
1907 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
1908 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1909 for i in 1 2 3 4 5 6 7 8 9 10 ; do
1910 salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
1911 if [ "$salt" = "-" ]; then
1912 break;
1913 fi
1914 echo "I:sleeping ...."
1915 sleep 1
1916 done;
1917 [ "$salt" = "-" ] || ret=1
1918 n=`expr $n + 1`
1919 if [ $ret != 0 ]; then echo "I:failed"; fi
1920 status=`expr $status + $ret`
1921
1922 echo "I:check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
1923 ret=0
1924 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
1925 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1926 for i in 1 2 3 4 5 6 7 8 9 10 ; do
1927 salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
1928 [ -n "$salt" -a "$salt" != "-" ] && break
1929 echo "I:sleeping ...."
1930 sleep 1
1931 done;
1932 [ "$salt" != "-" ] || ret=1
1933 [ `expr "${salt}" : ".*"` -eq 16 ] || ret=1
1934 n=`expr $n + 1`
1935 if [ $ret != 0 ]; then echo "I:failed"; fi
1936 status=`expr $status + $ret`
1937
1938 echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
1939 ret=0
1940 oldsalt=$salt
1941 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
1942 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
1943 for i in 1 2 3 4 5 6 7 8 9 10 ; do
1944 salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
1945 [ -n "$salt" -a "$salt" != "$oldsalt" ] && break
1946 echo "I:sleeping ...."
1947 sleep 1
1948 done;
1949 [ "$salt" != "$oldsalt" ] || ret=1
1950 [ `expr "$salt" : ".*"` -eq 16 ] || ret=1
1951 n=`expr $n + 1`
1952 if [ $ret != 0 ]; then echo "I:failed"; fi
1953 status=`expr $status + $ret`
1954
1955 echo "I:check rndc signing -list output ($n)"
1956 ret=0
1957 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out
1958 grep "No signing records found" signing.out > /dev/null 2>&1 || {
1959 ret=1
1960 sed 's/^/I:ns3 /' signing.out
1961 }
1962 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
1963 grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || {
1964 ret=1
1965 sed 's/^/I:ns3 /' signing.out
1966 }
1967 n=`expr $n + 1`
1968 if [ $ret != 0 ]; then echo "I:failed"; fi
1969 status=`expr $status + $ret`
1970
1971 echo "I:clear signing records ($n)"
1972 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
1973 sleep 1
1974 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
1975 grep "No signing records found" signing.out > /dev/null 2>&1 || {
1976 ret=1
1977 sed 's/^/I:ns3 /' signing.out
1978 }
1979 n=`expr $n + 1`
1980 if [ $ret != 0 ]; then echo "I:failed"; fi
1981 status=`expr $status + $ret`
1982
1983 echo "I:checking that a insecure zone beneath a cname resolves ($n)"
1984 ret=0
1985 $DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1986 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1987 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
1988 n=`expr $n + 1`
1989 if [ $ret != 0 ]; then echo "I:failed"; fi
1990 status=`expr $status + $ret`
1991
1992 echo "I:checking that a secure zone beneath a cname resolves ($n)"
1993 ret=0
1994 $DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
1995 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
1996 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
1997 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
1998 n=`expr $n + 1`
1999 if [ $ret != 0 ]; then echo "I:failed"; fi
2000 status=`expr $status + $ret`
2001
2002 echo "I:checking dnskey query with no data still gets put in cache ($n)"
2003 ret=0
2004 myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
2005 firstVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'`
2006 sleep 1
2007 secondVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'`
2008 if [ ${firstVal:-0} -eq ${secondVal:-0} ]
2009 then
2010 sleep 1
2011 thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '$1 != ";;" { print $2 }'`
2012 if [ ${firstVal:-0} -eq ${thirdVal:-0} ]
2013 then
2014 echo "I: cannot confirm query answer still in cache"
2015 ret=1
2016 fi
2017 fi
2018 n=`expr $n + 1`
2019 if [ $ret != 0 ]; then echo "I:failed"; fi
2020 status=`expr $status + $ret`
2021
2022 echo "I:check that a split dnssec dnssec-signzone work ($n)"
2023 ret=0
2024 $DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
2025 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
2026 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
2027 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
2028 n=`expr $n + 1`
2029 if [ $ret != 0 ]; then echo "I:failed"; fi
2030 status=`expr $status + $ret`
2031
2032 echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
2033 ret=0
2034 $DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
2035 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
2036 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
2037 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
2038 n=`expr $n + 1`
2039 if [ $ret != 0 ]; then echo "I:failed"; fi
2040 status=`expr $status + $ret`
2041
2042 echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
2043 ret=0
2044 (
2045 echo zone nsec3chain-test
2046 echo server 10.53.0.2 5300
2047 echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
2048 echo send
2049 ) | $NSUPDATE
2050 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
2051 do
2052 $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
2053 if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
2054 then
2055 break;
2056 fi
2057 echo "I:sleeping ...."
2058 sleep 3
2059 done;
2060 grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
2061 if [ $ret != 0 ]; then echo "I:nsec3 chain generation not complete"; fi
2062 sleep 3
2063 $DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
2064 $DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
2065 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
2066 n=`expr $n + 1`
2067 if [ $ret != 0 ]; then echo "I:failed"; fi
2068 status=`expr $status + $ret`
2069
2070 echo "I:check dnssec-dsfromkey from stdin ($n)"
2071 ret=0
2072 $DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \
2073 $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
2074 NF=`awk '{print NF}' dig.out.ns2.test$n | sort -u`
2075 [ "${NF}" = 7 ] || ret=1
2076 # make canonical
2077 awk '{
2078 for (i=1;i<7;i++) printf("%s ", $i);
2079 for (i=7;i<=NF;i++) printf("%s", $i);
2080 printf("\n");
2081 }' < dig.out.ns2.test$n > canonical1.$n || ret=1
2082 awk '{
2083 for (i=1;i<7;i++) printf("%s ", $i);
2084 for (i=7;i<=NF;i++) printf("%s", $i);
2085 printf("\n");
2086 }' < ns1/dsset-algroll. > canonical2.$n || ret=1
2087 diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
2088 n=`expr $n + 1`
2089 if [ $ret != 0 ]; then echo "I:failed"; fi
2090 status=`expr $status + $ret`
2091
2092 echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)"
2093 ret=0
2094 $DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
2095 # there must be a signature here
2096 [ -s dig.out.ns3.test$n ] || ret=1
2097 n=`expr $n + 1`
2098 if [ $ret != 0 ]; then echo "I:failed"; fi
2099 status=`expr $status + $ret`
2100
2101 echo "I:testing new records are signed with 'no-resign' ($n)"
2102 ret=0
2103 (
2104 echo zone nosign.example
2105 echo server 10.53.0.3 5300
2106 echo update add new.nosign.example 300 in txt "hi there"
2107 echo send
2108 ) | $NSUPDATE
2109 sleep 1
2110 $DIG +noall +answer +dnssec -p 5300 txt new.nosign.example @10.53.0.3 \
2111 > dig.out.ns3.test$n 2>&1
2112 grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
2113 n=`expr $n + 1`
2114 if [ $ret != 0 ]; then echo "I:failed"; fi
2115 status=`expr $status + $ret`
2116
2117 echo "I:testing expiring records aren't resigned with 'no-resign' ($n)"
2118 ret=0
2119 $DIG +noall +answer +dnssec +nottl -p 5300 nosign.example ns @10.53.0.3 | \
2120 grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
2121 # the NS RRSIG should not be changed
2122 cmp -s nosign.before dig.out.ns3.test$n || ret=1
2123 n=`expr $n + 1`
2124 if [ $ret != 0 ]; then echo "I:failed"; fi
2125 status=`expr $status + $ret`
2126
2127 echo "I:testing updates fail with no private key ($n)"
2128 ret=0
2129 rm -f ns3/Knosign.example.*.private
2130 (
2131 echo zone nosign.example
2132 echo server 10.53.0.3 5300
2133 echo update add fail.nosign.example 300 in txt "reject me"
2134 echo send
2135 ) | $NSUPDATE > /dev/null 2>&1 && ret=1
2136 $DIG +tcp +noall +answer +dnssec -p 5300 fail.nosign.example txt @10.53.0.3 \
2137 > dig.out.ns3.test$n 2>&1
2138 [ -s dig.out.ns3.test$n ] && ret=1
2139 n=`expr $n + 1`
2140 if [ $ret != 0 ]; then echo "I:failed"; fi
2141 status=`expr $status + $ret`
2142
2143 echo "I:testing legacy upper case signer name validation ($n)"
2144 ret=0
2145 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
2146 > dig.out.ns4.test$n 2>&1
2147 grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
2148 grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
2149 n=`expr $n + 1`
2150 if [ $ret != 0 ]; then echo "I:failed"; fi
2151 status=`expr $status + $ret`
2152
2153 echo "I:testing that we lower case signer name ($n)"
2154 ret=0
2155 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
2156 > dig.out.ns4.test$n 2>&1
2157 grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
2158 grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
2159 n=`expr $n + 1`
2160 if [ $ret != 0 ]; then echo "I:failed"; fi
2161 status=`expr $status + $ret`
2162
2163 echo "I:testing TTL is capped at RRSIG expiry time ($n)"
2164 ret=0
2165 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
2166 (
2167 cd ns3
2168 for file in K*.moved; do
2169 mv $file `basename $file .moved`
2170 done
2171 $SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
2172 ) || ret=1
2173 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'
2174
2175 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
2176 $DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
2177 $DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
2178 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
2179 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
2180 for ttl in ${ttls:-0}; do
2181 [ ${ttl:-0} -eq 300 ] || ret=1
2182 done
2183 for ttl in ${ttls2:-0}; do
2184 [ ${ttl:-0} -le 60 ] || ret=1
2185 done
2186 n=`expr $n + 1`
2187 if [ $ret != 0 ]; then echo "I:failed"; fi
2188 status=`expr $status + $ret`
2189
2190 echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
2191 ret=0
2192 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
2193 sleep 1
2194 $DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
2195 $DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
2196 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
2197 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
2198 for ttl in ${ttls:-300}; do
2199 [ ${ttl:-0} -eq 300 ] || ret=1
2200 done
2201 for ttl in ${ttls2:-0}; do
2202 [ ${ttl:-0} -le 60 ] || ret=1
2203 done
2204 n=`expr $n + 1`
2205 if [ $ret != 0 ]; then echo "I:failed"; fi
2206 status=`expr $status + $ret`
2207
2208 cp ns4/named3.conf ns4/named.conf
2209 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
2210 sleep 3
2211
2212 echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
2213 ret=0
2214 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
2215 $DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
2216 $DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
2217 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
2218 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
2219 for ttl in ${ttls:-0}; do
2220 [ $ttl -eq 300 ] || ret=1
2221 done
2222 for ttl in ${ttls2:-0}; do
2223 [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
2224 done
2225 n=`expr $n + 1`
2226 if [ $ret != 0 ]; then echo "I:failed"; fi
2227 status=`expr $status + $ret`
2228
2229 echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
2230 ret=0
2231 $DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
2232 $DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
2233 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
2234 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
2235 for ttl in ${ttls:-0}; do
2236 [ $ttl -eq 300 ] || ret=1
2237 done
2238 for ttl in ${ttls2:-0}; do
2239 [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
2240 done
2241 n=`expr $n + 1`
2242 if [ $ret != 0 ]; then echo "I:failed"; fi
2243 status=`expr $status + $ret`
2244
2245 echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
2246 ret=0
2247 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
2248 $DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
2249 $DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
2250 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
2251 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
2252 for ttl in ${ttls:-300}; do
2253 [ $ttl -eq 300 ] || ret=1
2254 done
2255 for ttl in ${ttls2:-0}; do
2256 [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
2257 done
2258 n=`expr $n + 1`
2259 if [ $ret != 0 ]; then echo "I:failed"; fi
2260 status=`expr $status + $ret`
2261
2262 echo "I:testing DNSKEY lookup via CNAME ($n)"
2263 ret=0
2264 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
2265 @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
2266 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
2267 @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
2268 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
2269 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2270 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
2271 n=`expr $n + 1`
2272 if [ $ret != 0 ]; then echo "I:failed"; fi
2273 status=`expr $status + $ret`
2274
2275 echo "I:testing KEY lookup at CNAME (present) ($n)"
2276 ret=0
2277 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
2278 @10.53.0.3 key > dig.out.ns3.test$n || ret=1
2279 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
2280 @10.53.0.4 key > dig.out.ns4.test$n || ret=1
2281 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
2282 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2283 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
2284 n=`expr $n + 1`
2285 if [ $ret != 0 ]; then echo "I:failed"; fi
2286 status=`expr $status + $ret`
2287
2288 echo "I:testing KEY lookup at CNAME (not present) ($n)"
2289 ret=0
2290 $DIG $DIGOPTS +noauth cnamenokey.secure.example. \
2291 @10.53.0.3 key > dig.out.ns3.test$n || ret=1
2292 $DIG $DIGOPTS +noauth cnamenokey.secure.example. \
2293 @10.53.0.4 key > dig.out.ns4.test$n || ret=1
2294 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
2295 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2296 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
2297 n=`expr $n + 1`
2298 if [ $ret != 0 ]; then echo "I:failed"; fi
2299 status=`expr $status + $ret`
2300
2301 echo "I:testing DNSKEY lookup via DNAME ($n)"
2302 ret=0
2303 $DIG $DIGOPTS a.dnameandkey.secure.example. \
2304 @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
2305 $DIG $DIGOPTS a.dnameandkey.secure.example. \
2306 @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
2307 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
2308 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2309 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
2310 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
2311 n=`expr $n + 1`
2312 if [ $ret != 0 ]; then echo "I:failed"; fi
2313 status=`expr $status + $ret`
2314
2315 echo "I:testing KEY lookup via DNAME ($n)"
2316 ret=0
2317 $DIG $DIGOPTS b.dnameandkey.secure.example. \
2318 @10.53.0.3 key > dig.out.ns3.test$n || ret=1
2319 $DIG $DIGOPTS b.dnameandkey.secure.example. \
2320 @10.53.0.4 key > dig.out.ns4.test$n || ret=1
2321 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
2322 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2323 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
2324 n=`expr $n + 1`
2325 if [ $ret != 0 ]; then echo "I:failed"; fi
2326 status=`expr $status + $ret`
2327
2328 echo "I:check that named doesn't loop when all private keys are not available ($n)"
2329 ret=0
2330 lines=`grep "reading private key file expiring.example" ns3/named.run | wc -l`
2331 test ${lines:-1000} -lt 15 || ret=1
2332 n=`expr $n + 1`
2333 if [ $ret != 0 ]; then echo "I:failed"; fi
2334 status=`expr $status + $ret`
2335
2336 echo "I:check against against missing nearest provable proof ($n)"
2337 $DIG $DIGOPTS +norec b.c.d.optout-tld. \
2338 @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
2339 nsec3=`grep "IN.NSEC3" dig.out.ds.ns6.test$n | wc -l`
2340 [ $nsec3 -eq 2 ] || ret=1
2341 $DIG $DIGOPTS +norec b.c.d.optout-tld. \
2342 @10.53.0.6 A > dig.out.ns6.test$n || ret=1
2343 nsec3=`grep "IN.NSEC3" dig.out.ns6.test$n | wc -l`
2344 [ $nsec3 -eq 1 ] || ret=1
2345 $DIG $DIGOPTS optout-tld. \
2346 @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
2347 grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
2348 $DIG $DIGOPTS b.c.d.optout-tld. \
2349 @10.53.0.4 A > dig.out.ns4.test$n || ret=1
2350 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
2351 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
2352 n=`expr $n + 1`
2353 if [ $ret != 0 ]; then echo "I:failed"; fi
2354 status=`expr $status + $ret`
2355
2356 echo "I:check that key id are logged when dumping the cache ($n)"
2357 ret=0
2358 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 dumpdb 2>&1 | sed 's/^/I:ns1 /'
2359 sleep 1
2360 grep "; key id = " ns4/named_dump.db > /dev/null || ret=1
2361 n=`expr $n + 1`
2362 if [ $ret != 0 ]; then echo "I:failed"; fi
2363 status=`expr $status + $ret`
2364
2365 echo "I:check KEYDATA records are printed in human readable form in key zone ($n)"
2366 # force the managed-keys zone to be written out
2367 $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns4
2368 ret=0
2369 grep KEYDATA ns4/managed-keys.bind > /dev/null || ret=1
2370 grep "next refresh:" ns4/managed-keys.bind > /dev/null || ret=1
2371 # restart the server
2372 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
2373 n=`expr $n + 1`
2374 if [ $ret != 0 ]; then echo "I:failed"; fi
2375 status=`expr $status + $ret`
2376
2377 echo "I:check dig's +nocrypto flag ($n)"
2378 ret=0
2379 $DIG $DIGOPTS +norec +nocrypto DNSKEY . \
2380 @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
2381 grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
2382 grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
2383 $DIG $DIGOPTS +norec +nocrypto DS example \
2384 @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
2385 grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
2386 n=`expr $n + 1`
2387 if [ $ret != 0 ]; then echo "I:failed"; fi
2388 status=`expr $status + $ret`
2389
2390 echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
2391 ret=0
2392 cnt=0
2393 while :
2394 do
2395 $DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
2396 keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l`
2397 test $keys -gt 2 && break
2398 cnt=`expr $cnt + 1`
2399 test $cnt -gt 120 && break
2400 sleep 1
2401 done
2402 test $keys -gt 2 || ret=1
2403 sigs=`grep RRSIG dig.out.ns3.test$n | wc -l`
2404 sigs=`expr $sigs + 0`
2405 n=`expr $n + 1`
2406 test $sigs -eq 2 || ret=1
2407 if test $ret != 0 ; then echo "I:failed"; fi
2408 status=`expr $status + $ret`
2409
2410 echo "I:check that increasing the sig-validity-interval resigning triggers re-signing"
2411 ret=0
2412 before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
2413 cp ns3/siginterval2.conf ns3/siginterval.conf
2414 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
2415 for i in 1 2 3 4 5 6 7 8 9 0
2416 do
2417 after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
2418 test "$before" != "$after" && break
2419 sleep 1
2420 done
2421 n=`expr $n + 1`
2422 if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
2423 status=`expr $status + $ret`
2424
2425 cp ns4/named4.conf ns4/named.conf
2426 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
2427 sleep 3
2428
2429 echo "I:check insecure delegation between static-stub zones ($n)"
2430 ret=0
2431 $DIG $DIGOPTS ns insecure.secure.example \
2432 @10.53.0.4 > dig.out.ns4.1.test$n || ret=1
2433 grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
2434 $DIG $DIGOPTS ns secure.example \
2435 @10.53.0.4 > dig.out.ns4.2.test$n || ret=1
2436 grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
2437 n=`expr $n + 1`
2438 if [ $ret != 0 ]; then echo "I:failed"; fi
2439 status=`expr $status + $ret`
2440
2441 echo "I:check the acceptance of seconds as inception and expiration times ($n)"
2442 ret=0
2443 in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
2444
2445 exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
2446
2447 out=`echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//'`
2448 [ "$out" = "$exp" ] || ret=1
2449 n=`expr $n + 1`
2450 if [ $ret != 0 ]; then echo "I:failed"; fi
2451 status=`expr $status + $ret`
2452
2453 echo "I:check the correct resigning time is reported in zonestatus ($n)"
2454 ret=0
2455 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 \
2456 zonestatus secure.example > rndc.out.test$n
2457 # next resign node: secure.example/DNSKEY
2458 name=`awk '/next resign node:/ { print $4 }' rndc.out.test$n | sed 's;/; ;'`
2459 # next resign time: Thu, 24 Apr 2014 10:38:16 GMT
2460 time=`awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
2461 m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
2462 m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
2463 m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
2464 /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.test$n | sed 's/://g'`
2465 $DIG $DIGOPTS +noall +answer $name @10.53.0.3 -p 5300 > dig.out.test$n
2466 expire=`awk '$4 == "RRSIG" { print $9 }' dig.out.test$n`
2467 inception=`awk '$4 == "RRSIG" { print $10 }' dig.out.test$n`
2468 $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1
2469 n=`expr $n + 1`
2470 if [ $ret != 0 ]; then echo "I:failed"; fi
2471 status=`expr $status + $ret`
2472
2473 echo "I:check that split rrsigs are handled ($n)"
2474 ret=0
2475 $DIG $DIGOPTS split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1
2476 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
2477 n=`expr $n + 1`
2478 if [ $ret != 0 ]; then echo "I:failed"; fi
2479 status=`expr $status + $ret`
2480
2481 echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
2482 ret=0
2483 alg=1
2484 until test $alg = 256
2485 do
2486 size=
2487 case $alg in
2488 1) size="-b 512";;
2489 2) # Diffie Helman
2490 alg=`expr $alg + 1`
2491 continue;;
2492 3) size="-b 512";;
2493 5) size="-b 512";;
2494 6) size="-b 512";;
2495 7) size="-b 512";;
2496 8) size="-b 512";;
2497 10) size="-b 1024";;
2498 157|160|161|162|163|164|165) # private - non standard
2499 alg=`expr $alg + 1`
2500 continue;;
2501 esac
2502 key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err`
2503 if grep "unsupported algorithm" keygen.err > /dev/null
2504 then
2505 alg=`expr $alg + 1`
2506 continue
2507 fi
2508 if test -z "$key1"
2509 then
2510 echo "I: '$KEYGEN -a $alg': failed"
2511 cat keygen.err
2512 ret=1
2513 alg=`expr $alg + 1`
2514 continue
2515 fi
2516 $SETTIME -I now+4d $key1.private > /dev/null
2517 key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null`
2518 test -f $key2.key -a -f $key2.private || {
2519 ret=1
2520 echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
2521 }
2522 alg=`expr $alg + 1`
2523 done
2524 n=`expr $n + 1`
2525 if [ $ret != 0 ]; then echo "I:failed"; fi
2526 status=`expr $status + $ret`
2527
2528 #
2529 # Test for +sigchase with a null set of trusted keys.
2530 #
2531 $DIG -p 5300 @10.53.0.3 +sigchase +trusted-key=/dev/null > dig.out.ns3.test$n 2>&1
2532 if grep "Invalid option: +sigchase" dig.out.ns3.test$n > /dev/null
2533 then
2534 echo "I:Skipping 'dig +sigchase' tests"
2535 n=`expr $n + 1`
2536 else
2537 echo "I:checking that 'dig +sigchase' doesn't loop with future inception ($n)"
2538 ret=0
2539 $DIG -p 5300 @10.53.0.3 dnskey future.example +sigchase \
2540 +trusted-key=ns3/trusted-future.key > dig.out.ns3.test$n &
2541 pid=$!
2542 sleep 1
2543 kill -9 $pid 2> /dev/null
2544 wait $pid
2545 grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1
2546 if [ $ret != 0 ]; then echo "I:failed"; fi
2547 status=`expr $status + $ret`
2548 n=`expr $n + 1`
2549 fi
2550
2551 echo "I:checking that positive unknown NSEC3 hash algorithm does validate ($n)"
2552 ret=0
2553 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
2554 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
2555 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2556 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
2557 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2558 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
2559 n=`expr $n + 1`
2560 if [ $ret != 0 ]; then echo "I:failed"; fi
2561 status=`expr $status + $ret`
2562
2563 echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
2564 ret=0
2565 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
2566 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
2567 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2568 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
2569 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
2570 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
2571 n=`expr $n + 1`
2572 if [ $ret != 0 ]; then echo "I:failed"; fi
2573 status=`expr $status + $ret`
2574
2575 echo "I:checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
2576 ret=0
2577 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
2578 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
2579 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2580 grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
2581 n=`expr $n + 1`
2582 if [ $ret != 0 ]; then echo "I:failed"; fi
2583 status=`expr $status + $ret`
2584
2585 echo "I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
2586 ret=0
2587 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
2588 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
2589 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2590 grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
2591 n=`expr $n + 1`
2592 if [ $ret != 0 ]; then echo "I:failed"; fi
2593 status=`expr $status + $ret`
2594
2595 echo "I:checking that unknown DNSKEY algorithm validates as insecure ($n)"
2596 ret=0
2597 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
2598 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
2599 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2600 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
2601 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
2602 n=`expr $n + 1`
2603 if [ $ret != 0 ]; then echo "I:failed"; fi
2604 status=`expr $status + $ret`
2605
2606 echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
2607 ret=0
2608 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
2609 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
2610 grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
2611 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
2612 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
2613 n=`expr $n + 1`
2614 if [ $ret != 0 ]; then echo "I:failed"; fi
2615 status=`expr $status + $ret`
2616
2617 echo "I:checking initialization with a revoked managed key ($n)"
2618 ret=0
2619 cp ns5/named2.conf ns5/named.conf
2620 $RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reconfig 2>&1 | sed 's/^/I:ns5 /'
2621 sleep 3
2622 $DIG $DIGOPTS +dnssec -p 5300 @10.53.0.5 SOA . > dig.out.ns5.test$n
2623 grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
2624 n=`expr $n + 1`
2625 if [ $ret != 0 ]; then echo "I:failed"; fi
2626 status=`expr $status + $ret`
2627
2628 echo "I:exit status: $status"
2629 exit $status
MINIX 3 (repo.or.cz mirror)