Version in base suite: 9.16.44-1~deb11u1 Base version: bind9_9.16.44-1~deb11u1 Target version: bind9_9.16.48-1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bind9/bind9_9.16.44-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bind9/bind9_9.16.48-1.dsc .editorconfig | 5 .gitlab-ci.yml | 427 .reuse/dep5 | 1 CHANGES | 53 bin/dnssec/dnssec-signzone.c | 2 bin/named/config.c | 4 bin/plugins/filter-aaaa.c | 2 bin/rndc/rndc.rst | 6 bin/tests/system/README | 12 bin/tests/system/acl/tests.sh | 219 bin/tests/system/additional/tests.sh | 540 - bin/tests/system/addzone/tests.sh | 739 - bin/tests/system/allow-query/setup.sh | 6 bin/tests/system/allow-query/tests.sh | 527 - bin/tests/system/auth/tests.sh | 198 bin/tests/system/autosign/ns1/keygen.sh | 26 bin/tests/system/autosign/ns2/keygen.sh | 36 bin/tests/system/autosign/ns3/keygen.sh | 294 bin/tests/system/autosign/ns3/named.conf.in | 1 bin/tests/system/autosign/tests.sh | 1077 +- bin/tests/system/builtin/tests.sh | 177 bin/tests/system/cacheclean/tests.sh | 192 bin/tests/system/case/tests.sh | 100 bin/tests/system/catz/tests.sh | 1347 +-- bin/tests/system/cds/setup.sh | 44 bin/tests/system/cds/tests.sh | 65 bin/tests/system/chain/ans3/ans.pl | 16 bin/tests/system/chain/ns2/sign.sh | 10 bin/tests/system/chain/prereq.sh | 49 bin/tests/system/chain/tests.sh | 396 bin/tests/system/checkconf/tests.sh | 846 + bin/tests/system/checkds/ns2/setup.sh | 17 bin/tests/system/checkds/ns5/setup.sh | 8 bin/tests/system/checkds/ns9/setup.sh | 52 bin/tests/system/checkds/prereq.sh | 20 bin/tests/system/checkds/setup.sh | 12 bin/tests/system/checkdstool/dig.sh | 19 bin/tests/system/checkdstool/tests.sh | 108 bin/tests/system/checknames/tests.sh | 138 bin/tests/system/checkzone/setup.sh | 4 bin/tests/system/checkzone/tests.sh | 174 bin/tests/system/ckdnsrps.sh | 127 bin/tests/system/cleanall.sh | 17 bin/tests/system/cleanpkcs11.sh | 2 bin/tests/system/conf.sh.in | 15 bin/tests/system/cookie/prereq.sh | 20 
bin/tests/system/cookie/tests.sh | 553 - bin/tests/system/coverage/setup.sh | 40 bin/tests/system/coverage/tests.sh | 114 bin/tests/system/database/tests.sh | 27 bin/tests/system/dialup/tests.sh | 46 bin/tests/system/digdelv/ns2/sign.sh | 10 bin/tests/system/digdelv/prereq.sh | 9 bin/tests/system/digdelv/tests.sh | 1231 +- bin/tests/system/dlz/prereq.sh | 4 bin/tests/system/dlz/tests.sh | 58 bin/tests/system/dlzexternal/prereq.sh | 10 bin/tests/system/dlzexternal/setup.sh | 2 bin/tests/system/dlzexternal/tests.sh | 212 bin/tests/system/dns64/ns1/sign.sh | 4 bin/tests/system/dns64/tests.sh | 1536 +-- bin/tests/system/dnssec/ns1/sign.sh | 20 bin/tests/system/dnssec/ns2/sign.sh | 146 bin/tests/system/dnssec/ns3/secure.example.db.in | 5 bin/tests/system/dnssec/ns3/sign.sh | 313 bin/tests/system/dnssec/ns5/sign.sh | 12 bin/tests/system/dnssec/ns6/sign.sh | 4 bin/tests/system/dnssec/ns7/sign.sh | 6 bin/tests/system/dnssec/prereq.sh | 38 bin/tests/system/dnssec/setup.sh | 22 bin/tests/system/dnssec/tests.sh | 4289 +++++----- bin/tests/system/dnstap/prereq.sh | 4 bin/tests/system/dnstap/tests.sh | 1015 +- bin/tests/system/dscp/tests.sh | 25 bin/tests/system/dsdigest/ns1/sign.sh | 6 bin/tests/system/dsdigest/ns2/sign.sh | 13 bin/tests/system/dsdigest/tests.sh | 28 bin/tests/system/dupsigs/ns1/reset_keys.sh | 51 bin/tests/system/dupsigs/setup.sh | 5 bin/tests/system/dupsigs/tests.sh | 41 bin/tests/system/dyndb/prereq.sh | 12 bin/tests/system/dyndb/tests.sh | 170 bin/tests/system/ecdsa/ns1/sign.sh | 34 bin/tests/system/ecdsa/setup.sh | 8 bin/tests/system/ecdsa/tests.sh | 42 bin/tests/system/eddsa/ns1/sign.sh | 34 bin/tests/system/eddsa/ns2/sign.sh | 13 bin/tests/system/eddsa/ns3/sign.sh | 13 bin/tests/system/eddsa/prereq.sh | 4 bin/tests/system/eddsa/setup.sh | 16 bin/tests/system/eddsa/tests.sh | 104 bin/tests/system/ednscompliance/tests.sh | 181 bin/tests/system/emptyzones/tests.sh | 16 bin/tests/system/fetchlimit/prereq.sh | 9 bin/tests/system/fetchlimit/tests.sh | 155 
bin/tests/system/filter-aaaa/ns1/sign.sh | 10 bin/tests/system/filter-aaaa/ns4/sign.sh | 6 bin/tests/system/filter-aaaa/prereq.sh | 10 bin/tests/system/filter-aaaa/tests.sh | 1543 +-- bin/tests/system/formerr/clean.sh | 6 bin/tests/system/formerr/tests.sh | 30 bin/tests/system/forward/ns1/sign.sh | 6 bin/tests/system/forward/prereq.sh | 29 bin/tests/system/forward/setup.sh | 4 bin/tests/system/forward/tests.sh | 308 bin/tests/system/genzone.sh | 5 bin/tests/system/geoip2/prereq.sh | 4 bin/tests/system/geoip2/setup.sh | 4 bin/tests/system/geoip2/tests.sh | 323 bin/tests/system/glue/tests.sh | 2 bin/tests/system/idna/tests.sh | 456 - bin/tests/system/ifconfig.sh | 410 bin/tests/system/inline/clean.sh | 26 bin/tests/system/inline/ns1/sign.sh | 4 bin/tests/system/inline/ns3/sign.sh | 77 bin/tests/system/inline/ns8/sign.sh | 9 bin/tests/system/inline/setup.sh | 20 bin/tests/system/inline/tests.sh | 1092 +- bin/tests/system/integrity/tests.sh | 120 bin/tests/system/ixfr/prereq.sh | 9 bin/tests/system/ixfr/setup.sh | 32 bin/tests/system/ixfr/tests.sh | 163 bin/tests/system/journal/setup.sh | 2 bin/tests/system/journal/tests.sh | 192 bin/tests/system/kasp.sh | 1771 ++-- bin/tests/system/kasp/ns3/setup.sh | 757 - bin/tests/system/kasp/ns4/setup.sh | 13 bin/tests/system/kasp/ns5/setup.sh | 13 bin/tests/system/kasp/ns6/setup.sh | 377 bin/tests/system/kasp/prereq.sh | 4 bin/tests/system/kasp/setup.sh | 43 bin/tests/system/kasp/tests.sh | 2466 ++--- bin/tests/system/keepalive/tests.sh | 70 bin/tests/system/keymgr/19-old-keys/extra.sh | 16 bin/tests/system/keymgr/setup.sh | 184 bin/tests/system/keymgr/tests.sh | 207 bin/tests/system/keymgr2kasp/clean.sh | 1 bin/tests/system/keymgr2kasp/ns3/setup.sh | 98 bin/tests/system/keymgr2kasp/ns4/setup.sh | 10 bin/tests/system/keymgr2kasp/setup.sh | 8 bin/tests/system/keymgr2kasp/tests.sh | 556 - bin/tests/system/legacy/ns6/sign.sh | 6 bin/tests/system/legacy/ns7/sign.sh | 8 bin/tests/system/legacy/tests.sh | 270 
bin/tests/system/limits/tests.sh | 20 bin/tests/system/logfileconfig/named1.args | 2 bin/tests/system/logfileconfig/named2.args | 2 bin/tests/system/logfileconfig/tests.sh | 180 bin/tests/system/masterfile/tests.sh | 26 bin/tests/system/masterformat/ns1/compile.sh | 24 bin/tests/system/masterformat/setup.sh | 2 bin/tests/system/masterformat/tests.sh | 309 bin/tests/system/metadata/clean.sh | 2 bin/tests/system/metadata/setup.sh | 25 bin/tests/system/metadata/tests.sh | 92 bin/tests/system/mirror/ns1/sign.sh | 14 bin/tests/system/mirror/ns2/sign.sh | 70 bin/tests/system/mirror/setup.sh | 6 bin/tests/system/mirror/tests.sh | 386 bin/tests/system/mkeys/ns1/sign.sh | 24 bin/tests/system/mkeys/ns4/sign.sh | 4 bin/tests/system/mkeys/ns6/setup.sh | 2 bin/tests/system/mkeys/setup.sh | 10 bin/tests/system/mkeys/tests.sh | 581 - bin/tests/system/names/tests.sh | 22 bin/tests/system/notify/tests.sh | 177 bin/tests/system/nsec3/clean.sh | 1 bin/tests/system/nsec3/ns3/setup.sh | 19 bin/tests/system/nsec3/setup.sh | 8 bin/tests/system/nsec3/tests.sh | 194 bin/tests/system/nslookup/tests.sh | 90 bin/tests/system/nsupdate/krb/setup.sh | 13 bin/tests/system/nsupdate/ns3/sign.sh | 6 bin/tests/system/nsupdate/prereq.sh | 16 bin/tests/system/nsupdate/setup.sh | 39 bin/tests/system/nsupdate/tests.sh | 1341 +-- bin/tests/system/nzd2nzf/prereq.sh | 4 bin/tests/system/nzd2nzf/tests.sh | 46 bin/tests/system/padding/tests.sh | 116 bin/tests/system/parallel.sh | 12 bin/tests/system/pending/ns1/sign.sh | 10 bin/tests/system/pending/ns2/sign.sh | 16 bin/tests/system/pending/tests.sh | 103 bin/tests/system/pipelined/prereq.sh | 20 bin/tests/system/pipelined/tests.sh | 60 bin/tests/system/pkcs11/setup.sh | 76 bin/tests/system/pkcs11/tests.sh | 154 bin/tests/system/qmin/prereq.sh | 20 bin/tests/system/qmin/tests.sh | 348 bin/tests/system/reclimit/ans7/ans.pl | 16 bin/tests/system/reclimit/prereq.sh | 29 bin/tests/system/reclimit/tests.sh | 239 bin/tests/system/redirect/ns1/sign.sh | 8 
bin/tests/system/redirect/ns3/sign.sh | 8 bin/tests/system/redirect/ns5/sign.sh | 16 bin/tests/system/redirect/setup.sh | 6 bin/tests/system/redirect/tests.sh | 590 - bin/tests/system/resolver/ns6/keygen.sh | 10 bin/tests/system/resolver/prereq.sh | 20 bin/tests/system/resolver/tests.sh | 920 +- bin/tests/system/rndc/setup.sh | 14 bin/tests/system/rndc/tests.sh | 722 - bin/tests/system/rndc/tests_cve-2023-3341.py | 57 bin/tests/system/rootkeysentinel/ns1/sign.sh | 8 bin/tests/system/rootkeysentinel/ns2/sign.sh | 26 bin/tests/system/rootkeysentinel/tests.sh | 296 bin/tests/system/rpz/clean.sh | 43 bin/tests/system/rpz/qperf.sh | 12 bin/tests/system/rpz/setup.sh | 68 bin/tests/system/rpz/tests.sh | 1148 +- bin/tests/system/rpzrecurse/prereq.sh | 9 bin/tests/system/rpzrecurse/setup.sh | 64 bin/tests/system/rpzrecurse/tests.sh | 392 bin/tests/system/rrchecker/tests.sh | 105 bin/tests/system/rrl/clean.sh | 2 bin/tests/system/rrl/tests.sh | 285 bin/tests/system/rrsetorder/tests.sh | 448 - bin/tests/system/rsabigexponent/ns1/sign.sh | 8 bin/tests/system/rsabigexponent/ns2/sign.sh | 9 bin/tests/system/rsabigexponent/prereq.sh | 11 bin/tests/system/rsabigexponent/tests.sh | 40 bin/tests/system/run.sh | 355 bin/tests/system/runall.sh | 76 bin/tests/system/runsequential.sh | 5 bin/tests/system/runtime/setup.sh | 9 bin/tests/system/runtime/tests.sh | 207 bin/tests/system/serve-stale/prereq.sh | 38 bin/tests/system/serve-stale/tests.sh | 2375 ++--- bin/tests/system/setup.sh | 17 bin/tests/system/sfcache/ns1/sign.sh | 10 bin/tests/system/sfcache/ns2/sign.sh | 4 bin/tests/system/sfcache/ns5/sign.sh | 2 bin/tests/system/sfcache/tests.sh | 80 bin/tests/system/shutdown/prereq.sh | 31 bin/tests/system/smartsign/tests.sh | 325 bin/tests/system/sortlist/tests.sh | 18 bin/tests/system/spf/tests.sh | 33 bin/tests/system/start.pl | 21 bin/tests/system/staticstub/ns3/sign.sh | 16 bin/tests/system/staticstub/ns4/sign.sh | 4 bin/tests/system/staticstub/setup.sh | 4 
bin/tests/system/staticstub/tests.sh | 200 bin/tests/system/statistics/prereq.sh | 20 bin/tests/system/statistics/tests.sh | 282 bin/tests/system/statschannel/generic.py | 40 bin/tests/system/statschannel/ns2/sign.sh | 20 bin/tests/system/statschannel/prereq.sh | 9 bin/tests/system/statschannel/setup.sh | 2 bin/tests/system/statschannel/tests.sh | 464 - bin/tests/system/stopall.sh | 5 bin/tests/system/stress/prereq.sh | 20 bin/tests/system/stub/tests.sh | 108 bin/tests/system/synthfromdnssec/ns1/sign.sh | 14 bin/tests/system/synthfromdnssec/setup.sh | 4 bin/tests/system/synthfromdnssec/tests.sh | 289 bin/tests/system/system-test-driver.sh | 72 bin/tests/system/tcp/prereq.sh | 5 bin/tests/system/tcp/tests.sh | 64 bin/tests/system/testcrypto.sh | 121 bin/tests/system/testsummary.sh | 54 bin/tests/system/timeouts/prereq.sh | 20 bin/tests/system/timeouts/setup.sh | 2 bin/tests/system/tkey/ns1/setup.sh | 4 bin/tests/system/tkey/tests.sh | 193 bin/tests/system/tools/tests.sh | 81 bin/tests/system/tsig/prereq.sh | 4 bin/tests/system/tsig/setup.sh | 5 bin/tests/system/tsig/tests.sh | 273 bin/tests/system/tsiggss/prereq.sh | 6 bin/tests/system/tsiggss/setup.sh | 4 bin/tests/system/tsiggss/tests.sh | 151 bin/tests/system/ttl/prereq.sh | 20 bin/tests/system/unknown/setup.sh | 5 bin/tests/system/unknown/tests.sh | 266 bin/tests/system/upforwd/prereq.sh | 9 bin/tests/system/upforwd/setup.sh | 21 bin/tests/system/upforwd/tests.sh | 313 bin/tests/system/verify/tests.sh | 152 bin/tests/system/verify/zones/genzones.sh | 220 bin/tests/system/views/setup.sh | 12 bin/tests/system/views/tests.sh | 92 bin/tests/system/wildcard/ns1/sign.sh | 44 bin/tests/system/wildcard/tests.sh | 304 bin/tests/system/xfer/prereq.sh | 27 bin/tests/system/xfer/setup.sh | 6 bin/tests/system/xfer/tests.sh | 361 bin/tests/system/xferquota/tests.sh | 44 bin/tests/system/zero/prereq.sh | 9 bin/tests/system/zero/setup.sh | 2 bin/tests/system/zero/tests.sh | 141 bin/tests/system/zonechecks/setup.sh | 20 
bin/tests/system/zonechecks/tests.sh | 273 bin/tests/wire_test.c | 2 cocci/ctype.spatch | 105 contrib/dlz/modules/common/dlz_dbi.c | 2 dangerfile.py | 35 debian/changelog | 21 debian/patches/0003-Remove-the-reference-to-OPTIONS.md-it-breaks-build-o.patch | 22 debian/patches/0004-Disable-treat-warnings-as-errors-in-sphinx-build.patch | 36 debian/patches/series | 3 doc/arm/conf.py | 39 doc/arm/notes.rst | 4 doc/arm/platforms.rst | 10 doc/arm/reference.rst | 2 doc/arm/requirements.txt | 6 doc/arm/security.rst | 50 doc/man/arpaname.1in | 2 doc/man/ddns-confgen.8in | 2 doc/man/delv.1in | 2 doc/man/dig.1in | 2 doc/man/dnssec-cds.8in | 2 doc/man/dnssec-checkds.8in | 2 doc/man/dnssec-coverage.8in | 2 doc/man/dnssec-dsfromkey.8in | 2 doc/man/dnssec-importkey.8in | 2 doc/man/dnssec-keyfromlabel.8in | 2 doc/man/dnssec-keygen.8in | 2 doc/man/dnssec-keymgr.8in | 2 doc/man/dnssec-revoke.8in | 2 doc/man/dnssec-settime.8in | 2 doc/man/dnssec-signzone.8in | 2 doc/man/dnssec-verify.8in | 2 doc/man/dnstap-read.1in | 2 doc/man/filter-aaaa.8in | 2 doc/man/host.1in | 2 doc/man/mdig.1in | 2 doc/man/named-checkconf.8in | 2 doc/man/named-checkzone.8in | 2 doc/man/named-compilezone.8in | 2 doc/man/named-journalprint.8in | 2 doc/man/named-nzd2nzf.8in | 2 doc/man/named-rrchecker.1in | 2 doc/man/named.8in | 2 doc/man/named.conf.5in | 2 doc/man/nsec3hash.8in | 2 doc/man/nslookup.1in | 2 doc/man/nsupdate.1in | 2 doc/man/pkcs11-destroy.8in | 2 doc/man/pkcs11-keygen.8in | 2 doc/man/pkcs11-list.8in | 2 doc/man/pkcs11-tokens.8in | 2 doc/man/rndc-confgen.8in | 2 doc/man/rndc.8in | 8 doc/man/rndc.conf.5in | 2 doc/man/tsig-keygen.8in | 2 doc/notes/notes-9.16.12.rst | 2 doc/notes/notes-9.16.15.rst | 6 doc/notes/notes-9.16.20.rst | 2 doc/notes/notes-9.16.22.rst | 2 doc/notes/notes-9.16.27.rst | 4 doc/notes/notes-9.16.3.rst | 6 doc/notes/notes-9.16.33.rst | 8 doc/notes/notes-9.16.37.rst | 6 doc/notes/notes-9.16.4.rst | 7 doc/notes/notes-9.16.42.rst | 4 doc/notes/notes-9.16.44.rst | 2 
doc/notes/notes-9.16.45.rst | 26 doc/notes/notes-9.16.46.rst | 19 doc/notes/notes-9.16.47.rst | 20 doc/notes/notes-9.16.48.rst | 69 doc/notes/notes-9.16.6.rst | 13 lib/bind9/check.c | 4 lib/dns/adb.c | 10 lib/dns/catz.c | 8 lib/dns/dst_api.c | 27 lib/dns/include/dns/message.h | 40 lib/dns/include/dns/name.h | 37 lib/dns/include/dns/rbt.h | 6 lib/dns/include/dns/stats.h | 2 lib/dns/include/dns/validator.h | 1 lib/dns/include/dst/dst.h | 4 lib/dns/mapapi | 2 lib/dns/master.c | 2 lib/dns/message.c | 391 lib/dns/name.c | 1 lib/dns/ncache.c | 2 lib/dns/nsec3.c | 8 lib/dns/opensslrsa_link.c | 5 lib/dns/private.c | 8 lib/dns/rbt.c | 1 lib/dns/rbtdb.c | 153 lib/dns/rdata.c | 2 lib/dns/resolver.c | 4 lib/dns/result.c | 2 lib/dns/rootns.c | 53 lib/dns/rpz.c | 5 lib/dns/tsig.c | 22 lib/dns/update.c | 53 lib/dns/validator.c | 67 lib/dns/win32/libdns.def.in | 3 lib/dns/zone.c | 46 lib/isc/ht.c | 556 - lib/isc/include/isc/endian.h | 34 lib/isc/include/isc/ht.h | 28 lib/isc/include/isc/netmgr.h | 3 lib/isc/include/isc/radix.h | 2 lib/isc/include/isc/resultclass.h | 2 lib/isc/netaddr.c | 2 lib/isc/netmgr/netmgr-int.h | 1 lib/isc/netmgr/netmgr.c | 36 lib/isc/netmgr/tcp.c | 6 lib/isc/netmgr/tcpdns.c | 4 lib/isc/netmgr/udp.c | 6 lib/isc/netmgr/uv-compat.h | 2 lib/isc/tests/ht_test.c | 57 lib/isc/unix/include/isc/net.h | 4 lib/isc/url.c | 5 lib/isc/win32/file.c | 8 lib/isc/win32/fsaccess.c | 2 lib/isc/win32/include/isc/net.h | 4 lib/isc/win32/include/isc/stat.h | 4 lib/ns/query.c | 34 lib/ns/tests/nstest.c | 2 lib/ns/xfrout.c | 2 srcid | 2 version | 2 416 files changed, 26877 insertions(+), 24985 deletions(-) diff -Nru bind9-9.16.44/.editorconfig bind9-9.16.48/.editorconfig --- bind9-9.16.44/.editorconfig 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.48/.editorconfig 2024-02-11 11:31:39.000000000 +0000 
@@ -0,0 +1,5 @@ +[{bin/tests/**.sh,bin/tests/**.sh.in,util/**.sh}] +indent_style = space +indent_size = 2 +binary_next_line = true +switch_case_indent = true diff -Nru bind9-9.16.44/.gitlab-ci.yml bind9-9.16.48/.gitlab-ci.yml --- bind9-9.16.44/.gitlab-ci.yml 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/.gitlab-ci.yml 2024-02-11 11:31:39.000000000 +0000 @@ -19,7 +19,7 @@ TEST_PARALLEL_JOBS: 4 CONFIGURE: ./configure - CLANG_VERSION: 16 + CLANG_VERSION: 17 CLANG: "clang-${CLANG_VERSION}" SCAN_BUILD: "scan-build-${CLANG_VERSION}" LLVM_SYMBOLIZER: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" @@ -38,9 +38,6 @@ UBSAN_OPTIONS: "halt_on_error=1:abort_on_error=1:disable_coredump=0" - TARBALL_COMPRESSOR: xz - TARBALL_EXTENSION: xz - INSTALL_PATH: "${CI_PROJECT_DIR}/.local" # Disable pytest's "cacheprovider" plugin to prevent it from creating @@ -83,7 +80,7 @@ - ovh - amd64 -# Autoscaling GitLab Runner on AWS EC2 +# Autoscaling GitLab Runner on AWS EC2 (amd64) .linux-amd64: &linux_amd64 tags: @@ -92,21 +89,16 @@ - runner-manager - amd64 -# Stress-testing runners +# Autoscaling GitLab Runner on AWS EC2 (arm64) -.linux-stress-amd64: &linux_stress_amd64 +.linux-arm64: &linux_arm64 tags: - - amd64 + - linux - aws - - linux-stress - - stress - -.linux-stress-arm64: &linux_stress_arm64 - tags: + - runner-manager - aarch64 - - aws - - linux-stress - - stress + +# Stress-testing runners .freebsd-stress-amd64: &freebsd_stress_amd64 tags: @@ -124,8 +116,8 @@ # Alpine Linux -.alpine-3.18-amd64: &alpine_3_18_amd64_image - image: "$CI_REGISTRY_IMAGE:alpine-3.18-amd64" +.alpine-3.19-amd64: &alpine_3_19_amd64_image + image: "$CI_REGISTRY_IMAGE:alpine-3.19-amd64" <<: *linux_amd64 # Oracle Linux 
@@ -180,24 +172,20 @@ # Fedora -.tsan-fedora-38-amd64: &tsan_fedora_38_amd64_image - image: "$CI_REGISTRY_IMAGE:tsan-fedora-38-amd64" +.tsan-fedora-39-amd64: &tsan_fedora_39_amd64_image + image: "$CI_REGISTRY_IMAGE:tsan-fedora-39-amd64" <<: *linux_amd64 -.fedora-38-amd64: &fedora_38_amd64_image - image: "$CI_REGISTRY_IMAGE:fedora-38-amd64" +.fedora-39-amd64: &fedora_39_amd64_image + image: "$CI_REGISTRY_IMAGE:fedora-39-amd64" <<: *linux_amd64 -.fedora-38-arm64: &fedora_38_arm64_image - image: "$CI_REGISTRY_IMAGE:fedora-38-arm64" - <<: *linux_stress_arm64 +.fedora-39-arm64: &fedora_39_arm64_image + image: "$CI_REGISTRY_IMAGE:fedora-39-arm64" + <<: *linux_arm64 # Ubuntu -.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image - image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64" - <<: *linux_amd64 - .ubuntu-focal-amd64: &ubuntu_focal_amd64_image image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64" <<: *linux_amd64 @@ -228,8 +216,12 @@ image: "freebsd-13.2-x86_64" <<: *libvirt_amd64 +.freebsd-14-amd64: &freebsd_14_amd64_image + image: "freebsd-14.0-x86_64" + <<: *libvirt_amd64 + .openbsd-amd64: &openbsd_amd64_image - image: "openbsd-7.3-x86_64" + image: "openbsd-7.4-x86_64" <<: *libvirt_amd64 ### Job Templates @@ -263,15 +255,6 @@ <<: *base_image stage: precheck -.autoconf: &autoconf_job - <<: *default_triggering_rules - <<: *base_image - stage: precheck - script: - - autoreconf2.69 -fi - artifacts: - untracked: true - .configure: &configure - ${CONFIGURE} --disable-maintainer-mode @@ -309,12 +292,10 @@ - test -z "${CROSS_COMPILATION}" || grep -F -A 1 "checking whether we are cross compiling" config.log | grep -q "result.*yes" - test -z "${CROSS_COMPILATION}" || file lib/dns/gen | grep -F -q "ELF 64-bit LSB" - test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" ) - needs: - - job: autoreconf - artifacts: true artifacts: untracked: true when: always + needs: [] .windows_build: &windows_build_job stage: build 
@@ -351,52 +332,6 @@ - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh) - test -n "${SLOT}" && test "${SLOT}" -gt 0 -cross-version-config-tests: - stage: system - <<: *base_image - <<: *default_triggering_rules - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - # Disable option checking to prevent problems with new default options in - # the &configure anchor. - EXTRA_CONFIGURE: "--disable-option-checking" - script: - # Exclude the dyndb test from the system test as the sample library can't - # locate the libdns library from the BIND 9 baseline version. - - sed -i '/^dyndb \\$/d' bin/tests/system/conf.sh.common - - *configure - - *setup_interfaces - - make -j${BUILD_PARALLEL_JOBS:-1} - - export BIND_BRANCH=16 - # When testing a .0 release, compare it against the previous development - # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22). - - if [ "$(sed -n -E "s|^m4_define\(\[bind_VERSION_PATCH\], ([0-9]+)\)dnl$|\1|p" configure.ac)" = "0" ]; then export BIND_BRANCH=$((BIND_BRANCH - 1 - (BIND_BRANCH % 2))); fi - - BASELINE="$(curl -s "https://gitlab.isc.org/api/v4/projects/1/repository/tags?search=^v9.${BIND_BRANCH}&order_by=version" | jq -r ".[0].name")" - - git clone --branch "${BASELINE}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git "bind-${BASELINE}" - - cd "bind-${BASELINE}" - - autoreconf2.69 -fi - - *configure - - make -j${BUILD_PARALLEL_JOBS:-1} - - cd bin/tests/system - # Neutralize shell and pytests; in effect, "nsX" servers are just started - # and stopped, thus configuration checked. - - truncate --size=0 */tests{.sh,*.py} - # Run the setup phase of all system tests in the most recently tagged BIND 9 - # release using the binaries built for the current BIND 9 version. This - # intends to detect obvious backward compatibility issues with the latter. 
- - sed -i -E "s|(export TOP)=.*|\1=${CI_PROJECT_DIR}|" conf.sh - - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 - needs: - - job: autoreconf - artifacts: true - artifacts: - paths: - - bind-* - untracked: true - expire_in: "1 day" - when: on_failure - .system_test_common: &system_test_common <<: *default_triggering_rules stage: system @@ -504,9 +439,6 @@ # Jobs in the precheck stage -autoreconf: - <<: *autoconf_job - misc: <<: *precheck_job script: @@ -525,7 +457,6 @@ - sh util/check-win32util-configure - sh util/check-categories.sh - sh util/xmllint-html.sh - needs: [] artifacts: paths: - checklibs.out @@ -533,7 +464,6 @@ black: <<: *precheck_job - needs: [] script: - black $(git ls-files '*.py' '*.py.in') - git diff > black.patch @@ -546,7 +476,6 @@ clang-format: <<: *precheck_job - needs: [] script: - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi - git diff > clang-format.patch @@ -559,25 +488,41 @@ coccinelle: <<: *precheck_job - needs: [] script: - util/check-cocci - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi reuse: <<: *precheck_job - needs: [] image: name: docker.io/fsfe/reuse:latest entrypoint: [""] script: - reuse lint -danger: +shfmt: <<: *precheck_job needs: [] script: - - danger-python ci -f + - shfmt -w -i 2 -ci -bn bin/tests/system/ util/ $(find bin/tests/system/ -name "*.sh.in") + - git diff > shfmt.patch + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - shfmt.patch + expire_in: "1 week" + when: on_failure + +danger: + <<: *precheck_job + # Keep the GIT_DEPTH environment variable set to a "high number" before + # https://github.com/libgit2/libgit2/pull/6662 is addressed and integrated + # into pygit2. + variables: + GIT_DEPTH: 1000 + script: + - pip install git+https://gitlab.isc.org/isc-projects/hazard.git + - hazard only: refs: - merge_requests 
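Review bot: The rewritten `danger` job runs `pip install git+https://gitlab.isc.org/isc-projects/hazard.git` with no ref, so every merge-request pipeline executes whatever the default branch of that repository holds at that moment. Pinning to a tag or commit, e.g. `pip install git+https://gitlab.isc.org/isc-projects/hazard.git@<HAZARD_COMMIT_SHA>` (placeholder), would make the job reproducible and keep an unreviewed change there from running with this job's CI variables. The `reuse` job in the same hunk still uses `docker.io/fsfe/reuse:latest`, which floats in the same way; a digest pin would address it.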
@@ -588,19 +533,16 @@ <<: *default_triggering_rules <<: *base_image stage: postcheck - needs: - - job: autoreconf - artifacts: true script: - *configure - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python" - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') + needs: [] checkbashisms: <<: *precheck_job - needs: [] script: - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print | sed -e '/^\.\/install-sh$/d') @@ -620,10 +562,10 @@ - rm -rf "${BIND_DIRECTORY}/tmp/.doctrees/" - for man in "${BIND_DIRECTORY}/doc/man/"*; do mv "$man" "$man"in; done - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/doc/man/"*in - - ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar" + - xz "${BIND_DIRECTORY}.tar" artifacts: paths: - - bind-*.tar.${TARBALL_EXTENSION} + - bind-*.tar.xz # Jobs for doc builds on Debian 12 "bookworm" (amd64) 
@@ -641,40 +583,96 @@ - *configure - make -j${BUILD_PARALLEL_JOBS:-1} all V=1 - make -j${BUILD_PARALLEL_JOBS:-1} doc V=1 - - if test "$(git status --porcelain | grep -Ev '\?\?' | grep -v -F -e aclocal.m4 -e configure -e ltmain.sh -e m4/ | wc -l)" -gt "0"; then git status --short; exit 1; fi - - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf + - if test "$(git status --porcelain | grep -Ev '\?\?' | grep -v -F -e aclocal.m4 -e configure -e ltmain.sh -e bin/named/bind9.xsl.h -e m4/ | wc -l)" -gt "0"; then git status --short; exit 1; fi - find doc/man/ -maxdepth 1 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. ft C" -e "input text line longer than 80 bytes" ) - needs: - - job: autoreconf - artifacts: true artifacts: paths: - doc/arm/ - doc/man/ - doc/misc/ when: always + needs: [] + +docs:pdf: + <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *base_image + stage: docs + before_script: + - apt-get -y install qpdf texlive-full texlive-xetex xindy + script: + - *configure + - make -C doc/arm/ pdf V=1 + - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf + artifacts: + untracked: true + needs: [] -# Jobs for regular GCC builds on Alpine Linux 3.18 (amd64) +# Job detecting named.conf breakage introduced since the previous point release -gcc:alpine3.18:amd64: +cross-version-config-tests: + stage: system + <<: *base_image + <<: *default_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + # Disable option checking to prevent problems with new default options in + # the &configure anchor. + EXTRA_CONFIGURE: "--disable-option-checking" + script: + # Exclude the dyndb test from the system test as the sample library can't + # locate the libdns library from the BIND 9 baseline version. 
+ - sed -i '/^dyndb \\$/d' bin/tests/system/conf.sh.common + - *configure + - *setup_interfaces + - make -j${BUILD_PARALLEL_JOBS:-1} + - export BIND_BRANCH=16 + # When testing a .0 release, compare it against the previous development + # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22). + - if [ "$(sed -n -E "s|^m4_define\(\[bind_VERSION_PATCH\], ([0-9]+)\)dnl$|\1|p" configure.ac)" = "0" ]; then export BIND_BRANCH=$((BIND_BRANCH - 1 - (BIND_BRANCH % 2))); fi + - BASELINE="$(curl -s "https://gitlab.isc.org/api/v4/projects/1/repository/tags?search=^v9.${BIND_BRANCH}&order_by=version" | jq -r ".[0].name")" + - git clone --branch "${BASELINE}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git "bind-${BASELINE}" + - cd "bind-${BASELINE}" + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} + - cd bin/tests/system + # Neutralize shell and pytests; in effect, "nsX" servers are just started + # and stopped, thus configuration checked. + - truncate --size=0 */tests{.sh,*.py} + # Run the setup phase of all system tests in the most recently tagged BIND 9 + # release using the binaries built for the current BIND 9 version. This + # intends to detect obvious backward compatibility issues with the latter. 
+ - sed -i -E "s|(export TOP)=.*|\1=${CI_PROJECT_DIR}|" conf.sh + - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1 + artifacts: + paths: + - bind-* + untracked: true + expire_in: "1 day" + when: on_failure + needs: [] + +# Jobs for regular GCC builds on Alpine Linux 3.19 (amd64) + +gcc:alpine3.19:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - <<: *alpine_3_18_amd64_image + <<: *alpine_3_19_amd64_image <<: *build_job -system:gcc:alpine3.18:amd64: - <<: *alpine_3_18_amd64_image +system:gcc:alpine3.19:amd64: + <<: *alpine_3_19_amd64_image <<: *system_test_job needs: - - job: gcc:alpine3.18:amd64 + - job: gcc:alpine3.19:amd64 artifacts: true -unit:gcc:alpine3.18:amd64: - <<: *alpine_3_18_amd64_image +unit:gcc:alpine3.19:amd64: + <<: *alpine_3_19_amd64_image <<: *unit_test_job needs: - - job: gcc:alpine3.18:amd64 + - job: gcc:alpine3.19:amd64 artifacts: true # Jobs for regular GCC builds on Oracle Linux 7 (amd64) @@ -760,8 +758,8 @@ <<: *build_job before_script: - (! command -v sphinx-build >/dev/null) - - tar --extract --file bind-*.tar.${TARBALL_EXTENSION} - - rm -f bind-*.tar.${TARBALL_EXTENSION} + - tar --extract --file bind-*.tar.xz + - rm -f bind-*.tar.xz - cd bind-* needs: - job: tarball-create @@ -904,13 +902,11 @@ script: - *configure - *scan_build - needs: - - job: autoreconf - artifacts: true artifacts: paths: - scan-build.reports/ when: on_failure + needs: [] # Jobs for regular GCC builds on Debian "sid" (amd64) # Also tests configration option: --without-lmdb. @@ -963,8 +959,8 @@ <<: *base_image <<: *build_job before_script: - - tar --extract --file bind-*.tar.${TARBALL_EXTENSION} - - rm -f bind-*.tar.${TARBALL_EXTENSION} + - tar --extract --file bind-*.tar.xz + - rm -f bind-*.tar.xz - cd bind-* needs: - job: tarball-create 
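Review bot: In the re-added `cross-version-config-tests` job, `BASELINE` comes from `curl -s ... | jq -r ".[0].name"` and is passed to `git clone --branch` unchecked, so an empty tag list yields the literal string `null`. The failure then surfaces only as a confusing clone error. Adding `--fail` to the curl call and a guard such as `- test -n "${BASELINE}" && test "${BASELINE}" != "null"` before the clone would make the cause explicit. Because the job builds and runs test setup from the cloned tag, a short comment stating that the tag name is trusted because it comes from the project's own GitLab instance would also help.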
@@ -1015,25 +1011,6 @@ - job: gcc:tumbleweed:amd64 artifacts: true -# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64) - -gcc:bionic:amd64: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--disable-dnstap --with-gssapi --without-cmocka" - <<: *ubuntu_bionic_amd64_image - <<: *build_job - <<: *api_schedules_tags_triggers_web_triggering_rules - -system:gcc:bionic:amd64: - <<: *ubuntu_bionic_amd64_image - <<: *system_test_job - <<: *api_schedules_tags_triggers_web_triggering_rules - needs: - - job: gcc:bionic:amd64 - artifacts: true - # Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64) gcc:focal:amd64: @@ -1063,8 +1040,8 @@ gcc:jammy:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--with-libidn2" + CFLAGS: "${CFLAGS_COMMON} -O2" + EXTRA_CONFIGURE: "--with-libidn2 --disable-dnstap --with-gssapi --without-cmocka" <<: *ubuntu_jammy_amd64_image <<: *build_job @@ -1082,7 +1059,7 @@ - job: gcc:jammy:amd64 artifacts: true -# Jobs for ASAN builds on Fedora 38 (amd64) +# Jobs for ASAN builds on Fedora 39 (amd64) gcc:asan: variables: @@ -1090,18 +1067,18 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=address,undefined" EXTRA_CONFIGURE: "--with-libidn2" - <<: *fedora_38_amd64_image + <<: *fedora_39_amd64_image <<: *build_job system:gcc:asan: - <<: *fedora_38_amd64_image + <<: *fedora_39_amd64_image <<: *system_test_job needs: - job: gcc:asan artifacts: true unit:gcc:asan: - <<: *fedora_38_amd64_image + <<: *fedora_39_amd64_image <<: *unit_test_job needs: - job: gcc:asan @@ -1130,7 +1107,7 @@ - job: clang:asan artifacts: true -# Jobs for TSAN builds on Fedora 38 (amd64) +# Jobs for TSAN builds on Fedora 39 (amd64) gcc:tsan: variables: 
@@ -1138,13 +1115,13 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" - <<: *tsan_fedora_38_amd64_image + <<: *tsan_fedora_39_amd64_image <<: *build_job system:gcc:tsan: variables: TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" - <<: *tsan_fedora_38_amd64_image + <<: *tsan_fedora_39_amd64_image <<: *system_test_tsan_job needs: - job: gcc:tsan @@ -1153,7 +1130,7 @@ unit:gcc:tsan: variables: TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" - <<: *tsan_fedora_38_amd64_image + <<: *tsan_fedora_39_amd64_image <<: *unit_test_tsan_job needs: - job: gcc:tsan @@ -1314,26 +1291,42 @@ - job: clang:freebsd13:amd64 artifacts: true -# Jobs for Clang builds on OpenBSD (amd64) +# Jobs for Clang builds on FreeBSD 14 (amd64) -clang:openbsd:amd64: +clang:freebsd14:amd64: variables: - CC: clang + CFLAGS: "${CFLAGS_COMMON}" + # Disable BIND 9 GSS-API support because of Heimdal incompatibility; see FreeBSD bug #275241. + EXTRA_CONFIGURE: "${WITH_READLINE_LIBEDIT} --without-gssapi" USER: gitlab-runner - EXTRA_CONFIGURE: "--disable-dnstap" - <<: *openbsd_amd64_image + <<: *freebsd_14_amd64_image <<: *build_job -system:clang:openbsd:amd64: - <<: *openbsd_amd64_image +system:clang:freebsd14:amd64: + <<: *freebsd_14_amd64_image <<: *system_test_job - <<: *api_schedules_triggers_web_triggering_rules variables: USER: gitlab-runner needs: - - job: clang:openbsd:amd64 + - job: clang:freebsd14:amd64 artifacts: true - allow_failure: true + +unit:clang:freebsd14:amd64: + <<: *freebsd_14_amd64_image + <<: *unit_test_job + needs: + - job: clang:freebsd14:amd64 + artifacts: true + +# Jobs for Clang builds on OpenBSD (amd64) + +clang:openbsd:amd64: + variables: + CC: clang + USER: gitlab-runner + EXTRA_CONFIGURE: "--disable-dnstap" + <<: *openbsd_amd64_image + <<: *build_job # Jobs with libtool disabled 
@@ -1395,7 +1388,7 @@ - job: msvc-debug:windows:amd64 artifacts: true -# Job producing a release tarball +# Job producing a release directory release: <<: *base_image @@ -1409,24 +1402,22 @@ - find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete - find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete # Create Windows zips - - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256 + - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.xz" | tee Build/Release/SHA256 Build/Debug/SHA256 - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Release/ - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Debug/ - ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * ) - ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * ) # Prepare release tarball contents (tarballs + zips + documentation) - - mkdir -p release/doc/arm - - pushd release - - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip . - - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" + - mkdir -p "${BIND_DIRECTORY}-release/doc/arm" + - pushd "${BIND_DIRECTORY}-release" + - mv "../${BIND_DIRECTORY}.tar.xz" ../BIND*.zip . + - tar --extract --file="${BIND_DIRECTORY}.tar.xz" - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README,srcid} . - rm -rf "${BIND_DIRECTORY}" - mv "../doc/arm/_build/html" doc/arm/ - mv "../doc/arm/_build/latex/Bv9ARM.pdf" doc/arm/ - echo 'Redirect' > "RELEASE-NOTES-${BIND_DIRECTORY}.html" - popd - # Create release tarball - - tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/ needs: - job: tarball-create artifacts: true 
@@ -1436,12 +1427,56 @@ artifacts: true - job: docs artifacts: true + - job: docs:pdf + artifacts: true only: - tags artifacts: paths: + - "*-release" + expire_in: "1 month" + +# Job signing the source tarballs in the release directory + +sign: + stage: release + tags: + - signer + script: + - export RELEASE_DIRECTORY="$(echo *-release)" + - pushd "${RELEASE_DIRECTORY}" + - | + echo + cat > /tmp/sign-bind9.sh <>> Signing \${FILE}..." + gpg2 --local-user "\${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "\${FILE}.asc" "\${FILE}" + done + } 2>&1 | tee "${CI_PROJECT_DIR}/signing.log" + EOF + chmod +x /tmp/sign-bind9.sh + echo -e "\e[31m*** Please sign the releases by following the instructions at:\e[0m" + echo -e "\e[31m*** \e[0m" + echo -e "\e[31m*** ${SIGNING_HELP_URL}\e[0m" + echo -e "\e[31m*** \e[0m" + echo -e "\e[31m*** Sleeping until files in ${PWD} are signed... ⌛\e[0m" + while [ "$(find . -name "*.asc" -size +0 | sed "s|\.asc$||" | sort)" != "$(find . -name "*.tar.xz" -o -name "*.zip" | sort)" ]; do sleep 10; done + - popd + - tar --create --file="${RELEASE_DIRECTORY}.tar.gz" --gzip "${RELEASE_DIRECTORY}" + artifacts: + paths: - "*.tar.gz" + - signing.log expire_in: never + needs: + - job: release + artifacts: true + only: + - tags + when: manual + allow_failure: false # Coverity Scan analysis upload @@ -1482,9 +1517,6 @@ - *coverity_build after_script: - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ - needs: - - job: autoreconf - artifacts: true artifacts: paths: - curl-response.txt @@ -1495,6 +1527,7 @@ variables: - $COVERITY_SCAN_PROJECT_NAME - $COVERITY_SCAN_TOKEN + needs: [] # Respdiff tests 
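Review bot: The wait loop in the new `sign` job only checks that a non-empty `.asc` file exists for every `*.tar.xz` and `*.zip`; it never checks that the file is a valid signature over that artifact. A truncated or mismatched signature would therefore still be packed into the `*.tar.gz` artifact, which has `expire_in: never`. After the loop and before `popd`, verify each pair, for example `for f in *.tar.xz *.zip; do gpg2 --verify "${f}.asc" "${f}" || exit 1; done`, assuming the public key is available on the signer runner. The helper is also written to the fixed path `/tmp/sign-bind9.sh`; if that host is shared with other accounts, a directory from `mktemp -d` would rule out a pre-created file or symlink at that name. The heredoc body is partly garbled in this view, so the generated script itself is not reviewed here.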
@@ -1606,18 +1639,16 @@ - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - cd bind-qa/bind9/stress - LD_LIBRARY_PATH="${INSTALL_PATH}/usr/local/lib" BIND_INSTALL_PATH="${INSTALL_PATH}/usr/local" WORKSPACE="${CI_PROJECT_DIR}" bash stress.sh - needs: - - job: autoreconf - artifacts: true artifacts: untracked: true expire_in: "1 week" when: always timeout: 2h + needs: [] -stress:authoritative:fedora:38:amd64: - <<: *fedora_38_amd64_image - <<: *linux_stress_amd64 +stress:authoritative:fedora:39:amd64: + <<: *fedora_39_amd64_image + <<: *linux_amd64 <<: *stress_job variables: CC: gcc @@ -1630,9 +1661,9 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:recursive:fedora:38:amd64: - <<: *fedora_38_amd64_image - <<: *linux_stress_amd64 +stress:recursive:fedora:39:amd64: + <<: *fedora_39_amd64_image + <<: *linux_amd64 <<: *stress_job variables: CC: gcc @@ -1645,9 +1676,9 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:rpz:fedora:38:amd64: - <<: *fedora_38_amd64_image - <<: *linux_stress_amd64 +stress:rpz:fedora:39:amd64: + <<: *fedora_39_amd64_image + <<: *linux_amd64 <<: *stress_job variables: CC: gcc @@ -1660,9 +1691,9 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:authoritative:fedora:38:arm64: - <<: *fedora_38_arm64_image - <<: *linux_stress_arm64 +stress:authoritative:fedora:39:arm64: + <<: *fedora_39_arm64_image + <<: *linux_arm64 <<: *stress_job variables: CC: gcc 
@@ -1675,9 +1706,9 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:recursive:fedora:38:arm64: - <<: *fedora_38_arm64_image - <<: *linux_stress_arm64 +stress:recursive:fedora:39:arm64: + <<: *fedora_39_arm64_image + <<: *linux_arm64 <<: *stress_job variables: CC: gcc @@ -1690,9 +1721,9 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:rpz:fedora:38:arm64: - <<: *fedora_38_arm64_image - <<: *linux_stress_arm64 +stress:rpz:fedora:39:arm64: + <<: *fedora_39_arm64_image + <<: *linux_arm64 <<: *stress_job variables: CC: gcc @@ -1784,9 +1815,6 @@ pairwise: <<: *base_image stage: build - needs: - - job: autoreconf - artifacts: true script: - util/pairwise-testing.sh artifacts: @@ -1798,3 +1826,4 @@ only: variables: - $PAIRWISE_TESTING + needs: [] diff -Nru bind9-9.16.44/.reuse/dep5 bind9-9.16.48/.reuse/dep5 --- bind9-9.16.44/.reuse/dep5 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/.reuse/dep5 2024-02-11 11:31:39.000000000 +0000 @@ -156,6 +156,7 @@ .clang-format .clang-format.headers .dir-locals.el + .editorconfig .gitattributes .gitignore .gitlab-ci.yml diff -Nru bind9-9.16.44/CHANGES bind9-9.16.48/CHANGES --- bind9-9.16.44/CHANGES 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/CHANGES 2024-02-11 11:31:39.000000000 +0000 
@@ -1,3 +1,56 @@ + --- 9.16.48 released --- + +6343. [bug] Fix case insensitive setting for isc_ht hashtable. + [GL #4568] + + --- 9.16.47 released --- + +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + +6321. [security] Change 6315 inadvertently introduced regressions that + could cause named to crash. [GL #4234] + + --- 9.16.46 released --- + +6319. [security] Query patterns that continuously triggered cache + database maintenance could exhaust all available memory + on the host running named. (CVE-2023-6516) [GL #4383] + +6317. [security] Restore DNS64 state when handling a serve-stale timeout. + (CVE-2023-5679) [GL #4334] + +6316. [security] Specific queries could trigger an assertion check with + nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] + +6315. [security] Speed up parsing of DNS messages with many different + names. (CVE-2023-4408) [GL #4234] + +6314. [bug] Address race conditions in dns_tsigkey_find(). + [GL #4182] + +6304. [bug] The wrong time was being used to determine what RRSIGs + where to be generated when dnssec-policy was in use. + [GL #4494] + +6282. [func] Deprecate AES-based DNS cookies. [GL #4421] + + --- 9.16.45 released --- + +6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and + 2801:1b8:10::b. [GL #4101] + +6254. [cleanup] Add semantic patch to do an explicit cast from char + to unsigned char in ctype.h class of functions. + [GL #4327] + +6250. [bug] The wrong covered value was being set by + dns_ncache_current for RRSIG records in the returned + rdataset structure. This resulted in TYPE0 being + reported as the covered value of the RRSIG when dumping + the cache contents. [GL #4314] + --- 9.16.44 released --- 6245. 
[security] Limit the amount of recursion that can be performed diff -Nru bind9-9.16.44/bin/dnssec/dnssec-signzone.c bind9-9.16.48/bin/dnssec/dnssec-signzone.c --- bind9-9.16.44/bin/dnssec/dnssec-signzone.c 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/dnssec/dnssec-signzone.c 2024-02-11 11:31:39.000000000 +0000 @@ -101,7 +101,7 @@ "dns_dbiterator_current()") #define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3) -#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0) +#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0) #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) diff -Nru bind9-9.16.44/bin/named/config.c bind9-9.16.48/bin/named/config.c --- bind9-9.16.44/bin/named/config.c 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/named/config.c 2024-02-11 11:31:39.000000000 +0000 @@ -303,14 +303,14 @@ "# END TRUST ANCHORS\n\ \n\ primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\ - 2001:500:200::b; # b.root-servers.net\n\ + 2801:1b8:10::b; # b.root-servers.net\n\ 2001:500:2::c; # c.root-servers.net\n\ 2001:500:2f::f; # f.root-servers.net\n\ 2001:500:12::d0d; # g.root-servers.net\n\ 2001:7fd::1; # k.root-servers.net\n\ 2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\ 2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\ - 199.9.14.201; # b.root-servers.net\n\ + 170.247.170.2; # b.root-servers.net\n\ 192.33.4.12; # c.root-servers.net\n\ 192.5.5.241; # f.root-servers.net\n\ 192.112.36.4; # g.root-servers.net\n\ diff -Nru bind9-9.16.44/bin/plugins/filter-aaaa.c bind9-9.16.48/bin/plugins/filter-aaaa.c --- bind9-9.16.44/bin/plugins/filter-aaaa.c 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/plugins/filter-aaaa.c 2024-02-11 11:31:39.000000000 +0000 
@@ -350,7 +350,7 @@ cfg_line, mctx, lctx, actx)); } - isc_ht_init(&inst->ht, mctx, 16); + isc_ht_init(&inst->ht, mctx, 16, ISC_HT_CASE_SENSITIVE); isc_mutex_init(&inst->hlock); /* diff -Nru bind9-9.16.44/bin/rndc/rndc.rst bind9-9.16.48/bin/rndc/rndc.rst --- bind9-9.16.44/bin/rndc/rndc.rst 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/rndc/rndc.rst 2024-02-11 11:31:39.000000000 +0000 @@ -389,7 +389,8 @@ This command schedules zone maintenance for the given zone. ``reload`` - This command reloads the configuration file and zones. + This command reloads the configuration file and zones. As no zone is specified, + the reloading of the zones happens asynchronously. ``reload`` *zone* [*class* [*view*]] This command reloads the given zone. @@ -546,7 +547,8 @@ refused. If the zone has changed and the ``ixfr-from-differences`` option is in use, the journal file is updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing - journal file is removed. + journal file is removed. If no zone is specified, the reloading happens + asynchronously. See also ``rndc freeze``. diff -Nru bind9-9.16.44/bin/tests/system/README bind9-9.16.48/bin/tests/system/README --- bind9-9.16.44/bin/tests/system/README 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/README 2024-02-11 11:31:39.000000000 +0000 
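Review bot: The new fourth argument to `isc_ht_init()` is passed with no comment on why this table must compare keys case-sensitively. The keys stored in `inst->ht` are not visible in this hunk; if they are opaque bytes rather than DNS names, say so at the call site, e.g. `/* Keys are opaque bytes, not names: compare case-sensitively. */`. That keeps a later edit from switching the mode by analogy with name-keyed tables. The enclosing function starts and ends outside the hunk.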
@@ -662,14 +662,12 @@ need to edit multiple files to add a test.) -Valgrind +rr --- -When running system tests, named can be run under Valgrind. The output from -Valgrind are sent to per-process files that can be reviewed after the test has -completed. To enable this, set the USE_VALGRIND environment variable to -"helgrind" to run the Helgrind tool, or any other value to run the Memcheck -tool. To use "helgrind" effectively, build BIND with --disable-atomic. - +When running system tests, named can be run under the rr tool. rr records a +trace to the $system_test/nsX/named-Y/ directory, which can be later used to +replay named. To enable this, execute start.pl with the USE_RR environment +variable set. Maintenance Notes === diff -Nru bind9-9.16.44/bin/tests/system/acl/tests.sh bind9-9.16.48/bin/tests/system/acl/tests.sh --- bind9-9.16.44/bin/tests/system/acl/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/acl/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -22,38 +22,52 @@ echo_i "testing basic ACL processing" # key "one" should fail -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other key should be fine -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} copy_setports ns2/named2.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 sleep 5 # prefix 10/8 should fail -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other address should work, as long as it sends key "one" -t=`expr $t + 1` -$DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} + +t=$(expr $t + 1) +$DIG $DIGOPTS tsigzone. 
\ + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} echo_i "testing nested ACL processing" # all combinations of 10.53.0.{1|2} with key {one|two}, should succeed 
@@ -62,45 +76,66 @@ sleep 5 # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # but only one or the other should fail -t=`expr $t + 1` -$DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. 
\ - @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} + +t=$(expr $t + 1) +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $tt failed" + status=1 +} # and other values? right out -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two copy_setports ns2/named4.conf.in ns2/named.conf 
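Review bot: The failure message for the unsigned AXFR check (`-b 10.53.0.2 axfr` with no `-y`) still expands `$tt`, which is not set anywhere in the visible script, so a failure is reported without a test number; the reformatted line should read `echo_i "test $t failed"`. In the same hunk the third and fourth "should succeed" cases are identical (`-b 10.53.0.1 axfr -y two:1234abcd8765`). The combination of 10.53.0.1 with key `one`, which the section comment "all combinations of 10.53.0.{1|2} with key {one|two}" promises, is therefore never exercised against this ACL. One of the two presumably should use `-y one:1234abcd8765`.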
@@ -108,63 +143,81 @@ sleep 5 # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should fail -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail -t=`expr $t + 1` +t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. 
\ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing allow-query-on ACL processing" copy_setports ns2/named5.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 sleep 5 -t=`expr $t + 1` +t=$(expr $t + 1) $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.${t} -grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 >dig.out.${t} +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing blackhole ACL processing" -t=`expr $t + 1` +t=$(expr $t + 1) ret=0 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.1.${t} -grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.1.${t} +grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} -grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1 -grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} +grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1 +grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.3.${t} -grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.3.${t} +grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. 
\ - @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} -grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1 -grep "connection timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} +grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1 +grep "connection timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) # AXFR tests against ns3 @@ -174,26 +227,26 @@ $RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; ' sleep 1 -t=`expr $t + 1` +t=$(expr $t + 1) ret=0 echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "calling rndc reconfig" rndc_reconfig ns3 10.53.0.3 sleep 1 -t=`expr $t + 1` +t=$(expr $t + 1) ret=0 echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) # AXFR tests against ns4 
@@ -203,26 +256,26 @@ $RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; ' sleep 1 -t=`expr $t + 1` +t=$(expr $t + 1) ret=0 echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "calling rndc reconfig" rndc_reconfig ns4 10.53.0.4 sleep 1 -t=`expr $t + 1` +t=$(expr $t + 1) ret=0 echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/additional/tests.sh bind9-9.16.48/bin/tests/system/additional/tests.sh --- bind9-9.16.44/bin/tests/system/additional/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/additional/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -21,229 +21,245 @@ n=0 dotests() { - n=`expr $n + 1` - echo_i "test with RT, single zone (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with RT, two zones (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NAPTR, single zone (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NAPTR, two zones (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with LP (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + n=$(expr $n + 1) + echo_i "test with RT, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with RT, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NAPTR, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NAPTR, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + 
status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in no) - grep -w "NS" dig.out.$n > /dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; yes) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 ;; no-auth) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 - ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NID (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NID + LP (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - 
# change && to || when we support NID additional processing - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with RT, single zone (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with RT, two zones (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NAPTR, single zone (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NAPTR, two zones (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with LP (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 + ;; + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NID (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "L64" 
dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NID + LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with RT, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with RT, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NAPTR, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NAPTR, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in no) - grep -w "NS" dig.out.$n > 
/dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; yes) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 ;; no-auth) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep -w "NS" dig.out.$n > /dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 - ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NID (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NID + LP (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - 
grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NS, root zone ($n)" - ret=0 - $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1 - # Always expect glue for root priming queries, regardless $minimal - grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=`expr $n + 1` - echo_i "test with NS, non-root zone ($n)" - ret=0 - $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 + ;; + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NID (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NID + LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + 
echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NS, root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1 + # Always expect glue for root priming queries, regardless $minimal + grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$(expr $n + 1) + echo_i "test with NS, non-root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in yes) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no-auth) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi } echo_i "testing with 'minimal-responses yes;'" 
@@ -258,44 +274,48 @@ minimal=no dotests -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing with 'minimal-any no;' ($n)" ret=0 -$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "reconfiguring server: minimal-any yes" copy_setports ns1/named3.conf.in ns1/named.conf rndc_reconfig ns1 10.53.0.1 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing with 'minimal-any yes;' over UDP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing with 'minimal-any yes;' over TCP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing with 'minimal-any yes;' over UDP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > 
/dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "testing with 'minimal-responses no-auth;'" 
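Review bot: The header-count checks in this hunk are substring matches, so `grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"` also passes on a response whose additional count is 10 or more. ADDITIONAL is normally the last field on dig's header line, so anchoring the end pins the count, e.g. `grep 'ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1$' dig.out.$n >/dev/null || ret=1`. These assertions are what show that `minimal-any yes` trims ANY answers over UDP while TCP still returns the full set, so a loose match weakens the regression guard for that behaviour. The bare `grep "ADDITIONAL: 2"` and `grep "ADDITIONAL: 3"` lines in the following hunk (`@@ -310,68 +330,74 @@`) have the same gap.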
@@ -310,68 +330,74 @@ minimal=no-auth-recursive dotests -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing returning TLSA records with MX query ($n)" ret=0 -$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1 -grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1 -grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 -grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1 +grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1 +grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1 +grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing returning TLSA records with SRV query ($n)" ret=0 -$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1 -grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1 -grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 -grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1 +grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1 +grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1 +grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 
D9FCE383" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "reconfiguring server: minimal-responses no" copy_setports ns1/named2.conf.in ns1/named.conf rndc_reconfig ns1 10.53.0.1 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing NS handling in ANY responses (authoritative) ($n)" ret=0 -$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 -grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing NS handling in ANY responses (recursive) ($n)" ret=0 -$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1 -grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 -grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)" ret=0 -$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing out-of-zone additional data from auth zones (recursive) 
($n)" ret=0 -$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1 -grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1 +grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/addzone/tests.sh bind9-9.16.48/bin/tests/system/addzone/tests.sh --- bind9-9.16.44/bin/tests/system/addzone/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/addzone/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -18,9 +18,9 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" check_zonestatus() ( - $RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" && - grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null && - grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null + $RNDCCMD "10.53.0.$1" zonestatus -redirect >"zonestatus.out.ns$1.$n" \ + && grep "type: redirect" "zonestatus.out.ns$1.$n" >/dev/null \ + && grep "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null ) status=0 
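Review bot: In `check_zonestatus`, `grep "serial: 1"` matches any serial that merely begins with 1 (10, 123, ...), so the helper can report success when the redirect zone is not at the serial the reload tests wait for. Matching the whole line closes that, e.g. `grep -x "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null`, assuming rndc prints the field on a line of its own with no leading text; that is worth confirming against a captured zonestatus output file. The helper also builds its output file name from the global `$n`, which deserves a one-line comment above it such as `# check_zonestatus N: redirect zone on 10.53.0.N is at serial 1 (uses global $n)`.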
@@ -28,463 +28,465 @@ echo_i "checking normally loaded zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # When LMDB support is compiled in, this tests that migration from # NZF to NZD occurs during named startup echo_i "checking previously added zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.previous.example' dig.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if $FEATURETEST --with-lmdb; then - echo_i "checking that existing NZF file was renamed after migration ($n)" - [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking that existing NZF file was renamed after migration ($n)" + [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "adding new zone ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -_check_adding_new_zone () ( - $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && - grep 'status: 
NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.$n > /dev/null +_check_adding_new_zone() ( + $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_adding_new_zone || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) nextpart ns2/named.run >/dev/null echo_i "checking addzone errors are logged correctly" ret=0 -$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1 wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) nextpart ns2/named.run >/dev/null echo_i "checking modzone errors are logged correctly" ret=0 -$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1 wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "adding a zone that requires quotes ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_zone_that_requires_quotes() ( - $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.32/1.0.0.127-in-addr.added.example' 
dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_zone_that_requires_quotes || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "adding a zone with a quote in the name ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_zone_with_a_quote() ( - $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.foo\\"bar.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_zone_with_a_quote || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "adding new zone with missing file ($n)" ret=0 -$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1 -grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1 -$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n -grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 -$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1 -grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.pre.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.pre.$n >/dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2>rndc.out.ns2.$n +grep "file not found" 
rndc.out.ns2.$n >/dev/null || ret=1 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.post.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.post.$n >/dev/null || ret=1 digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if ! $FEATURETEST --with-lmdb; then - echo_i "verifying no comments in NZF file ($n)" - ret=0 - hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l` - [ $hcount -eq 0 ] || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "verifying no comments in NZF file ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) + [ $hcount -eq 0 ] || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "checking rndc showzone with previously added zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone previous.example >rndc.out.ns2.$n expected='zone "previous.example" { type primary; file "previous.db"; };' -[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 -n=`expr $n + 1` +[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if $FEATURETEST --with-lmdb; then - echo_i "checking zone is present in NZD ($n)" - ret=0 - $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking zone is present in NZD ($n)" + ret=0 + $NZD2NZF ns2/_default.nzd | grep previous.example >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "deleting previously added zone ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 
previous.example 2>&1 | sed 's/^/I:ns2 /' _check_deleting_previously_added_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.previous.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep '^a.previous.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_previously_added_zone || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) check_nzd2nzf() ( - $NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n && - ! grep previous.example nzd2nzf.out.$n > /dev/null + $NZD2NZF ns2/_default.nzd >nzd2nzf.out.$n \ + && ! grep previous.example nzd2nzf.out.$n >/dev/null ) if $FEATURETEST --with-lmdb; then - echo_i "checking zone was deleted from NZD ($n)" - retry_quiet 10 check_nzd2nzf || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking zone was deleted from NZD ($n)" + retry_quiet 10 check_nzd2nzf || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi if ! 
$FEATURETEST --with-lmdb; then - echo_i "checking NZF file now has comment ($n)" - ret=0 - hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l` - [ $hcount -eq 1 ] || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking NZF file now has comment ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) + [ $hcount -eq 1 ] || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "deleting newly added zone added.example ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.added.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "deleting newly added zone with escaped quote ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone_quote() ( - $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! 
grep "^a.foo\"bar.example" dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc showzone with a normally-loaded zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone normal.example >rndc.out.ns2.$n expected='zone "normal.example" { type primary; file "normal.db"; };' -[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 -n=`expr $n + 1` +[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone finaldot.example >rndc.out.ns2.$n expected='zone "finaldot.example." { type primary; file "normal.db"; };' -[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 -n=`expr $n + 1` +[ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)" ret=0 -$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n +$RNDCCMD 10.53.0.1 showzone -redirect >rndc.out.ns1.$n expected='zone "." 
{ type redirect; file "redirect.db"; };' -[ "`cat rndc.out.ns1.$n`" = "$expected" ] || ret=1 -n=`expr $n + 1` +[ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)" ret=0 -$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n -grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1 -grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.1 zonestatus -redirect >rndc.out.ns1.$n +grep "type: redirect" rndc.out.ns1.$n >/dev/null || ret=1 +grep "serial: 0" rndc.out.ns1.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc reload with a normally-loaded redirect zone ($n)" ret=0 sleep 1 cp -f ns1/redirect.db.2 ns1/redirect.db -$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n +$RNDCCMD 10.53.0.1 reload -redirect >rndc.out.ns1.$n retry_quiet 5 check_zonestatus 1 || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "delete a normally-loaded zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1 -grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11 -grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1 -grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 delzone normal.example >rndc.out.ns2.$n 2>&1 +grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11 +grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n >/dev/null || ret=1 +grep "must also be removed from named.conf." 
rndc.out.ns2.$n >/dev/null || ret=1 _check_delete_normally_loaded_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_delete_normally_loaded_zone || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to add primary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_add_primary_zone_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inline.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inline.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inline.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_add_primary_zone_with_inline || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to add primary zone with inline signing and missing file ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n -grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2>rndc.out.ns2.$n +grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to add secondary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 
'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_add_secondary_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_add_secondary_with_inline || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to delete secondary zone with inline signing ($n)" ret=0 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 -$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1 -test -f inlinesec.bk || -grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || { - echo_i "failed to report inlinesec.bk"; ret=1; +$RNDCCMD 10.53.0.2 delzone inlinesec.example >rndc.out2.test$n 2>&1 || ret=1 +test -f inlinesec.bk \ + || grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || { + echo_i "failed to report inlinesec.bk" + ret=1 } -test ! -f inlinesec.bk.signed || -grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || { - echo_i "failed to report inlinesec.bk.signed"; ret=1; +test ! 
-f inlinesec.bk.signed \ + || grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || { + echo_i "failed to report inlinesec.bk.signed" + ret=1 } -n=`expr $n + 1` -status=`expr $status + $ret` +n=$(expr $n + 1) +status=$(expr $status + $ret) echo_i "restoring secondary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_restoring_secondary_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_restoring_secondary_with_inline || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "deleting secondary zone with automatic zone file removal ($n)" ret=0 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 -$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1 +$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1 retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! 
-f ns2/inlinesec.bk -n=`expr $n + 1` -status=`expr $status + $ret` +n=$(expr $n + 1) +status=$(expr $status + $ret) echo_i "modifying zone configuration ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i -$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i -$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1 -$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.2.$n || ret=1 +$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that adding a 'stub' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that adding a 'static-stub' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' >rndc.out.ns2.$n 2>&1 || ret=1 
+n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that adding a 'primary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' >rndc.out.ns2.$n 2>&1 || ret=1 _check_add_primary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && - grep "type redirect;" showzone.out.ns2.$n > /dev/null && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 0" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \ + && grep "type redirect;" showzone.out.ns2.$n >/dev/null \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_add_primary_redirect || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that reloading a added 'primary redirect' zone works ($n)" ret=0 sleep 1 cp -f ns2/redirect.db.2 ns2/redirect.db -$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 reload -redirect >rndc.out.ns2.$n retry_quiet 10 check_zonestatus 2 || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)" ret=0 -$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi 
-status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that deleting a 'primary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1 _check_deleting_primary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true - grep 'not found' showzone.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_primary_redirect || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that adding a 'secondary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1 _check_adding_secondary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && - grep "type redirect;" showzone.out.ns2.$n > /dev/null && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 0" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \ + && grep "type redirect;" showzone.out.ns2.$n >/dev/null \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_adding_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that retransfering a 
added 'secondary redirect' zone works ($n)" ret=0 cp -f ns3/redirect.db.2 ns3/redirect.db -$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 reload . >showzone.out.ns3.$n 2>&1 || ret=1 _check_retransfering_secondary_redirect() ( - $RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 1" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 1" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_retransfering_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that deleting a 'secondary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1 _check_deleting_secondary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true - grep 'not found' showzone.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_secondary_redirect || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that zone type 'hint' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone '"." 
{ type hint; file "hints.db"; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that zone type 'forward' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that zone type 'delegation-only' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check that 'in-view' zones are properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi 
-status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "reconfiguring server with multiple views" rm -f ns2/named.conf 
@@ -499,118 +501,118 @@ # the zone does not exist because a) it has not yet been loaded, b) # it failed to load, or c) it has been deleted. ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if ! 
$FEATURETEST --with-lmdb; then - echo_i "checking new NZF file has comment ($n)" - ret=0 - hcount=`grep "^# New zone file for view: external" ns2/external.nzf | wc -l` - [ $hcount -eq 1 ] || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking new NZF file has comment ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l) + [ $hcount -eq 1 ] || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi if $FEATURETEST --with-lmdb; then - echo_i "verifying added.example in external view created an external.nzd DB ($n)" - ret=0 - [ -e ns2/external.nzd ] || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "verifying added.example in external view created an external.nzd DB ($n)" + ret=0 + [ -e ns2/external.nzd ] || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)" ret=0 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i _check_rndc_reload_external_view_config() ( - $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && - grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && - $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && - grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \ + && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \ + && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \ + && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null ) retry_quiet 10 
_check_rndc_reload_external_view_config || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking rndc showzone with newly added zone ($n)" _check_rndc_showzone_newly_added() ( - if ! $FEATURETEST --with-lmdb; then - expected='zone "added.example" in external { type primary; file "added.db"; };' - else - expected='zone "added.example" { type primary; file "added.db"; };' - fi - $RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null && - [ "`cat rndc.out.ns2.$n`" = "$expected" ] + if ! $FEATURETEST --with-lmdb; then + expected='zone "added.example" in external { type primary; file "added.db"; };' + else + expected='zone "added.example" { type primary; file "added.db"; };' + fi + $RNDCCMD 10.53.0.2 showzone added.example in external >rndc.out.ns2.$n 2>/dev/null \ + && [ "$(cat rndc.out.ns2.$n)" = "$expected" ] ) -retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 -n=`expr $n + 1` +retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "deleting newly added zone ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone() ( - $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.added.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! 
grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to add zone to internal view ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1 -$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n -grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.pre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.pre.$n >/dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2>rndc.out.ns2.$n +grep "permission denied" rndc.out.ns2.$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "attempting to delete a policy zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 -grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 +grep 'cannot 
be deleted' rndc.out.ns2.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "adding new zone again to external view ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_adding_new_zone_again_external() ( - $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && - grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && - $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && - grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \ + && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \ + && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \ + && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null ) retry_quiet 10 _check_adding_new_zone_again_external || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "reconfiguring server with multiple views and new-zones-directory" rm -f ns2/named.conf 
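Review bot: The two negative access-control checks in this hunk, "attempting to add zone to internal view" and "attempting to delete a policy zone", only grep the captured stderr and never assert that rndc itself failed. The rejected-zone-type checks in the preceding hunk do assert it with `&& ret=1`, which suggests rndc exits non-zero on a refusal. In the delzone line the trailing `>&1` redirects stdout onto itself and is a no-op, so only stderr reaches the file. `$RNDCCMD 10.53.0.2 delzone 'policy in internal' >rndc.out.ns2.$n 2>&1 && ret=1` would capture both streams and fail the test if the deletion were ever accepted. The addzone line can take the same `&& ret=1`, so a regression that lets the zone into the internal view is caught even if the message text changes.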
@@ -619,137 +621,136 @@ echo_i "checking new zone is still loaded after dir change ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "deleting newly added zone from external ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' -$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "adding new zone to directory view ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || 
ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dirpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.dirpre.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dir.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.dir.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.dir.$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if $FEATURETEST --with-lmdb; then - echo_i "checking NZD file was created in new-zones-directory ($n)" - expect=ns2/new-zones/directory.nzd + echo_i "checking NZD file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzd else - echo_i "checking NZF 
file was created in new-zones-directory ($n)" - expect=ns2/new-zones/directory.nzf + echo_i "checking NZF file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzf fi $RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /' sleep 2 [ -e "$expect" ] || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "deleting newly added zone from directory ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /' -$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "ensure the configuration context is cleaned up correctly ($n)" ret=0 rndc_reconfig ns2 10.53.0.2 -$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.2 status >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "check delzone after reconfig failure ($n)" ret=0 -$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. 
IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' >/dev/null 2>&1 || ret=1 copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 -$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$RNDCCMD 10.53.0.3 delzone inlinesec.example >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -if ! $FEATURETEST --with-lmdb -then - echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)" - ret=0 - $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 - $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1 - $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 - $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1 - grep test2.baz ns3/_default.nzf > /dev/null && ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +if ! 
$FEATURETEST --with-lmdb; then + echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)" + ret=0 + $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' >/dev/null 2>&1 && ret=1 + $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 delzone "test3.baz" >/dev/null 2>&1 || ret=1 + grep test2.baz ns3/_default.nzf >/dev/null && ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi _check_version_bind() ( - $DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n && - grep "status: NOERROR" dig.out.test$n > /dev/null + $DIG $DIGOPTS @10.53.0.3 version.bind txt ch >dig.out.test$n \ + && grep "status: NOERROR" dig.out.test$n >/dev/null ) echo_i "check that named restarts with multiple added zones ($n)" ret=0 -$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 
+$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 stop_server ns3 start_server --noclean --restart --port ${PORT} ns3 || ret=1 retry_quiet 10 _check_version_bind || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1 -grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1 -grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || 
ret=1 +grep "ANSWER: 1," dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.4.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' >dig.out.5.test$n || ret=1 +grep "status: NOERROR" dig.out.5.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.5.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' >dig.out.6.test$n || ret=1 +grep "status: NOERROR" dig.out.6.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/allow-query/setup.sh bind9-9.16.48/bin/tests/system/allow-query/setup.sh --- bind9-9.16.44/bin/tests/system/allow-query/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/allow-query/setup.sh 2024-02-11 11:31:39.000000000 +0000 
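Review bot: In "check that named restarts with multiple added zones", seven zones are added before the restart but only six are queried afterwards; the quote-containing name `"test\".baz"` never gets an SOA check. That name looks like the one most likely to expose an escaping problem when the stored zone configuration is re-read, so a successful restart alone does not show that the zone was loaded. Adding `$DIG $DIGOPTS @10.53.0.3 SOA 'test\".baz' >dig.out.7.test$n || ret=1` followed by the same two greps for `status: NOERROR` and `ANSWER: 1,` would close the gap. Separately, the "checking NZD/NZF file was created in new-zones-directory" step does not reset `ret=0` and relies on a fixed `sleep 2`; `retry_quiet 10 test -e "$expect" || ret=1` would match the rest of the file.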
@@ -15,6 +15,6 @@ . $SYSTEMTESTTOP/conf.sh copy_setports ../common/controls.conf.in ns2/controls.conf -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named01.conf.in ns2/named.conf -copy_setports ns3/named1.conf.in ns3/named.conf +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named01.conf.in ns2/named.conf +copy_setports ns3/named1.conf.in ns3/named.conf diff -Nru bind9-9.16.44/bin/tests/system/allow-query/tests.sh bind9-9.16.48/bin/tests/system/allow-query/tests.sh --- bind9-9.16.44/bin/tests/system/allow-query/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/allow-query/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -60,629 +60,628 @@
 status=0
 n=0
-nextpart ns2/named.run > /dev/null
+nextpart ns2/named.run >/dev/null
 # Test 1 - default, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 2 - explicit any, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named02.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 3 - none, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named03.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep
'^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 4 - address allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named04.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 5 - address not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named05.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 6 - address disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named06.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example'
dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 7 - acl allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named07.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 8 - acl not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named08.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
+status=$(expr $status + $ret)
 # Test 9 - acl disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named09.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS
@10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 10 - key allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named10.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 11 - key not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named11.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr
$status + $ret)
 # Test 12 - key disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named12.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # The next set of tests check if allow-query works in a view
 n=20
 # Test 21 - views default, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named21.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 22 - views explicit any, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named22.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS
@10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 23 - views none, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named23.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 24 - views address allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named24.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 25 - views address not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named25.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b
10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 26 - views address disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named26.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 27 - views acl allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named27.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 28 - views acl not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named28.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 29 - views acl disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named29.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 30 - views key allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named30.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n
>/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 31 - views key not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named31.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 32 - views key disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named32.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 33 - views over options, views allow, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named33.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2
-b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 34 - views over options, views disallow, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named34.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Tests for allow-query in the zone statements
 n=40
 # Test 41 - zone default, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named40.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: zone default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr
$status + $ret)
 # Test 42 - zone explicit any, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 43 - zone none, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 44 - zone address allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 45 - zone address not allowed, query
refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 46 - zone address disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 47 - zone acl allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 48
- zone acl not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 49 - zone acl disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 50 - zone key allowed, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status
+ $ret`
+status=$(expr $status + $ret)
 # Test 51 - zone key not allowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 52 - zone key disallowed, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: zone key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 53 - zones over options, zones allow, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named53.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep
'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 54 - zones over options, zones disallow, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named54.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 55 - zones over views, zones allow, query allowed
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named55.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 56 - zones over views, zones disallow, query refused
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named56.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b
10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 57 - zones over views, zones disallow, query refused (allow-query-on)
-n=`expr $n + 1`
+n=$(expr $n + 1)
 copy_setports ns2/named57.conf.in ns2/named.conf
 rndc_reload ns2 10.53.0.2
 echo_i "test $n: zones over views, allow-query-on"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
-grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
-grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
-grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
-grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 58 - allow-recursion default
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: default allow-recursion configuration"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
-grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
-$DIG -p ${PORT} @10.53.0.3 -b
10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
-grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n
+grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Test 59 - allow-query-cache default
-n=`expr $n + 1`
+n=$(expr $n + 1)
 echo_i "test $n: default allow-query-cache configuration"
 ret=0
-$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
-grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
-$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
-grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns .
>dig.out.ns3.2.$n +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Test 60 - block recursion-on, allow query-cache-on -n=`expr $n + 1` +n=$(expr $n + 1) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 echo_i "test $n: block recursion-on, allow query-cache-on" ret=0 # this should query the cache, and an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1 -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1 +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should require recursion and therefore can't get an answer -$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Test 61 - inheritance of allow-query-cache-on from allow-recursion-on -n=`expr $n + 1` +n=$(expr $n + 1) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 echo_i "test $n: inheritance of allow-query-cache-on" ret=0 # this should query the cache, an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n 
>/dev/null || ret=1 # this should be refused due to allow-recursion-on/allow-query-cache-on -$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 # this should require recursion and should be allowed -$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n -grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1 # this should require recursion and be refused -$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n -grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Test 62 - inheritance of allow-recursion-on from allow-query-cache-on -n=`expr $n + 1` +n=$(expr $n + 1) copy_setports ns3/named4.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 echo_i "test $n: inheritance of allow-recursion-on" ret=0 # this should query the cache, an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should be refused due to allow-recursion-on/allow-query-cache-on 
-$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 # this should require recursion and should be allowed -$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n -grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1 # this should require recursion and be refused -$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n -grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/auth/tests.sh bind9-9.16.48/bin/tests/system/auth/tests.sh --- bind9-9.16.44/bin/tests/system/auth/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/auth/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -19,173 +19,171 @@ status=0 n=0 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "wait for zones to finish transferring to ns2 ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do +for i in 1 2 3 4 5 6 7 8 9 10; do ret=0 - for zone in example.com example.net - do - $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 + for zone in example.com example.net; do + $DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 done [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) # # If recursion is unrequested or unavailable, then cross-zone CNAME records # should not be followed. If both requested and available, they should be. # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || 
ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null 
|| ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) # # In-zone CNAME records should always be followed regardless of RD and RA. # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS 
+rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep 
"inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' 
dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' 
dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that CHAOS addresses are compared correctly ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n -lines=`wc -l < dig.out.test$n` +$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n +lines=$(wc -l $zonefile +cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP >$zonefile zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) 
@@ -35,20 +35,20 @@
 ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
 kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
-keyfile_to_static_ds $ksksby > trusted.conf
+keyfile_to_static_ds $ksksby >trusted.conf
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
-keyfile_to_static_ds $kskrev > trusted.conf
+keyfile_to_static_ds $kskrev >trusted.conf
 cp trusted.conf ../ns5/trusted.conf
-echo $zskact > ../active.key
-echo $zskvanish > ../vanishing.key
-echo $zskdel > ../del.key
-echo $zskinact > ../inact.key
-echo $zskunpub > ../unpub.key
-echo $zsknopriv > ../nopriv.key
-echo $zsksby > ../standby.key
-echo $zskactnowpub1d > ../activate-now-publish-1day.key
-$REVOKE -R $kskrev > ../rev.key
+echo $zskact >../active.key
+echo $zskvanish >../vanishing.key
+echo $zskdel >../del.key
+echo $zskinact >../inact.key
+echo $zskunpub >../unpub.key
+echo $zsknopriv >../nopriv.key
+echo $zsksby >../standby.key
+echo $zskactnowpub1d >../activate-now-publish-1day.key
+$REVOKE -R $kskrev >../rev.key
diff -Nru bind9-9.16.44/bin/tests/system/autosign/ns2/keygen.sh bind9-9.16.48/bin/tests/system/autosign/ns2/keygen.sh
--- bind9-9.16.44/bin/tests/system/autosign/ns2/keygen.sh 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/autosign/ns2/keygen.sh 2024-02-11 11:31:39.000000000 +0000
@@ -15,52 +15,50 @@
 . $SYSTEMTESTTOP/conf.sh
 # Have the child generate subdomain keys and pass DS sets to us.
-( cd ../ns3 && $SHELL keygen.sh )
+(cd ../ns3 && $SHELL keygen.sh)
 for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
- nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
- cdnskey-delete
-do
- cp ../ns3/dsset-$subdomain.example$TP .
+ nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
+ cdnskey-delete; do
+ cp ../ns3/dsset-$subdomain.example$TP .
 done
 # Create keys and pass the DS to the parent.
 zone=example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-cat $infile dsset-*.example$TP > $zonefile
+cat $infile dsset-*.example$TP >$zonefile
 kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
-$DSFROMKEY $kskname.key > dsset-${zone}$TP
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
+$DSFROMKEY $kskname.key >dsset-${zone}$TP
 # Create keys for a private secure zone.
 zone=private.secure.example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
-keyfile_to_static_ds $ksk > private.conf
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
+keyfile_to_static_ds $ksk >private.conf
 cp private.conf ../ns4/private.conf
-$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null
 # Extract saved keys for the revoke-to-duplicate-key test
 zone=bar
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-cat $infile > $zonefile
+cat $infile >$zonefile
 for i in Xbar.+013+59973.key Xbar.+013+59973.private \
- Xbar.+013+60101.key Xbar.+013+60101.private
-do
- cp $i $(echo $i | sed s/X/K/)
+ Xbar.+013+60101.key Xbar.+013+60101.private; do
+ cp $i $(echo $i | sed s/X/K/)
 done
-$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
-$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
+$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null
+$DSFROMKEY Kbar.+013+60101.key >dsset-bar$TP
 # a zone with empty non-terminals.
 zone=optout-with-ent
 zonefile=optout-with-ent.db
 infile=optout-with-ent.db.in
-cat $infile > $zonefile
+cat $infile >$zonefile
 kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
-$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null
diff -Nru bind9-9.16.44/bin/tests/system/autosign/ns3/keygen.sh bind9-9.16.48/bin/tests/system/autosign/ns3/keygen.sh
--- bind9-9.16.44/bin/tests/system/autosign/ns3/keygen.sh 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/autosign/ns3/keygen.sh 2024-02-11 11:31:39.000000000 +0000
@@ -16,43 +16,43 @@
 SYSTESTDIR=autosign
-dumpit () {
- echo_d "${debug}: dumping ${1}"
- cat "${1}" | cat_d
+dumpit() {
+ echo_d "${debug}: dumping ${1}"
+ cat "${1}" | cat_d
 }
-setup () {
- echo_i "setting up zone: $1"
- debug="$1"
- zone="$1"
- zonefile="${zone}.db"
- infile="${zonefile}.in"
- n=$((${n:-0} + 1))
+setup() {
+ echo_i "setting up zone: $1"
+ debug="$1"
+ zone="$1"
+ zonefile="${zone}.db"
+ infile="${zonefile}.in"
+ n=$((${n:-0} + 1))
 }
 setup secure.example
 cp $infile $zonefile
-ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # NSEC3/NSEC test zone
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # NSEC3/NSEC3 test zone
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # Jitter/NSEC3 test zone
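Review bot: A failed key generation is only logged here, not stopped: in `ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out` the fallback dumps kg.out and, unless `dumpit` returns non-zero under `set -e` (neither is visible in this hunk), the script carries on to `$DSFROMKEY $ksk.key >dsset-${zone}$TP` with an empty `$ksk`. A zone set up without its keys or DS set can make later DNSSEC checks fail for an unrelated reason, or pass without exercising signing at all, so I would stop at the first failure, e.g. `... 2>kg.out) || { dumpit kg.out; exit 1; }`. The same pattern repeats in the later hunks of this file (`@@ -74,98 +73,100 @@` and `@@ -175,52 +176,51 @@`), including the `$SIGNER ... >s.out || dumpit s.out` lines.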
@@ -60,10 +60,9 @@
 setup jitter.nsec3.example
 cp $infile $zonefile
 count=1
-while [ $count -le 1000 ]
-do
- echo "label${count} IN TXT label${count}" >> $zonefile
- count=$((count + 1))
+while [ $count -le 1000 ]; do
+ echo "label${count} IN TXT label${count}" >>$zonefile
+ count=$((count + 1))
 done
 # Don't create keys just yet, because the scenario we want to test
 # is an unsigned zone that has a NSEC3PARAM record added with
@@ -74,98 +73,100 @@
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # A nsec3 zone (non-optout).
 #
 setup nsec3.example
-cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+cat $infile dsset-*.${zone}$TP >$zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # An NSEC3 zone, with NSEC3 parameters set prior to signing
 #
 setup autonsec3.example
-cat $infile > $zonefile
-ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-echo $ksk > ../autoksk.key
-zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
-echo $zsk > ../autozsk.key
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+cat $infile >$zonefile
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+echo $ksk >../autoksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out
+echo $zsk >../autozsk.key
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # OPTOUT/NSEC test zone
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # OPTOUT/NSEC3 test zone
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # OPTOUT/OPTOUT test zone
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # A optout nsec3 zone.
 #
 setup optout.example
-cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+cat $infile dsset-*.${zone}$TP >$zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # A RSASHA256 zone.
 #
 setup rsasha256.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # A RSASHA512 zone.
 #
 setup rsasha512.example
 cp $infile $zonefile
-ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
-$DSFROMKEY $ksk.key > dsset-${zone}$TP
+ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key >dsset-${zone}$TP
 #
 # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
 # None of these algorithms are supported for signing in FIPS mode
 # as they are MD5 and SHA1 based.
 #
-if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
-then
- setup nsec-only.example
- cp $infile $zonefile
- ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
- $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
- $DSFROMKEY $ksk.key > dsset-${zone}$TP
+if (
+ cd ..
+ SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1
+); then
+ setup nsec-only.example
+ cp $infile $zonefile
+ ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out
+ $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out
+ $DSFROMKEY $ksk.key >dsset-${zone}$TP
 else
- echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
+ echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
 fi
 #
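Review bot: The reflowed subshell for the RSASHA1 probe runs `cd ..` and the `testcrypto.sh` call as two independent commands, so a failed `cd` is ignored and `../testcrypto.sh` is then looked up from the wrong directory. As far as this hunk shows, that failure would fall into the `else` branch and report the nsec-only.example zone as skipped because RSASHA1 is unsupported, which hides the real cause. Chaining the two keeps the probe's result tied to the directory change: `cd .. && SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1`.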
@@ -175,52 +176,51 @@ setup oldsigs.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out mv $zonefile.signed $zonefile # # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test # removal of keys on schedule. 
# setup secure-to-insecure2.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../del1.key -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../del1.key +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../del2.key +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Introducing a pre-published key test. # setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Key TTL tests. 
@@ -228,46 +228,46 @@ # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out -cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out +cat ${infile} K${zone}.+*.key >$zonefile +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../delayksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > 
../delayzsk.key +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../delayksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../delayzsk.key # # A zone with signatures that are already expired, and the private KSK # is missing. # setup noksk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../noksk-ksk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../noksk-ksk.key rm -f ${ksk}.private # @@ -275,11 +275,11 @@ # is missing. # setup nozsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../nozsk-ksk.key -echo $zsk > ../nozsk-zsk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../nozsk-ksk.key +echo $zsk >../nozsk-zsk.key rm -f ${zsk}.private # 
@@ -287,77 +287,77 @@ # is inactive. # setup inaczsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../inaczsk-ksk.key -echo $zsk > ../inaczsk-zsk.key -$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../inaczsk-ksk.key +echo $zsk >../inaczsk-zsk.key +$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out # # A zone that is set to 'auto-dnssec maintain' during a reconfig # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out # # A zone which generates CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP -echo ns3/$ksk > ../sync.key +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP +echo ns3/$ksk >../sync.key # # A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly # setup kskonly.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || 
dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # A zone that has a published inactive key that is autosigned. # setup inacksk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # A zone that has a published inactive key that is autosigned. # setup inaczsk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # A zone that starts with a active KSK + ZSK and a inactive ZSK. 
# setup inacksk3.example cp $infile $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the 
@@ -365,28 +365,28 @@ # setup delzsk.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out -echo $zsk > ../delzsk.key +echo $zsk >../delzsk.key # # Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # Check that dynamically added CDS (DELETE) is kept in the zone after signing. # setup cds-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP # # Check that dynamically added CDNSKEY (DELETE) is kept in the zone after 
@@ -394,6 +394,6 @@ # setup cdnskey-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}$TP +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}$TP diff -Nru bind9-9.16.44/bin/tests/system/autosign/ns3/named.conf.in bind9-9.16.48/bin/tests/system/autosign/ns3/named.conf.in --- bind9-9.16.44/bin/tests/system/autosign/ns3/named.conf.in 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/autosign/ns3/named.conf.in 2024-02-11 11:31:39.000000000 +0000 @@ -167,6 +167,7 @@ type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + max-journal-size 10M; auto-dnssec maintain; }; diff -Nru bind9-9.16.44/bin/tests/system/autosign/tests.sh bind9-9.16.48/bin/tests/system/autosign/tests.sh --- bind9-9.16.44/bin/tests/system/autosign/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/autosign/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -21,11 +21,11 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" # convert private-type records to readable form -showprivate () { - echo "-- $@ --" - $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | - while read record; do - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' \ + | while read record; do + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; 
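Review bot: The added `max-journal-size 10M;` in the zone served from `nsec3-to-nsec.example.db` (the named.conf.in hunk) has no comment, so a reader cannot tell which test behaviour depends on the cap. The zone block opens outside the hunk, but the visible context shows `allow-update { any; };` and `auto-dnssec maintain;`, so this journal is written by both dynamic updates and automatic re-signing. Presumably the limit is there to exercise journal compaction during the NSEC3->NSEC transition or to bound disk use in the test directory; that should be confirmed against the release's CHANGES file. I would add a line above it such as `/* cap the journal for the nsec3-to-nsec test; see CHANGES <entry-number> */`, with the real entry number filled in.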
@@ -33,103 +33,99 @@ my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' $record - done + done } # check that signing records are marked as complete -checkprivate () { - _ret=0 - expected="${3:-0}" - x=$(showprivate "$@") - echo $x | grep incomplete > /dev/null && _ret=1 - - if [ $_ret = $expected ]; then - return 0 - fi - - echo "$x" - echo_i "failed" - return 1 +checkprivate() { + _ret=0 + expected="${3:-0}" + x=$(showprivate "$@") + echo $x | grep incomplete >/dev/null && _ret=1 + + if [ $_ret = $expected ]; then + return 0 + fi + + echo "$x" + echo_i "failed" + return 1 } # wait until notifies for zone $1 are sent by server $2. This is an indication # that the zone is signed with the active keys, and the changes have been # committed. -wait_for_notifies () { - wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 +wait_for_notifies() { + wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 } freq() { - _file=$1 - # remove first and last line that has incomplete set and skews the distribution - awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d' + _file=$1 + # remove first and last line that has incomplete set and skews the distribution + awk '$4 == "RRSIG" {print substr($9,1,8)}' <"$_file" | sort | uniq -c | sed '1d;$d' } # Check the signatures expiration times. First check how many signatures # there are in total ($rrsigs). Then see what the distribution of signature # expiration times is ($expiretimes). Ignore the time part for a better # modelled distribution. -checkjitter () { - _file=$1 - _ret=0 - - if ! 
command -v bc >/dev/null 2>&1; then - echo_i "skip: bc not available" - return 0 - fi - - freq "$_file" | cat_i - _expiretimes=$(freq "$_file" | awk '{print $1}') - - _count=0 - # Check if we have at least 4 days - # This number has been tuned for `sig-validity-interval 10 2`, as - # 1 signature expiration dates should be spread out across at most 8 (10-2) days - # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days - # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) - for _num in $_expiretimes - do - _count=$((_count+1)) - done - if [ "$_count" -lt 4 ]; then - echo_i "error: not enough categories" - return 1 - fi - - # Calculate mean - _total=0 - for _num in $_expiretimes - do - _total=$((_total+_num)) - done - _mean=$(($_total / $_count)) - - # Calculate stddev - _stddev=0 - for _num in $_expiretimes - do - _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) - done - _stddev=$(echo "sqrt($_stddev/$_count)" | bc) - - # We expect the number of signatures not to exceed the mean +- 3 * stddev. - _limit=$((_stddev*3)) - _low=$((_mean-_limit)) - _high=$((_mean+_limit)) - # Find outliers. - echo_i "checking whether all frequencies fall into <$_low;$_high> range" - for _num in $_expiretimes - do - if [ $_num -gt $_high ]; then - echo_i "error: too many RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - if [ $_num -lt $_low ]; then - echo_i "error: too few RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - done +checkjitter() { + _file=$1 + _ret=0 + + if ! command -v bc >/dev/null 2>&1; then + echo_i "skip: bc not available" + return 0 + fi + + freq "$_file" | cat_i + _expiretimes=$(freq "$_file" | awk '{print $1}') + + _count=0 + # Check if we have at least 4 days + # This number has been tuned for `sig-validity-interval 10 2`, as + # 1 signature expiration dates should be spread out across at most 8 (10-2) days + # 2. 
we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days + # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) + for _num in $_expiretimes; do + _count=$((_count + 1)) + done + if [ "$_count" -lt 4 ]; then + echo_i "error: not enough categories" + return 1 + fi + + # Calculate mean + _total=0 + for _num in $_expiretimes; do + _total=$((_total + _num)) + done + _mean=$(($_total / $_count)) + + # Calculate stddev + _stddev=0 + for _num in $_expiretimes; do + _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) + done + _stddev=$(echo "sqrt($_stddev/$_count)" | bc) + + # We expect the number of signatures not to exceed the mean +- 3 * stddev. + _limit=$((_stddev * 3)) + _low=$((_mean - _limit)) + _high=$((_mean + _limit)) + # Find outliers. + echo_i "checking whether all frequencies fall into <$_low;$_high> range" + for _num in $_expiretimes; do + if [ $_num -gt $_high ]; then + echo_i "error: too many RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + if [ $_num -lt $_low ]; then + echo_i "error: too few RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + done - return $_ret + return $_ret } # 
@@ -140,34 +136,30 @@ # echo_i "waiting for autosign changes to take effect" i=0 -while [ $i -lt 30 ] -do - ret=0 - # - # Wait for the root DNSKEY RRset to be fully signed. - # - $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 - grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 - for z in . - do - $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 - grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 - done - for z in bar. example. private.secure.example. optout-with-ent. - do - $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 - grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 - done - for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example noksk.example nozsk.example - do - $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 - grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 - done - i=$((i + 1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 2 +while [ $i -lt 30 ]; do + ret=0 + # + # Wait for the root DNSKEY RRset to be fully signed. + # + $DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1 + grep "ANSWER: 10," dig.out.ns1.test$n >/dev/null || ret=1 + for z in .; do + $DIG $DIGOPTS $z @10.53.0.1 nsec >dig.out.ns1.test$n || ret=1 + grep "NS SOA" dig.out.ns1.test$n >/dev/null || ret=1 + done + for z in bar. example. private.secure.example. optout-with-ent.; do + $DIG $DIGOPTS $z @10.53.0.2 nsec >dig.out.ns2.test$n || ret=1 + grep "NS SOA" dig.out.ns2.test$n >/dev/null || ret=1 + done + for z in bar. example. inacksk2.example. inacksk3.example \ + inaczsk2.example. inaczsk3.example noksk.example nozsk.example; do + $DIG $DIGOPTS $z @10.53.0.3 nsec >dig.out.ns3.test$n || ret=1 + grep "NS SOA" dig.out.ns3.test$n >/dev/null || ret=1 + done + i=$((i + 1)) + if [ $ret = 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "done"; fi 
@@ -177,20 +169,17 @@ ($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" -for z in . -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in .; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in bar. example. private.secure.example. -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in bar. example. private.secure.example.; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done # Set logfile offset for wait_for_log usage. 
@@ -204,14 +193,14 @@ echo_ic "is initially signed with a KSK and not a ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n >/dev/null || ret=1 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } @@ -227,7 +216,7 @@ id=$(awk "${awk}" dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) 
@@ -241,11 +230,11 @@ echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" echo_ic "is initially signed with a ZSK and not a KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n >/dev/null || ret=1 +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) @@ -257,7 +246,7 @@ id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -266,24 +255,24 @@ echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" ret=0 # these commands should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" ret=0 -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "converting zones from nsec to nsec3" -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking for nsec3param signing record ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list autonsec3.example. 
> signing.out.test$n 2>&1 -grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 +grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "resetting nsec3param via rndc signing ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. >/dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. >/dev/null 2>&1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 - grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=$(grep "Pending " signing.out.test$n | wc -l) - [ $num -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 + grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n >/dev/null || ret=1 + num=$(grep "Pending " signing.out.test$n | wc -l) + [ $num -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -358,15 +346,15 @@ echo_i "signing preset nsec3 zone" zsk=$(cat autozsk.key) ksk=$(cat autoksk.key) -$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now -A now $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now -A now $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 echo_i "converting zone from nsec3 to nsec" -$NSUPDATE > /dev/null 2>&1 << END || status=1 +$NSUPDATE >/dev/null 2>&1 < dig.out.test$n - nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)" - if [ "$nearest_expiration" -le "$now" ]; then - echo_i "failed: $nearest_expiration <= $now" - return 1 - fi + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n + nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -455,7 +443,7 @@ # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0 -$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -463,38 +451,37 @@ echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" ret=0 -$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.ok.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking direct NSEC3 autosigning succeeded ($n)" ret=0 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 -[ -s dig.out.ns3.ok.test$n ] || ret=1 -grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1 +[ -s dig.out.ns3.ok.test$n ] || ret=1 +grep "NSEC3PARAM" dig.out.ns3.ok.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" ret=0 -if $SHELL ../testcrypto.sh -q RSASHA1 -then - grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 +if $SHELL ../testcrypto.sh -q RSASHA1; then + grep "failed: REFUSED" nsupdate.out >/dev/null || ret=1 else - echo_i "skip: RSASHA1 not supported" + echo_i "skip: RSASHA1 not supported" fi n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -503,39 +490,39 @@ echo_i "checking NSEC3->NSEC conversion succeeded ($n)" ret=0 # this command should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1 # this command should result in an empty file: no_nsec3param() ( - $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1 - grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1 - return 0 + $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || return 1 + grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && return 1 + return 0 ) retry_quiet 10 no_nsec3param || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (no default) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -544,7 +531,7 @@ echo_i "checking TTLs of imported DNSKEYs (with default) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -553,7 +540,7 @@ echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) 
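Review bot: In the "NSEC3->NSEC conversion with 'rndc signing -nsec3param none'" check, the line `$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1` ignores the exit status and discards everything rndc prints. A rejected command is then only noticed as a `retry_quiet 10 no_nsec3param` timeout, with nothing in the test log to say why. The other rndc calls in this file send their output to the log, and the same form fits here: `($RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1`. That pipeline reports the status of `cat_i` rather than of rndc, so the retry remains the real pass/fail signal and the gain is the diagnostic output.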
@@ -562,7 +549,7 @@ echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -571,10 +558,10 @@ echo_i "checking positive validation NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -582,11 +569,11 @@ echo_i "checking positive validation NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -594,22 +581,22 @@ echo_i "checking positive validation OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -617,12 +604,12 @@ echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth q.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth q.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -630,25 +617,25 @@ echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth q.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth q.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -656,13 +643,13 @@ echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -670,13 +657,13 @@ echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -685,12 +672,12 @@ echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -698,13 +685,13 @@ echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -714,12 +701,12 @@ echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -727,12 +714,12 @@ echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -740,12 +727,12 @@ echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -753,12 +740,12 @@ echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -766,12 +753,12 @@ echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -779,12 +766,12 @@ echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -792,12 +779,12 @@ echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -805,12 +792,12 @@ echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -818,12 +805,12 @@ echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -831,11 +818,11 @@ echo_i "checking empty NODATA OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth empty.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -846,13 +833,13 @@ echo_i "checking 2-server insecurity proof ($n)" ret=0 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -861,43 +848,43 @@ echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ - || ret=1 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ - || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ + || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking security root query ($n)" ret=0 -$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS . @10.53.0.4 key >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -905,12 +892,12 @@ echo_i "checking that positive validation in a privately secure zone works ($n)" ret=0 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -918,22 +905,22 @@ echo_i "checking that negative validation in a privately secure zone works ($n)" ret=0 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking privately secure to nxdomain works ($n)" ret=0 -$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -943,9 +930,9 @@ echo_i "checking that validation returns insecure due to revoked trusted key ($n)" ret=0 -$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1 -grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "flags:.*; QUERY" dig.out.ns5.test$n >/dev/null || ret=1 +grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -953,8 +940,8 @@ echo_i "checking that revoked key is present ($n)" ret=0 id=$(cat rev.key) -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -962,8 +949,8 @@ echo_i "checking that revoked key self-signs ($n)" ret=0 id=$(cat rev.key) -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -971,8 +958,8 @@ echo_i "checking for unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat unpub.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -980,8 +967,8 @@ echo_i "checking for activated but unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -989,8 +976,8 @@ echo_i "checking that standby key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat standby.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -998,8 +985,8 @@ echo_i "checking that deactivated key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat inact.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1009,7 +996,7 @@ id=$(keyfile_to_key_id "$(cat nopriv.key)") file="ns1/$(cat nopriv.key).key" keydata=$(grep DNSKEY $file) -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1026,27 +1013,27 @@ echo_i "checking key deletion ($n)" ret=0 id=$(keyfile_to_key_id "$(cat del.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking secure-to-insecure transition, nsupdate ($n)" ret=0 -$NSUPDATE > /dev/null 2>&1 </dev/null 2>&1 < dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1055,17 +1042,17 @@ echo_i "checking secure-to-insecure transition, scheduled ($n)" ret=0 file="ns3/$(cat del1.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.1 || ret=1 file="ns3/$(cat del2.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.2 || ret=1 ($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
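Review bot: The `ret=0` at the top of the `for i in 0 1 2 3 4 5 6 7 8 9; do` retry loop in the "secure-to-insecure transition, scheduled" check overwrites any `ret=1` already set by the two `$SETTIME -I now -D now $file` lines and the `$RNDCCMD 10.53.0.3 sign` line above it. The final verdict therefore depends only on the last AXFR attempt, and a setup failure is recorded only if the transfer also happens to fail. Keeping the setup result apart preserves it: `setup_ret=$ret` before the loop and `[ $setup_ret -eq 0 ] || ret=1` after `done`. The retry loop in the preceding "secure-to-insecure transition, nsupdate" hunk appears to have the same shape, though part of that hunk is missing from this page.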
@@ -1074,7 +1061,7 @@ echo_i "checking jitter in a newly signed NSEC3 zone ($n)" ret=0 # Use DNS UPDATE to add an NSEC3PARAM record into the zone. -$NSUPDATE > nsupdate.out.test$n 2>&1 <nsupdate.out.test$n 2>&1 < /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example >/dev/null # Trigger zone signing. ($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 # Wait until zone has been signed. check_if_nsec3param_exists() { - $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1 - grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 >dig.out.ns3.1.test$n || return 1 + grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 } retry_quiet 40 check_if_nsec3param_exists || { - echo_i "error: NSEC3PARAM not present yet" - ret=1 + echo_i "error: NSEC3PARAM not present yet" + ret=1 } -$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 +$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 # Check jitter distribution. checkjitter dig.out.ns3.2.test$n || ret=1 n=$((n + 1)) 
@@ -1106,17 +1093,16 @@ oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}') oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example >/dev/null ($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 newserial=$oldserial try=0 -while [ $oldserial -eq $newserial -a $try -lt 42 ] -do - newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | - awk '$0 !~ /SOA/ {print $3}') - sleep 1 - try=$((try + 1)) +while [ $oldserial -eq $newserial -a $try -lt 42 ]; do + newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 \ + | awk '$0 !~ /SOA/ {print $3}') + sleep 1 + try=$((try + 1)) done newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) #echo "$oldserial : $newserial" @@ -1139,8 +1125,8 @@ oldid=$(keyfile_to_key_id "$(cat active.key)") newfile=$(cat standby.key) newid=$(keyfile_to_key_id "$(cat standby.key)") -$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1 -$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1 +$SETTIME -K ns1 -I now+2s -D now+25 $oldfile >settime.out.test$n.1 || ret=1 +$SETTIME -K ns1 -i 0 -S $oldfile $newfile >settime.out.test$n.2 || ret=1 # note previous zone serial number oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') @@ -1149,7 +1135,7 @@ sleep 4 echo_i "revoking key to duplicated key ID" -$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1 +$SETTIME -R now -K ns2 Kbar.+013+59973.key >settime.out.test$n.3 || ret=1 ($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 
@@ -1158,17 +1144,17 @@ echo_i "checking former standby key $newid is now active ($n)" ret=0 -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking former standby key has only signed incrementally ($n)" ret=0 -$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 -grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 +grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1183,9 +1169,8 @@ checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1 checkprivate nsec3.optout.example 10.53.0.3 || ret=1 checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1 -if $SHELL ../testcrypto.sh -q RSASHA1 -then - checkprivate nsec-only.example 10.53.0.3 || ret=1 +if $SHELL ../testcrypto.sh -q RSASHA1; then + checkprivate nsec-only.example 10.53.0.3 || ret=1 fi checkprivate oldsigs.example 10.53.0.3 || ret=1 checkprivate optout.example 10.53.0.3 || ret=1 @@ -1214,8 +1199,8 @@ echo_i "checking former standby key has now signed fully ($n)" ret=0 -$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1233,11 +1218,11 @@ zsk=$(cat delayzsk.key) ksk=$(cat delayksk.key) # publication and activation times should be unset -$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -pA -pP $zsk >settime.out.test$n.zsk || ret=1 grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1 -$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -pA -pP $ksk >settime.out.test$n.ksk || ret=1 grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1 -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 # DNSKEY not expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1 n=$((n + 1)) @@ -1248,14 +1233,14 @@ ret=0 # Ensure initial zone is loaded. wait_for_notifies "delay.example" "ns3" || ret=1 -$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_notifies "delay.example" "ns3" || ret=1 -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1 # RRSIG not expected: 
@@ -1266,19 +1251,19 @@ echo_i "checking scheduled key activation ($n)" ret=0 -$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -A now+3s $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -A now+3s $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_log 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run check_is_signed() { - $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.1.test$n || return 1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 # RRSIG expected: awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 - $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1 + $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 >dig.out.ns3.2.test$n || return 1 # A expected: awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1 # RRSIG expected: @@ -1298,12 +1283,15 @@ now=$($PERL -e 'print time(), "\n";') sleep=$((starttime + 29 - now)) case $sleep in --*|0);; -*) echo_i "waiting for timer to have activated"; sleep $sleep;; + -* | 0) ;; + *) + echo_i "waiting for timer to have activated" + sleep $sleep + ;; esac ret=0 -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$oldid"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
@@ -1311,8 +1299,8 @@ echo_i "checking private key file removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1321,12 +1309,12 @@ ret=0 id=59973 rid=60101 -$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns2.test$n >/dev/null && ret=1 keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l) test $keys -eq 2 || ret=1 -$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey bar @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1344,10 +1332,10 @@ # this confirms that key events are never scheduled more than # 'dnssec-loadkeys-interval' minutes in the future, and that the # event scheduled is within 10 seconds of expected interval. -check_interval () { - awk '/next key event/ {print $2 ":" $9}' $1/named.run | - sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' | - awk -F: ' +check_interval() { + awk '/next key event/ {print $2 ":" $9}' $1/named.run \ + | sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' \ + | awk -F: ' { x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); # abs(x) < 1000 ms treat as 'now' 
@@ -1365,7 +1353,7 @@ exit (1); } END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 - return $? + return $? } echo_i "checking automatic key reloading interval ($n)" @@ -1391,8 +1379,8 @@ ret=0 chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1 ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 -$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1407,12 +1395,12 @@ ($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 rndc_reconfig ns3 10.53.0.3 for i in 0 1 2 3 4 5 6 7 8 9; do - lret=0 - rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) - [ "$rekey_calls" -gt 0 ] || lret=1 - if [ "$lret" -eq 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 1 + lret=0 + rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) + [ "$rekey_calls" -gt 0 ] || lret=1 + if [ "$lret" -eq 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 1 done n=$((n + 1)) if [ "$lret" != 0 ]; then ret=$lret; fi 
@@ -1421,19 +1409,19 @@ echo_i "test CDS and CDNSKEY auto generation ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n -grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1 -grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n +grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n >/dev/null || ret=1 +grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) 
@@ -1446,9 +1434,9 @@ echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) @@ -1460,16 +1448,16 @@ status=$((status + ret)) echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" -$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -D sync now $(cat sync.key) >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "checking that the CDS and CDNSKEY are deleted ($n)" ret=0 ensure_cds_and_cdnskey_are_deleted() { - $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 - $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 + $DIG $DIGOPTS @10.53.0.3 sync.example. CDS >dig.out.ns3.cdstest$n || return 1 + awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 + $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY >dig.out.ns3.cdnskeytest$n || return 1 + awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 } retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 n=$((n + 1)) 
@@ -1478,7 +1466,7 @@ echo_i "check that dnssec-settime -p Dsync works ($n)" ret=0 -$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -p Dsync $(cat sync.key) >settime.out.test$n || ret=1 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1486,7 +1474,7 @@ echo_i "check that dnssec-settime -p Psync works ($n)" ret=0 -$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -p Psync $(cat sync.key) >settime.out.test$n || ret=1 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1494,17 +1482,17 @@ echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ) +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
@@ -1512,8 +1500,8 @@ echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n -grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n +grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1526,12 +1514,12 @@ echo_ic "is now signed with the ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } 
@@ -1554,10 +1542,10 @@ echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" echo_ic "is now signed with the KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) 
@@ -1573,45 +1561,45 @@ echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 # Switch the zone over to NSEC3 and wait until the transition is complete. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. >signing.out.1.test$n 2>&1 || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1 - grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1 - if [ $? -eq 0 ]; then - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1 - grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1 - if [ $? -ne 0 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 >dig.out.ns3.1.test$n 2>&1 || ret=1 + grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n >/dev/null 2>&1 + if [ $? -eq 0 ]; then + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.2.test$n 2>&1 + grep "Creating NSEC3 chain " signing.out.2.test$n >/dev/null 2>&1 + if [ $? -ne 0 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for NSEC3 chain creation" - ret=1 + echo_i "timed out waiting for NSEC3 chain creation" + ret=1 fi # Mark the inactive ZSK as pending removal. file="ns3/$(cat delzsk.key).key" -$SETTIME -D now-1h $file > settime.out.test$n || ret=1 +$SETTIME -D now-1h $file >settime.out.test$n || ret=1 # Trigger removal of the inactive ZSK and wait until its completion. ($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 - grep "Signing " signing.out.3.test$n > /dev/null 2>&1 - if [ $? 
-ne 0 ]; then - if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.3.test$n 2>&1 + grep "Signing " signing.out.3.test$n >/dev/null 2>&1 + if [ $? -ne 0 ]; then + if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for key removal" - ret=1 + echo_i "timed out waiting for key removal" + ret=1 fi # Check whether key removal caused NSEC3 records to be erroneously created for # glue records due to a secure delegation already being signed by the active key 
@@ -1622,26 +1610,26 @@ # $ nsec3hash 12345678 1 10 ns.sub.delzsk.example. # 589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10) # -$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1 -grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 >dig.out.ns3.3.test$n || ret=1 +grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" ret=0 -$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that DNAME is not treated as a delegation when signing ($n)" ret=0 -$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1 -$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n >/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. 
TXT @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1665,7 +1653,7 @@ echo_i "checking that CDS (DELETE) persists after zone sign ($n)" echo_i "update add cds-delete.example. CDS 0 0 00" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 ) _cdnskey_delete_nx() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 } echo_i "query cds-delete.example. CDS" @@ -1690,7 +1678,7 @@ echo_i "sign cds-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cds-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run # The CDS (DELETE) record should still be here. echo_i "query cds-delete.example. CDS" 
@@ -1706,7 +1694,7 @@ echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 ) _cdnskey_delete() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 } echo_i "query cdnskey-delete.example. CDNSKEY" @@ -1731,7 +1719,7 @@ echo_i "sign cdsnskey-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run # The CDNSKEY (DELETE) record should still be here. echo_i "query cdnskey-delete.example. CDNSKEY" 
@@ -1749,40 +1737,53 @@ zone=optout-with-ent hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL # check that NSEC3 for ENT is present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1 # remove first delegation of two delegations, NSEC3 for ENT should remain. ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub1.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub1.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is still present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1 # remove second delegation of two delegations, NSEC3 for ENT should be deleted. 
( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub2.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub2.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is gone present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n -grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n >/dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \ + | awk 'BEGIN { private=0; rrsig=0; ok=0 } +$1 == "del" && $5 == "SOA" { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } } +$1 == "add" && $5 == "TYPE65534" { private=1 } +$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { rrsig=1 } +END { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } else { exit (1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/builtin/tests.sh bind9-9.16.48/bin/tests/system/builtin/tests.sh --- bind9-9.16.44/bin/tests/system/builtin/tests.sh 2023-09-08 
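Review bot: The final AXFR check in the `optout-with-ent` block can pass without ever seeing the zone. `$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n` has no `|| ret=1`, and the only test on its output is the negative `grep "^${hash}.${zone}." ... && ret=1`, which also succeeds when the transfer failed or came back empty. I would write `$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n || ret=1` and, because dig's exit status may not reflect a refused transfer, add a positive match on a record that must be present, for example `grep "SOA" dig.out.axfr.ns2.test$n >/dev/null || ret=1`. In the added NSEC3-to-NSEC journal test, `ok=0` in the awk `BEGIN` block is never read and can be dropped.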
12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/builtin/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -121,127 +121,166 @@ EMPTY.AS112.ARPA HOME.ARPA" -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 count=0 echo_i "Checking expected empty zones were configured ($n)" -for zone in ${emptyzones} -do - grep "automatic empty zone: $zone" ns1/named.run > /dev/null || { - echo_i "failed (empty zone $zone missing)" - ret=1 - } - count=`expr $count + 1` +for zone in ${emptyzones}; do + grep "automatic empty zone: $zone" ns1/named.run >/dev/null || { + echo_i "failed (empty zone $zone missing)" + ret=1 + } + count=$(expr $count + 1) done -lines=`grep "automatic empty zone: " ns1/named.run | wc -l` +lines=$(grep "automatic empty zone: " ns1/named.run | wc -l) test $count -eq $lines -a $count -eq 99 || { - ret=1; echo_i "failed (count mismatch)"; + ret=1 + echo_i "failed (count mismatch)" } -if [ $ret != 0 ] ; then status=`expr $status + $ret`; fi +if [ $ret != 0 ]; then status=$(expr $status + $ret); fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Checking that reconfiguring empty zones is silent ($n)" $RNDCCMD 10.53.0.1 reconfig ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +grep "zone serial (0) unchanged." 
ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Checking that reloading empty zones is silent ($n)" rndc_reload ns1 10.53.0.1 ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -HOST_NAME=`$FEATURETEST --gethostname` +HOST_NAME=$($FEATURETEST --gethostname) BIND_VERSION_STRING=$($NAMED -V | head -1) BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p') -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that default version works for rndc ($n)" -$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that custom version works for rndc ($n)" -$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; 
status=`expr $status + $ret`; fi +$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that default version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that custom version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n -grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n +grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that default hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that custom hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch 
@10.53.0.3 > dig.out.ns3.$n -grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n +grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that default server-id is none for query ($n)" -$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that server-id hostname works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n -grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n +grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n -grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n +grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 
0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that custom server-id works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n -grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n +grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "Checking that custom server-id works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n -grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n +grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$(expr $status + $ret) +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/cacheclean/tests.sh bind9-9.16.48/bin/tests/system/cacheclean/tests.sh --- bind9-9.16.44/bin/tests/system/cacheclean/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/cacheclean/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -22,12 +22,12 @@ +nostat @10.53.0.2 -p ${PORT}" # fill the cache with nodes from flushtest.example zone -load_cache () { - # empty all existing cache data - $RNDC $RNDCOPTS flush +load_cache() { + # empty all existing cache data + $RNDC $RNDCOPTS flush - # load the positive cache entries - $DIG $DIGOPTS -f - << EOF > /dev/null 2>&1 + # load the positive cache entries + $DIG $DIGOPTS -f - </dev/null 2>&1 txt top1.flushtest.example txt second1.top1.flushtest.example txt third1.second1.top1.flushtest.example 
@@ -46,42 +46,42 @@ txt second3.top3.flushtest.example EOF - # load the negative cache entries - # nxrrset: - $DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null - # nxdomain: - $DIG $DIGOPTS txt top4.flushtest.example > /dev/null - # empty nonterminal: - $DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null - - # sleep 2 seconds ensure the TTLs will be lower on cached data - sleep 2 -} - -dump_cache () { - rndc_dumpdb ns2 -cache _default -} - -clear_cache () { - $RNDC $RNDCOPTS flush -} - -in_cache () { - ttl=`$DIG $DIGOPTS "$@" | awk '{print $2}'` - [ -z "$ttl" ] && { - ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'` - [ "$ttl" -ge 3599 ] && return 1 - return 0 - } - [ "$ttl" -ge 3599 ] && return 1 - return 0 + # load the negative cache entries + # nxrrset: + $DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null + # nxdomain: + $DIG $DIGOPTS txt top4.flushtest.example >/dev/null + # empty nonterminal: + $DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null + + # sleep 2 seconds ensure the TTLs will be lower on cached data + sleep 2 +} + +dump_cache() { + rndc_dumpdb ns2 -cache _default +} + +clear_cache() { + $RNDC $RNDCOPTS flush +} + +in_cache() { + ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}') + [ -z "$ttl" ] && { + ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}') + [ "$ttl" -ge 3599 ] && return 1 + return 0 + } + [ "$ttl" -ge 3599 ] && return 1 + return 0 } # Extract records at and below name "$1" from the cache dump in file "$2". -filter_tree () { - tree="$1" - file="$2" - perl -n -e ' +filter_tree() { + tree="$1" + file="$2" + perl -n -e ' next if /^;/; if (/'"$tree"'/ || (/^\t/ && $print)) { $print = 1; 
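Review bot: In `filter_tree` at the end of this hunk, `$tree` is spliced directly into the Perl program text (`/'"$tree"'/`), so the name is read as a regular expression and as code rather than as data. The dots in `flushtest.example` match any character, and a value containing `/` or a quote would change the program itself. The callers visible in this diff pass only fixed names, so this is a robustness point for a test helper rather than an exposure. Passing the value through the environment keeps it as data: start the command as `TREE="$tree" perl -n -e '` and write the match as `if (/\Q$ENV{TREE}\E/ || (/^\t/ && $print)) {`. The body of `filter_tree` continues past the end of this hunk.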
@@ -92,39 +92,45 @@ ' "$file" } -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check correctness of routine cache cleaning ($n)" -$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1 +$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1 digcomp --lc dig.out.ns2 knowngood.dig.out || status=1 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "only one tcp socket was used ($n)" -tcpclients=`awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l` +tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l) -test $tcpclients -eq 1 || { status=1; echo_i "failed"; } +test $tcpclients -eq 1 || { + status=1 + echo_i "failed" +} -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "reset and check that records are correctly cached initially ($n)" ret=0 load_cache dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l` -[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; } +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) +[ $nrecords -eq 18 ] || { + ret=1 + echo_i "found $nrecords records expected 18" +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing of the full cache ($n)" ret=0 clear_cache dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l` +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l) [ $nrecords -eq 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing of individual nodes (interior node) ($n)" ret=0 clear_cache 
@@ -134,9 +140,9 @@ $RNDC $RNDCOPTS flushname top1.flushtest.example in_cache txt top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing of individual nodes (leaf node, under the interior node) ($n)" ret=0 # leaf node, under the interior node (should still exist) @@ -144,9 +150,9 @@ $RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example in_cache txt third2.second1.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing of individual nodes (another leaf node, with both positive and negative cache entries) ($n)" ret=0 # another leaf node, with both positive and negative cache entries @@ -156,16 +162,16 @@ in_cache a third1.second1.top1.flushtest.example && ret=1 in_cache txt third1.second1.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing a nonexistent name ($n)" ret=0 $RNDC $RNDCOPTS flushname fake.flushtest.example || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing of namespaces ($n)" ret=0 clear_cache 
@@ -190,79 +196,85 @@ in_cache txt second2.top2.flushtest.example && ret=1 in_cache txt second3.top2.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushing a nonexistent namespace ($n)" ret=0 $RNDC $RNDCOPTS flushtree fake.flushtest.example || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l` -[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; } +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l) +[ $nrecords -eq 17 ] || { + ret=1 + echo_i "found $nrecords records expected 17" +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check the check that flushname of a partial match works ($n)" ret=0 in_cache txt second2.top1.flushtest.example || ret=1 $RNDC $RNDCOPTS flushtree example in_cache txt second2.top1.flushtest.example && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache -nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l` -[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; } +nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) +[ $nrecords -eq 1 ] || { + ret=1 + echo_i "found $nrecords records expected 1" +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` 
+status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check flushtree clears adb correctly ($n)" ret=0 load_cache dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.a > sed.out.$n.a -grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1 + ns2/named_dump.db.test$n.a >sed.out.$n.a +grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1 $RNDC $RNDCOPTS flushtree flushtest.example || ret=1 dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.b > sed.out.$n.b -grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1 + ns2/named_dump.db.test$n.b >sed.out.$n.b +grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check expire option returned from primary zone ($n)" ret=0 -$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire -grep EXPIRE: dig.out.expire > /dev/null || ret=1 +$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr 
$n + 1) echo_i "check expire option returned from secondary zone ($n)" ret=0 -$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire -grep EXPIRE: dig.out.expire > /dev/null || ret=1 +$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/case/tests.sh bind9-9.16.48/bin/tests/system/case/tests.sh --- bind9-9.16.44/bin/tests/system/case/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/case/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -17,134 +17,132 @@ DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 n=0 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "waiting for zone transfer to complete ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing case preserving responses - no acl ($n)" ret=0 -$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)" ret=0 # check that we preserve zone case for non-matching query (10.53.0.1) -$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. 
-b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 # check that we don't preserve zone case for match (10.53.0.2) -$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n -grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1 -grep "mail.example" dig.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n +grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1 +grep "mail.example" dig.ns2.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n digcomp dig.ns1.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n digcomp dig.ns2.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "change SOA owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n digcomp dig.ns1.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "wait for zone to transfer ($n)" retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) 
-n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check SOA owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n digcomp dig.ns2.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) #update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "change A record owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE < dig.ns1.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n digcomp dig.ns1.test$n postns1.good || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 echo_i "wait for zone to transfer ($n)" retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1 test $ret -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check A owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n digcomp dig.ns2.test$n postns1.good || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/catz/tests.sh bind9-9.16.48/bin/tests/system/catz/tests.sh --- bind9-9.16.44/bin/tests/system/catz/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/catz/tests.sh 2024-02-11 11:31:39.000000000 +0000 
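Review bot: The two "waiting for zone transfer to complete" loops at the top of the case/tests.sh hunk set `ret=0` but never record a failure. A transfer that has not completed after nine tries is not reported at this step and would presumably surface only as a `digcomp` mismatch in a later test. Adding `grep SOA dig.ns2.test$n >/dev/null || ret=1` after each loop, followed by the usual `test $ret -eq 0 || echo_i "failed"` and `status=$(expr $status + $ret)`, would make the wait step fail on its own. Both loops also write to the same `dig.ns2.test$n`, so the output for `example.` is overwritten by the one for `dynamic.`. The last test in the hunk ("check A owner case is transferred to secondary") is the only one without the `echo_i "failed"` line.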
@@ -18,272 +18,272 @@ . "$SYSTEMTESTTOP/conf.sh" dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } rndccmd() ( - "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" ) _wait_for_message() ( - nextpartpeek "$1" > wait_for_message.$n - grep -F "$2" wait_for_message.$n >/dev/null + nextpartpeek "$1" >wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null ) wait_for_message() ( - retry_quiet 20 _wait_for_message "$@" + retry_quiet 20 _wait_for_message "$@" ) _wait_for_rcode() ( - rcode="$1" - qtype="$2" - ns="$3" - qname="$4" - file="$5" - shift 5 - dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 - grep "status: $rcode" "$file" >/dev/null + rcode="$1" + qtype="$2" + ns="$3" + qname="$4" + file="$5" + shift 5 + dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 + grep "status: $rcode" "$file" >/dev/null ) wait_for_rcode() ( - retry_quiet 10 _wait_for_rcode "$@" + retry_quiet 10 _wait_for_rcode "$@" ) wait_for_soa() ( - wait_for_rcode NOERROR SOA "$@" + wait_for_rcode NOERROR SOA "$@" ) wait_for_a() ( - wait_for_rcode NOERROR A "$@" + wait_for_rcode NOERROR A "$@" ) wait_for_no_soa() { - wait_for_rcode REFUSED SOA "$@" + wait_for_rcode REFUSED SOA "$@" } _wait_for_zonefile() ( - # shellcheck disable=SC2234 - [ -f "$1" ] + # shellcheck disable=SC2234 + [ -f "$1" ] ) wait_for_zonefile() ( - retry_quiet 10 _wait_for_zonefile "$@" + retry_quiet 10 _wait_for_zonefile "$@" ) _wait_for_no_zonefile() ( - # shellcheck disable=SC2234 - [ ! -f "$1" ] + # shellcheck disable=SC2234 + [ ! -f "$1" ] ) wait_for_no_zonefile() ( - retry_quiet 10 _wait_for_no_zonefile "$@" + retry_quiet 10 _wait_for_no_zonefile "$@" ) status=0 n=0 ########################################################################## echo_i "Testing adding/removing of domain in catalog zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. 
is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom1.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom1.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom1.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom1.example.db rndccmd 10.53.0.1 addzone dom1.example. '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom1.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN PTR dom1.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is populated ($n)" ret=0 wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT dom1.example. 
>dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that journal was created for cleanup test ($n)" ret=0 test -f ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update catalog zone serial ($n)" ret=0 # default minimum update rate is once / 5 seconds sleep 5 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for catalog zone to transfer ($n)" ret=0 wait_for_soa_equal_20() { - dig_with_opts @10.53.0.2 SOA catalog1.example. > dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep 'IN.SOA.\. \. 20 ' dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 SOA catalog1.example. >dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep 'IN.SOA.\. \. 20 ' dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_soa_equal_20 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. 
again ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add foo.dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated again ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT foo.dom1.example. >dig.out.test$n || return 1 + grep "ANSWER: 2," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom1.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom1.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is emptied ($n)" ret=0 wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db -echo "@ IN NS invalid." >> ns1/dom2.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom2.example.db +echo "@ IN NS invalid." >>ns1/dom2.example.db rndccmd 10.53.0.1 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db -echo "@ IN NS invalid." >> ns1/dom4.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom4.example.db +echo "@ IN NS invalid." >>ns1/dom4.example.db rndccmd 10.53.0.1 addzone dom4.example. '{type primary; file "dom4.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom2.example, dom3.example. 
and some garbage to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update add b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. 
@@ -300,142 +300,140 @@ END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) - -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" && -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom4.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom4.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom3.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db -echo "@ IN NS invalid." >> ns1/dom3.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom3.example.db +echo "@ IN NS invalid." >>ns1/dom3.example.db rndccmd 10.53.0.1 addzone dom3.example. '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by primary ($n)" ret=0 -wait_for_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 dom3.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3060 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T3//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3911 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T4//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # catalog zone update can be deferred sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i 
"checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. 
@@ -452,81 +450,80 @@ END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog2 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing masters suboption and random labels" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom5.example. with a valid masters suboption (IP without TSIG) and a random label ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. update add masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom5.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom5.example. ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. update delete masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing masters global option" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom6.example. and a valid global masters option (IP without TSIG) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add masters.catalog1.example. 3600 IN A 10.53.0.3 update add masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 
@@ -534,27 +531,27 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom6.example/IN' from " > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom6.example/IN' from " >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom6.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom6.example. ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete masters.catalog1.example. 3600 IN A 10.53.0.3 update delete masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 
@@ -562,142 +559,142 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom6.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom6.example. and an invalid global masters option (TSIG without IP) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add label1.masters.catalog1.example. 3600 IN TXT "tsig_key" update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom6.example\"" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom6.example\"" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom6.example. 
($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete label1.masters.catalog1.example. 3600 IN TXT "tsig_key" update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "Checking that a missing zone directory forces in-memory ($n)" ret=0 -grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +grep "'nonexistent' not found; zone files will not be saved" ns2/named.run >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing allow-query and allow-transfer ACLs" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db -echo "@ IN NS invalid." >> ns1/dom7.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom7.example.db +echo "@ IN NS invalid." >>ns1/dom7.example.db rndccmd 10.53.0.1 addzone dom7.example. '{type primary; file "dom7.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 
1 3600 3600 3600 3600" > ns1/dom8.example.db -echo "@ IN NS invalid." >> ns1/dom8.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom8.example.db +echo "@ IN NS invalid." >>ns1/dom8.example.db rndccmd 10.53.0.1 addzone dom8.example. '{type primary; file "dom8.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. update add allow-query.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 
3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && -wait_for_message ns2/named.run "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" >/dev/null \ + && wait_for_message ns2/named.run "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 
3600 IN PTR dom8.example update add allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32 
@@ -705,118 +702,117 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && -wait_for_message ns2/named.run "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" \ + && wait_for_message ns2/named.run "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n -grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 >dig.out.test$n +grep "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n -grep -v "Transfer failed." 
dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting global allow-query and allow-domain ACLs ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32 update delete allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 >dig.out.test$n +grep -v "Transfer failed." 
dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing TSIG keys for masters set per-domain" -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS invalid." >> ns1/dom9.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom9.example.db +echo "@ IN NS invalid." >>ns1/dom9.example.db rndccmd 10.53.0.1 addzone dom9.example. '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom9.example. to catalog1 zone with a valid masters suboption (IP with TSIG) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. 
update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 
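Review bot: The three "is AXFR accessible" checks in this hunk use `grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1`, which can hardly ever set `ret`. `grep -v` exits 0 as soon as any line in the file lacks the string, and dig presumably prints banner or comment lines even when the transfer is refused. A regression that wrongly denies transfers under the catalog-zone `allow-transfer` APL would therefore go unnoticed; only the "not AXFR accessible" case, which uses a plain `grep`, asserts anything. Inverting the positive match makes the checks meaningful: `grep "Transfer failed." dig.out.test$n >/dev/null && ret=1`. This reformatting commit touches those lines but leaves the logic unchanged.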
@@ -824,77 +820,77 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is accessible on secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "change TSIG key name on primary ($n)" ret=0 rndccmd 10.53.0.1 modzone dom9.example. '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update TSIG key name in catalog zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update del label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 
3600 IN TXT "next_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update zone contents and reload ($n)" ret=0 -echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS ns2" >> ns1/dom9.example.db -echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db +echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" >ns1/dom9.example.db +echo "@ IN NS ns2" >>ns1/dom9.example.db +echo "ns2 IN A 10.53.0.2" >>ns1/dom9.example.db rndccmd 10.53.0.1 reload dom9.example. || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for primary to update zone ($n)" ret=0 wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to update zone ($n)" ret=0 wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom9.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 
@@ -902,881 +898,878 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is no longer accessible on secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom9.example. to catalog1 zone with an invalid masters suboption (TSIG without IP) ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 
3600 IN TXT "tsig_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom9.example\"" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom9.example\"" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom9.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing catalog entries that can't be represented as filenames" # note: we need 4 backslashes in the shell to get 2 backslashes in DNS # presentation format, which is 1 backslash on the wire. 
for special in \ - this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ - this.zone/domain.has.a.slash.dom10.example \ - this.zone\\\\domain.has.backslash.dom10.example \ - this.zone:domain.has.a.colon.dom.10.example -do - # hashes below are generated by: - # python ${TOP}/contrib/scripts/catzhash.py "${special}" + this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ + this.zone/domain.has.a.slash.dom10.example \ + this.zone\\\\domain.has.backslash.dom10.example \ + this.zone:domain.has.a.colon.dom.10.example; do + # hashes below are generated by: + # python ${TOP}/contrib/scripts/catzhash.py "${special}" - case "$special" in + case "$special" in this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) - hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 - db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db - ;; + hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 + db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db + ;; this.zone/domain.has.a.slash.dom10.example) - hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa - db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db - ;; + hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa + db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db + ;; this.zone\\\\domain.has.backslash.dom10.example) - hash=91e27e02153d38cf656a9b376d7747fbcd19f985 - db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db - ;; + hash=91e27e02153d38cf656a9b376d7747fbcd19f985 + db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db + ;; this.zone:domain.has.a.colon.dom.10.example) - hash=8b7238bf4c34045834c573ba4116557ebb24d33c - 
db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db - ;; - esac - - n=$((n+1)) - echo_i "checking that ${special}. is not served by primary ($n)" - ret=0 - wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "Adding a domain ${special}. to primary via RNDC ($n)" - ret=0 - echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db - echo "@ IN NS invalid." >> ns1/dom10.example.db - rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is now served by primary ($n)" - ret=0 - wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - nextpart ns2/named.run >/dev/null - - n=$((n+1)) - echo_i "Adding domain ${special}. to catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + hash=8b7238bf4c34045834c573ba4116557ebb24d33c + db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db + ;; + esac + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by primary ($n)" + ret=0 + wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "Adding a domain ${special}. to primary via RNDC ($n)" + ret=0 + echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom10.example.db + echo "@ IN NS invalid." >>ns1/dom10.example.db + rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is now served by primary ($n)" + ret=0 + wait_for_soa @10.53.0.1 "${special}." 
dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + nextpart ns2/named.run >/dev/null + + n=$((n + 1)) + echo_i "Adding domain ${special}. to catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}. send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && - wait_for_message ns2/named.run "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is served by secondary ($n)" - ret=0 - wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is populated with a hashed filename ($n)" - ret=0 - wait_for_zonefile "ns2/zonedir/$db" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "removing domain ${special}. from catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is served by secondary ($n)" + ret=0 + wait_for_soa @10.53.0.2 "${special}." 
dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is populated with a hashed filename ($n)" + ret=0 + wait_for_zonefile "ns2/zonedir/$db" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "removing domain ${special}. from catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete ${hash}.zones.catalog1.example send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN: shutting down" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is not served by secondary ($n)" - ret=0 - wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is emptied ($n)" - ret=0 - wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 - wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN: shutting down" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by secondary ($n)" + ret=0 + wait_for_no_soa @10.53.0.2 "${special}." 
dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is emptied ($n)" + ret=0 + wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 + wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done ########################################################################## echo_i "Testing adding a domain and a subdomain of it" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db -echo "@ IN NS invalid." >> ns1/dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom11.example.db +echo "@ IN NS invalid." >>ns1/dom11.example.db rndccmd 10.53.0.1 addzone dom11.example. '{type primary; file "dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example. 
send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)" ret=0 wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db -echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/subdomain.of.dom11.example.db +echo "@ IN NS invalid." >>ns1/subdomain.of.dom11.example.db rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. 
is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom11.example. 
from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain subdomain.of.dom11.example. 
from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing adding a catalog zone at runtime with rndc reconfig" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db -echo "@ IN NS invalid." >> ns1/dom12.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom12.example.db +echo "@ IN NS invalid." >>ns1/dom12.example.db rndccmd 10.53.0.1 addzone dom12.example. 
'{type primary; file "dom12.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom12.example. to catalog4 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" ret=0 -sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T1//g" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && -wait_for_message ns2/named.run "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking that dom12.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom12.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" ret=0 -sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T2//" ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom12.example. from catalog4 zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a zone in two different catalogs" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom13.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db -echo "@ IN NS invalid." >> ns1/dom13.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom13.example.db +echo "@ IN NS invalid." >>ns1/dom13.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom13.example.db rndccmd 10.53.0.1 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db -echo "@ IN NS invalid." >> ns3/dom13.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom13.example.db +echo "@ IN NS invalid." >>ns3/dom13.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom13.example.db rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. 
to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 
3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. 
dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a regular zone and a zone in catalog zone of the same name" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db -echo "@ IN NS invalid." 
>> ns1/dom14.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom14.example.db +echo "@ IN NS invalid." >>ns1/dom14.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom14.example.db rndccmd 10.53.0.1 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db -echo "@ IN NS invalid." >> ns3/dom14.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom14.example.db +echo "@ IN NS invalid." >>ns3/dom14.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom14.example.db rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" ret=0 rndccmd 10.53.0.2 addzone dom14.example. 
'{type secondary; primaries {10.53.0.1;};};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. update add masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. 
is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom14.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. update delete masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing changing label for a member zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom15.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db -echo "@ IN NS invalid." >> ns1/dom15.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom15.example.db +echo "@ IN NS invalid." >>ns1/dom15.example.db rndccmd 10.53.0.1 addzone dom15.example. '{type primary; file "dom15.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing recreation of a manually deleted zone after a reload" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db -echo "@ IN NS invalid." >> ns1/dom16.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db +echo "@ 3600 IN SOA . . 
1 3600 3600 3600 3600" >ns1/dom16.example.db +echo "@ IN NS invalid." >>ns1/dom16.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom16.example.db rndccmd 10.53.0.1 addzone dom16.example. '{type primary; file "dom16.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom16.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom16.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. 
dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null @@ -1784,14 +1777,14 @@ ret=0 rndccmd 10.53.0.2 delzone dom16.example. >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null 
@@ -1799,52 +1792,52 @@ ret=0 rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom16.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. 
dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" ret=0 copy_setports ns2/named2.conf.in ns2/named.conf 
@@ -1852,30 +1845,30 @@ copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ######################################################################### nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a dom19.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom19.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom19.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom19.example.db rndccmd 10.53.0.1 addzone dom19.example. '{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "add an entry to the restored catalog zone ($n)" ret=0 -$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example. update add label1.masters.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN A 10.53.0.1 
@@ -1883,32 +1876,32 @@ send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## # GL #3777 nextpart ns4/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" ret=0 -echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >>ns4/catalog-self.example.db rndccmd 10.53.0.4 reload || ret=1 -n=$((n+1)) +n=$((n + 1)) echo_i "Issuing another rndc reload command after 1 second ($n)" sleep 1 rndccmd 10.53.0.4 reload || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/cds/setup.sh bind9-9.16.48/bin/tests/system/cds/setup.sh --- bind9-9.16.44/bin/tests/system/cds/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/cds/setup.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -40,20 +40,20 @@ EOF tac() { - $PERL -e 'print reverse <>' + $PERL -e 'print reverse <>' } convert() { - key=$1 - n=$2 - $DSFROMKEY -12 $key >DS.$n - grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 - grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 - sed 's/ IN DS / IN CDS /' >CDS.$n - sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n - sed 's/ IN DS / 3600 IN DS /' DS.ttl$n - sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n - tac DS.rev$n + key=$1 + n=$2 + $DSFROMKEY -12 $key >DS.$n + grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 + grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 + sed 's/ IN DS / IN CDS /' >CDS.$n + sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n + sed 's/ IN DS / 3600 IN DS /' DS.ttl$n + sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n + tac DS.rev$n } convert $key1 1 convert $key2 2 
@@ -85,9 +85,9 @@ sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' UP.swapttl sign() { - cat >db.$1 - $SIGNER >/dev/null \ - -S -O full -o $Z -f sig.$1 db.$1 + cat >db.$1 + $SIGNER >/dev/null \ + -S -O full -o $Z -f sig.$1 db.$1 } sign null <brk.rrsig.cds.zsk + brk.rrsig.cds.zsk $mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \ - brk.rrsig.cds.ksk + brk.rrsig.cds.ksk -$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " out.$n 2> err.$n - echo $? + "$@" 1>out.$n 2>err.$n + echo $? } testcase() { - n=$((n + 1)) - echo_i "$name ($n)" - expect=$1 - shift - result=$(runcmd "$@") - check_stdout - check_stderr - if [ "$expect" -ne "$result" ]; then - echo_d "exit status does not match $expect" - fail - fi - unset name err out + n=$((n + 1)) + echo_i "$name ($n)" + expect=$1 + shift + result=$(runcmd "$@") + check_stdout + check_stderr + if [ "$expect" -ne "$result" ]; then + echo_d "exit status does not match $expect" + fail + fi + unset name err out } check_stderr() { - if [ -n "${err:=}" ]; then - grep -E "$err" err.$n >/dev/null && return 0 - echo_d "stderr did not match '$err'" - else - [ -s err.$n ] || return 0 - fi - cat err.$n | cat_d - fail + if [ -n "${err:=}" ]; then + grep -E "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" + else + [ -s err.$n ] || return 0 + fi + cat err.$n | cat_d + fail } check_stdout() { - $DIFF out.$n "${out:-empty}" >/dev/null && return - echo_d "stdout did not match '$out'" - ( echo "wanted" - cat "$out" - echo "got" - cat out.$n - ) | cat_d - fail + $DIFF out.$n "${out:-empty}" >/dev/null && return + echo_d "stdout did not match '$out'" + ( + echo "wanted" + cat "$out" + echo "got" + cat out.$n + ) | cat_d + fail } Z=cds.test diff -Nru bind9-9.16.44/bin/tests/system/chain/ans3/ans.pl bind9-9.16.48/bin/tests/system/chain/ans3/ans.pl --- bind9-9.16.44/bin/tests/system/chain/ans3/ans.pl 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/chain/ans3/ans.pl 2024-02-11 11:31:39.000000000 +0000 
@@ -22,9 +22,14 @@ print $pidf "$$\n" or die "cannot write pid file: $!"; $pidf->close or die "cannot close pid file: $!"; sub rmpid { unlink "ans.pid"; exit 1; }; +sub term { }; $SIG{INT} = \&rmpid; -$SIG{TERM} = \&rmpid; +if ($Net::DNS::VERSION > 1.41) { + $SIG{TERM} = \&term; +} else { + $SIG{TERM} = \&rmpid; +} my $localaddr = "10.53.0.3"; @@ -128,4 +133,11 @@ Verbose => $verbose, ); -$ns->main_loop; +if ($Net::DNS::VERSION >= 1.42) { + $ns->start_server(); + select(undef, undef, undef, undef); + $ns->stop_server(); + unlink "ans.pid"; +} else { + $ns->main_loop; +} diff -Nru bind9-9.16.44/bin/tests/system/chain/ns2/sign.sh bind9-9.16.48/bin/tests/system/chain/ns2/sign.sh --- bind9-9.16.44/bin/tests/system/chain/ns2/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/chain/ns2/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -20,7 +20,7 @@ ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-secure.example. zonefile=wildcard-secure.db @@ -28,7 +28,7 @@ ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec.example. zonefile=wildcard.db @@ -36,7 +36,7 @@ ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec3.example. zonefile=wildcard.db 
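Review bot: The two version guards in this file do not agree: the TERM handler switches to the empty `term` sub when `$Net::DNS::VERSION > 1.41`, while the later hunk (at -128) only takes the `start_server` path when `$Net::DNS::VERSION >= 1.42`. For any value strictly between the two, the script would run `main_loop` with a no-op TERM handler, so SIGTERM would neither stop the server nor remove ans.pid. Using the same test in both places, `if ($Net::DNS::VERSION >= 1.42) {`, closes that gap. A one-line comment saying why newer Net::DNS needs a different shutdown path would also help the next reader.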
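Review bot: In the new `start_server` branch only SIGTERM gets the stop-then-unlink sequence; SIGINT still goes to `rmpid` (set in the earlier hunk), which unlinks ans.pid and exits without calling `$ns->stop_server()`. If `start_server` leaves anything running that `stop_server` is meant to tear down (not visible from this hunk), an interrupted test run could leave it behind. Pointing INT at `\&term` in the new-version case would route both signals through the same cleanup. The four-argument `select` also deserves a comment such as `# block here until a signal handler returns`, since its role as the wait primitive is not obvious.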
@@ -44,7 +44,7 @@ ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec3-optout.example. zonefile=wildcard.db @@ -52,4 +52,4 @@ ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null diff -Nru bind9-9.16.44/bin/tests/system/chain/prereq.sh bind9-9.16.48/bin/tests/system/chain/prereq.sh --- bind9-9.16.44/bin/tests/system/chain/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/chain/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -14,37 +14,32 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -if test -n "$PYTHON" -then - if $PYTHON -c "import dns" 2> /dev/null - then - : - else - echo_i "This test requires the dnspython module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if $PYTHON -c "import dns" 2>/dev/null; then + : + else + echo_i "This test requires the dnspython module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null - then - : - else - echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2 - exit 1 - fi -else - echo_i "This test requires the perl Net::DNS library." >&2 +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null; then + : + else + echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2 exit 1 + fi +else + echo_i "This test requires the perl Net::DNS library." >&2 + exit 1 fi -if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null -then - : +if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null; then + : else - echo_i "This test requires the Net::DNS::Nameserver library." >&2 - exit 1 + echo_i "This test requires the Net::DNS::Nameserver library." >&2 + exit 1 fi diff -Nru bind9-9.16.44/bin/tests/system/chain/tests.sh bind9-9.16.48/bin/tests/system/chain/tests.sh --- bind9-9.16.44/bin/tests/system/chain/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/chain/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -20,126 +20,126 @@ status=0 n=0 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking short DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1 -grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1 +$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1 +grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking short DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1 -grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1 +$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1 +grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1 -grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1 +grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking long DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1 -grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1 +grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1 if [ $ret != 0 
]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking (too) long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 -grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a 
>dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 -grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) find_records() { - owner_name="$1" - rr_type="$2" - file="$3" - awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file" + owner_name="$1" + rr_type="$2" + file="$3" + awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file" } count_records() { - owner_name="$1" - rr_type="$2" - file="$3" - find_records "$owner_name" "$rr_type" "$file" | wc -l + owner_name="$1" + rr_type="$2" + file="$3" + 
find_records "$owner_name" "$rr_type" "$file" | wc -l } exactly_one_record_exists_for() { - owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 } no_records_exist_for() { - owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 } ensure_no_ds_in_bitmap() { - owner_name="$1" - rr_type="$2" - file="$3" - case "$rr_type" in - NSEC) start_index=6 ;; - NSEC3) start_index=10 ;; - *) exit 1 ;; - esac - find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' + owner_name="$1" + rr_type="$2" + file="$3" + case "$rr_type" in + NSEC) start_index=6 ;; + NSEC3) start_index=10 ;; + *) exit 1 ;; + esac + find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' } -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking secure delegation prepared using CNAME chaining ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # DS RRset. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." 
DS dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an # NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 @@ -149,14 +149,14 @@ no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1 no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 
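Review bot: `find_records` builds its awk program by splicing `$owner_name` and `$rr_type` into the script text, so a value containing a double quote or awk syntax would be parsed as code rather than compared as data. The callers visible here pass fixed test names, so this is a robustness point rather than a live problem, but passing the values with `-v` keeps data out of the program: `awk -v owner="$owner_name" -v type="$rr_type" '$1 == owner && $4 == type { print }' <"$file"`. The similar splice of `$start_index` in `ensure_no_ds_in_bitmap` takes its value from the function's own `case` and is fine as written.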
@@ -170,15 +170,15 @@ # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC records are different. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 
@@ -192,16 +192,16 @@ # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -215,7 +215,7 @@ # type bit map. ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Relevant NSEC3 hashes: # 
@@ -237,12 +237,12 @@ # $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3.example. # SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -256,15 +256,15 @@ # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 
@@ -278,16 +278,16 @@ # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -301,7 +301,7 @@ # the type bit map. ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Relevant NSEC3 hashes: # 
@@ -326,12 +326,12 @@ # $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3-optout.example. # V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -344,15 +344,15 @@ # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 
@@ -365,16 +365,16 @@ # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)" ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 
@@ -387,239 +387,239 @@ # the type bit map. ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname -grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname +grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to DNAME from recursive" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname -grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1 -grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname +grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1 +grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.target.example.' 
dig.out.ns4.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 -grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep 
'^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1 +grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME loops are detected ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to external delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to internal delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > 
/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to signed external delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME to signed internal delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking CNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 
's/^/ns7 /' | cat_i echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1 -grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1 +grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1 echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND $RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1 -grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1 +grep 'status: 
NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1 -grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1 +grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that only the initial CNAME is cached ($n)" ret=0 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 sleep 1 -$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1 -ttl=`awk '{print $2}' dig.out.2.$n` +$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1 +ttl=$(awk '{print $2}' dig.out.2.$n) [ "$ttl" -eq 86400 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.1.$n > 
/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|2,3,s1,s2,s3,s4,1" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking external CNAME/DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 
2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,s1,1,4,s4,3" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,2,2" | $SEND -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking explicit DNAME query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME via ANY query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 any 
short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Regression test for CVE-2021-25215 (authoritative server). -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME resolution via itself (authoritative) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Regression test for CVE-2021-25215 (recursive resolver). -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking DNAME resolution via itself (recursive) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/checkconf/tests.sh bind9-9.16.48/bin/tests/system/checkconf/tests.sh --- bind9-9.16.44/bin/tests/system/checkconf/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkconf/tests.sh 2024-02-11 11:31:39.000000000 +0000 
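Review bot: The test titled `checking CNAME to DNAME from recursive` is the only one in this hunk whose `echo_i` line lacks the `($n)` counter, so a failure there is harder to match to its `--- start test$n ---` marker in the ns7 log; `echo_i "checking CNAME to DNAME from recursive ($n)"` would bring it in line with the rest. The same test queries 10.53.0.7 and tags the log as ns7 but writes to `dig.out.ns4.cname`, which looks like a leftover name; `dig.out.test$n`, as the later tests in this hunk use, would be less misleading when reading artifacts from a failed run. This reformatting commit leaves the title line unchanged and keeps the output file name.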
@@ -19,623 +19,747 @@ mkdir keys -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf handles a known good config ($n)" ret=0 -$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1 +$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf prints a known good config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.in [ -s good.conf.in ] || ret=1 -$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +$CHECKCONF -p good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' good.conf.out 2>&1 || ret=1 cmp good.conf.in good.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -x removes secrets ($n)" ret=0 # ensure there is a secret and that it is not the check string. -grep 'secret "' good.conf.in > /dev/null || ret=1 -grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 -$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 -grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -for bad in bad-*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - $CHECKCONF $bad > checkconf.out$n 2>&1 - if [ $? 
-ne 1 ]; then ret=1; fi - grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1 - case $bad in +grep 'secret "' good.conf.in >/dev/null || ret=1 +grep 'secret "????????????????"' good.conf.in >/dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' good.conf.out 2>&1 || ret=1 +grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$(expr $status + $ret) + +for bad in bad-*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad >checkconf.out$n 2>&1 + if [ $? -ne 1 ]; then ret=1; fi + grep "^$bad:[0-9]*: " /dev/null || ret=1 + case $bad in bad-update-policy[123].conf) - pat="identity and name fields are not the same" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[4589].conf|bad-update-policy1[01].conf) - pat="name field not set to placeholder value" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[67].conf|bad-update-policy1[2345].conf) - pat="missing name field type '.*' found" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - esac - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + pat="identity and name fields are not the same" + grep "$pat" /dev/null || ret=1 + ;; + bad-update-policy[4589].conf | bad-update-policy1[01].conf) + pat="name field not set to placeholder value" + grep "$pat" /dev/null || ret=1 + ;; + bad-update-policy[67].conf | bad-update-policy1[2345].conf) + pat="missing name field type '.*' found" + grep "$pat" /dev/null || ret=1 + ;; + esac + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -for good in good-*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects no error in $good ($n)" - ret=0 - $CHECKCONF $good > checkconf.out$n 2>&1 - if [ $? 
-ne 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` +for good in good-*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects no error in $good ($n)" + ret=0 + $CHECKCONF $good >checkconf.out$n 2>&1 + if [ $? -ne 0 ]; then + echo_i "failed" + ret=1 + fi + status=$(expr $status + $ret) done -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that ancient options report a fatal error ($n)" ret=0 -$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 -grep "no longer exists" ancient.out > /dev/null || ret=1 +$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1 +grep "no longer exists" ancient.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z catches missing hint file ($n)" ret=0 -$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 -grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 +$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1 +grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf catches range errors ($n)" ret=0 -$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 +$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" ret=0 -$CHECKCONF notify.conf > checkconf.out$n 2>&1 -warnings=`grep "'notify' is disabled" < checkconf.out$n | wc -l` +$CHECKCONF notify.conf >checkconf.out$n 2>&1 +warnings=$(grep "'notify' is disabled" checkconf.out$n.1 2>&1 
-grep "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF dnssec.1 >checkconf.out$n.1 2>&1 +grep "'dnssec-enable' is obsolete and should be removed" /dev/null || ret=1 # dnssec.2: auto-dnssec warning -$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 -grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1 +$CHECKCONF dnssec.2 >checkconf.out$n.2 2>&1 +grep 'auto-dnssec may only be ' /dev/null || ret=1 # dnssec.3: should have no warnings (other than deprecation warning) -$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 -grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.3 > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n.3") +$CHECKCONF dnssec.3 >checkconf.out$n.3 2>&1 +grep "option 'auto-dnssec' is deprecated" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n.3") if [ $lines != 1 ]; then ret=1; fi # dnssec.4: should have specific deprecation warning -$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1 -grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.4 > /dev/null || ret=1 +$CHECKCONF dnssec.4 >checkconf.out$n.4 2>&1 +grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 -$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 -grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "token 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 +grep "option 'managed-keys' is deprecated" /dev/null || ret=1 +grep "option 'trusted-keys' is deprecated" /dev/null || 
ret=1 +grep "option 'dscp' is deprecated" /dev/null || ret=1 +grep "token 'dscp' is deprecated" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # set -i to ignore deprecate warnings -$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 -grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 +$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1 +grep '.*' /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf servestale warnings ($n)" ret=0 -$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1 +$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) ret=0 -$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "range checking fields that do not allow zero ($n)" ret=0 for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do - cat > badzero.conf << EOF + cat >badzero.conf < checkconf.out$n.1 2>&1 - [ $? 
-eq 1 ] || { echo_i "options $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1 + [ $? -eq 1 ] || { + echo_i "options $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.2 2>&1 - [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1 + [ $? -eq 1 ] || { + echo_i "view $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.3 2>&1 - [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1 + [ $? -eq 1 ] || { + echo_i "options + view $field failed" + ret=1 + } + cat >badzero.conf < checkconf.out$n.4 2>&1 - [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } + $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1 + [ $? -eq 1 ] || { + echo_i "zone $field failed" + ret=1 + } done if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 -l=`grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.1 2>&1 +l=$(grep "dnssec-dnskey-kskonly.*requires inline" checkconf.out$n.2 2>&1 -l=`grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 +l=$(grep "dnssec-loadkeys-interval.*requires inline" checkconf.out$n.3 2>&1 -l=`grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.3 2>&1 +l=$(grep "update-check-ksk.*requires inline" checkconf.out$n.1 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.1 | wc -l` +$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 +l=$(grep "missing 'file' entry" checkconf.out$n.2 2>&1 -l=`grep "missing 'file' 
entry" < checkconf.out$n.2 | wc -l` +$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 +l=$(grep "missing 'file' entry" checkconf.out$n.3 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.3 | wc -l` +$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 +l=$(grep "missing 'file' entry" checkconf.out$n 2>&1 -grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 +grep "'dlz' and 'database'" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking for missing key directory warning ($n)" ret=0 rm -rf test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 -l=`grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1 +l=$(grep "'test.keydir' does not exist" checkconf.out$n.2 2>&1 -l=`grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1 +l=$(grep "'test.keydir' is not a directory" checkconf.out$n.3 2>&1 -l=`grep "key-directory" < checkconf.out$n.3 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1 +l=$(grep "key-directory" check.out 2>&1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z max-ttl.conf >check.out 2>&1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr 
$status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" ret=0 -$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" ret=0 -$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" ret=0 -$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" ret=0 -$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1 +if [ 
$ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z passes on view with IN class ($n)" ret=0 -$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" ret=0 -$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-names fails as configured ($n)" ret=0 -$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" /dev/null || ret=1 +grep "zone check-names/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi 
-status=`expr $status + $ret` +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-dup-records fails as configured ($n)" ret=0 -$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "has semantically identical records" /dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "failed: MX is an address" /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null 
&& ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-srv-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" /dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -p properly print a port range ($n)" ret=0 -$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "range 8610 8614;" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -z handles in-view ($n)" ret=0 -$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "zone 
shared.example/IN: loaded serial" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" ret=0 -$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf prints max-cache-size correctly ($n)" ret=0 -$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "max-cache-size 60%;" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -l prints out the zone list ($n)" ret=0 -$CHECKCONF -l good.conf | -grep -v "is deprecated" | -grep -v "is not implemented" | -grep -v "is not recommended" | -grep -v "no longer exists" | -grep -v "is obsolete" > checkconf.out$n || ret=1 -diff good.zonelist checkconf.out$n > diff.out$n || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -l good.conf \ + | grep -v "is deprecated" \ + | grep -v "is not implemented" \ + | grep -v "is not recommended" \ + | grep -v "no longer exists" \ + | grep -v "is obsolete" >checkconf.out$n || ret=1 +diff good.zonelist checkconf.out$n >diff.out$n || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside auto;' 
generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-auto.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-dlv.isc.org.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside . 
trust-anchor dlv.example.com;' generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-dlv.example.com.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "key without the updated" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +grep "key without the updated" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && 
ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a static root key generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a static root DS trust anchor generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a trusted-keys entry for root generates a warning ($n)" ret=0 -$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + 
$ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 -$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 -grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 +grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'geoip-use-ecs no' generates a warning ($n)" ret=0 -$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF warn-geoip-use-ecs.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +grep "'geoip-use-ecs' is obsolete" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp errors ($n)" ret=0 -$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < 
checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1 +grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" /dev/null || ret=1 +grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 +grep "update-check-ksk: cannot be configured if dnssec-policy is also set" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-nsec3-iter.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: nsec3 iterations value 151 out of range" /dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 3 ]; then ret=1; fi if [ $ret -ne 0 ]; then 
echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp key errors ($n)" ret=0 -$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp predefined key length ($n)" ret=0 -$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 -$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1 if [ 
$ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf prints a known good kasp config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in [ -s good-kasp.conf.in ] || ret=1 -$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1 +$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1 cmp good-kasp.conf.in good-kasp.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" ret=0 -$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "exceeds 100%" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that *-source options with specified port generate warnings ($n)" ret=0 -$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-transfer-source.conf 
>checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" /dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)" ret=0 -$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-kasp-max-zone-ttl.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=$((n+1)) +n=$((n + 1)) echo_i "check that masterfile-format map generates deprecation warning ($n)" ret=0 -$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < checkconf.out$n >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +$CHECKCONF deprecated-masterfile-format-map.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)" ret=0 -$CHECKCONF good-masterfile-format-text.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < checkconf.out$n >/dev/null && ret=1 -$CHECKCONF good-masterfile-format-raw.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < 
checkconf.out$n >/dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +$CHECKCONF good-masterfile-format-text.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" /dev/null && ret=1 +$CHECKCONF good-masterfile-format-raw.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" /dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'check-wildcard yes;' warns as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) rmdir keys diff -Nru bind9-9.16.44/bin/tests/system/checkds/ns2/setup.sh bind9-9.16.48/bin/tests/system/checkds/ns2/setup.sh --- bind9-9.16.44/bin/tests/system/checkds/ns2/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ 
bind9-9.16.48/bin/tests/system/checkds/ns2/setup.sh 2024-02-11 11:31:39.000000000 +0000
@@ -17,18 +17,17 @@
 echo_i "ns2/setup.sh"
 for subdomain in dspublished reference missing-dspublished bad-dspublished \
- multiple-dspublished incomplete-dspublished bad2-dspublished \
- dswithdrawn missing-dswithdrawn bad-dswithdrawn \
- multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn
-do
- cp "../ns9/dsset-$subdomain.checkds$TP" .
+ multiple-dspublished incomplete-dspublished bad2-dspublished \
+ dswithdrawn missing-dswithdrawn bad-dswithdrawn \
+ multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn; do
+ cp "../ns9/dsset-$subdomain.checkds$TP" .
 done
 zone="checkds"
 infile="checkds.db.infile"
 zonefile="checkds.db"
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone)
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1
diff -Nru bind9-9.16.44/bin/tests/system/checkds/ns5/setup.sh bind9-9.16.48/bin/tests/system/checkds/ns5/setup.sh
--- bind9-9.16.44/bin/tests/system/checkds/ns5/setup.sh 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/checkds/ns5/setup.sh 2024-02-11 11:31:39.000000000 +0000
@@ -20,7 +20,7 @@ infile="checkds.db.infile" zonefile="checkds.db" -CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1 +CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1 diff -Nru bind9-9.16.44/bin/tests/system/checkds/ns9/setup.sh bind9-9.16.48/bin/tests/system/checkds/ns9/setup.sh --- bind9-9.16.44/bin/tests/system/checkds/ns9/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkds/ns9/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -17,11 +17,11 @@ echo_i "ns9/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - echo "$zone" >> zones + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones } # Short environment variable names for key states and times. 
@@ -34,30 +34,28 @@ # DS Publication. for zn in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $T -P sync $T -A $T" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + multiple-dspublished incomplete-dspublished bad2-dspublished; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $T -P sync $T -A $T" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done # DS Withdrawal. 
for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \ - incomplete-dswithdrawn bad2-dswithdrawn -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $Y -P sync $Y -A $Y" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + incomplete-dswithdrawn bad2-dswithdrawn; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $Y -P sync $Y -A $Y" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done diff -Nru bind9-9.16.44/bin/tests/system/checkds/prereq.sh bind9-9.16.48/bin/tests/system/checkds/prereq.sh --- bind9-9.16.44/bin/tests/system/checkds/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkds/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -14,18 +14,16 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -if test -n "$PYTHON" -then - if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ] - then - : - else - echo_i "This test requires the dnspython >= 2.0.0 module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2>/dev/null)" -ge 2 ]; then + : + else + echo_i "This test requires the dnspython >= 2.0.0 module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi exit 0 diff -Nru bind9-9.16.44/bin/tests/system/checkds/setup.sh bind9-9.16.48/bin/tests/system/checkds/setup.sh --- bind9-9.16.44/bin/tests/system/checkds/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkds/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -27,14 +27,14 @@ # Setup zones ( - cd ns9 - $SHELL setup.sh + cd ns9 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) diff -Nru bind9-9.16.44/bin/tests/system/checkdstool/dig.sh bind9-9.16.48/bin/tests/system/checkdstool/dig.sh --- bind9-9.16.44/bin/tests/system/checkdstool/dig.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkdstool/dig.sh 2024-02-11 11:31:39.000000000 +0000 
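Review bot: In prereq.sh the version test `[ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2>/dev/null)" -ge 2 ]` compares an empty string when dnspython is not installed. `[` then reports an integer-expression error rather than returning a plain false. The script still reaches the `else` branch, so the outcome is right, but the stray error can hide the intended message. Letting Python return the status avoids this and removes the empty `:` branch: `if ! $PYTHON -c "import dns.version, sys; sys.exit(dns.version.MAJOR < 2)" 2>/dev/null; then` followed by the existing message and `exit 1`.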
@@ -12,13 +12,22 @@ # information regarding copyright ownership. while [ "$#" != 0 ]; do - case $1 in + case $1 in +*) shift ;; -t) shift ;; - DS|ds) ext=ds ; shift ;; - DNSKEY|dnskey) ext=dnskey ; shift ;; - *) file=$1 ; shift ;; - esac + DS | ds) + ext=ds + shift + ;; + DNSKEY | dnskey) + ext=dnskey + shift + ;; + *) + file=$1 + shift + ;; + esac done cat ${file}.${ext}.db diff -Nru bind9-9.16.44/bin/tests/system/checkdstool/tests.sh bind9-9.16.48/bin/tests/system/checkdstool/tests.sh --- bind9-9.16.44/bin/tests/system/checkdstool/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkdstool/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -15,12 +15,12 @@ . $SYSTEMTESTTOP/conf.sh if [ "$CYGWIN" ]; then - DIG=".\dig.bat" - WINDSFROMKEY=`cygpath -w $DSFROMKEY` - CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY" + DIG=".\dig.bat" + WINDSFROMKEY=$(cygpath -w $DSFROMKEY) + CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY" else - DIG="./dig.sh" - CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY" + DIG="./dig.sh" + CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY" fi chmod +x $DIG 
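Review bot: The last line of the dig.sh hunk, `cat ${file}.${ext}.db`, expands two variables that the `case` loop sets only when it sees a record type and a name. Neither has a default, and the expansion is unquoted. A call that omits the type or the name therefore reads a path such as `name..db` and fails with a file-not-found message that does not point at the missing argument. `cat "${file:?}.${ext:?}.db"` would fail with the variable name instead and keep the path as one word.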
@@ -29,88 +29,88 @@ echo_i "checking for correct DS, looking up key via 'dig' ($n)" ret=0 -$CHECKDS ok.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS ok.example >checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for correct DS, obtaining key from file ($n)" ret=0 -$CHECKDS -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS -f ok.example.dnskey.db ok.example >checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for incorrect DS, looking up key via 'dig' ($n)" ret=0 -$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS wrong.example >checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for incorrect DS, obtaining key from file ($n)" ret=0 -$CHECKDS -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS -f wrong.example.dnskey.db 
wrong.example >checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for partially missing DS, looking up key via 'dig' ($n)" ret=0 -$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS missing.example >checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-1.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for partially missing DS, obtaining key from file ($n)" ret=0 -$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS -f missing.example.dnskey.db missing.example >checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-1.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256.*missing' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr 
$status + $ret) echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)" ret=0 -$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` +$CHECKDS none.example >checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 && ret=1 +grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for entirely missing DS, obtaining key from file ($n)" ret=0 -$CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` +$CHECKDS -f none.example.dnskey.db none.example >checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 && ret=1 +grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking with prepared dsset file ($n)" ret=0 -$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example >checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n >/dev/null 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if [ $status = 0 ]; then $SHELL clean.sh; fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/checknames/tests.sh 
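Review bot: Throughout this checkdstool/tests.sh hunk the counters are still advanced by an external `expr` (`n=$(expr $n + 1)`, `status=$(expr $status + $ret)`), where other test scripts in the same diff use arithmetic expansion. The backticks are gone but the fork per counter update remains, and the suite now carries two spellings of the same operation. `n=$((n + 1))` and `status=$((status + ret))` would match the form already used in checkzone/tests.sh. The same mix is visible in checknames/tests.sh and in the "max ttl (map)" test of checkzone/tests.sh.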
bind9-9.16.48/bin/tests/system/checknames/tests.sh --- bind9-9.16.44/bin/tests/system/checknames/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checknames/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -19,173 +19,173 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -wait_for_record () { - $DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1 - grep NOERROR "$4" > /dev/null || return 1 - return 0 +wait_for_record() { + $DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1 + grep NOERROR "$4" >/dev/null || return 1 + return 0 } # Entry should exist. echo_i "check for failure from on zone load for 'check-names fail;' ($n)" ret=0 -$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1 -grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1 +grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) # Entry should exist. echo_i "check for warnings from on zone load for 'check-names warn;' ($n)" ret=0 -grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) # Entry should not exist. echo_i "check for warnings from on zone load for 'check-names ignore;' ($n)" ret=1 grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) # Entry should exist echo_i "check that 'check-names response warn;' works ($n)" ret=0 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1 +grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) # Entry should exist echo_i "check that 'check-names response (owner) fails;' works ($n)" ret=0 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) # Entry should exist echo_i "check that 'check-names response (rdata) fails;' works ($n)" ret=0 -$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS mx.ignore.example. 
@10.53.0.3 MX > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names fail;' are rejected ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || not=0 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || not=0 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.fail.update. 600 A 10.10.10.1 send END if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)" ret=0 -$NSUPDATE -d < nsupdate.out.test$n 2>&1|| ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.warn.update. 
600 A 10.10.10.1 send END -$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0 +grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.4 ${PORT} update add xxx_xxx.primary-ignore.update. 
600 A 10.10.10.1 send END -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.5 ${PORT} update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1 -grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1 +grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)" ret=0 # takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary) # and the zone is still loading when we get to this point. 
retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1 -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1 -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/checkzone/setup.sh bind9-9.16.48/bin/tests/system/checkzone/setup.sh --- bind9-9.16.44/bin/tests/system/checkzone/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkzone/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -17,8 +17,8 @@ ln -s $CHECKZONE named-compilezone ./named-compilezone -D -F raw -o good1.db.raw example \ - zones/good1.db > /dev/null 2>&1 + zones/good1.db >/dev/null 2>&1 ./named-compilezone -D -F map -o good1.db.map example \ - zones/good1.db > /dev/null 2>&1 + zones/good1.db >/dev/null 2>&1 copy_setports zones/bad-tsig.db.in zones/bad-tsig.db diff -Nru bind9-9.16.44/bin/tests/system/checkzone/tests.sh bind9-9.16.48/bin/tests/system/checkzone/tests.sh --- bind9-9.16.44/bin/tests/system/checkzone/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/checkzone/tests.sh 2024-02-11 11:31:39.000000000 +0000 
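Review bot: The final test in checknames/tests.sh reuses a title that no longer describes what it checks. It echoes "check that updates to 'check-names master ignore;' succeed and are not logged", the same text as an earlier block, but it waits for `xxx_xxx.primary-ignore.update` on 10.53.0.5 and greps ns5/named.run. Judging from the preceding "secondary ignore" block, this is presumably the transferred-zone counterpart, so the title should name the option that ns5 applies to that zone; this needs confirming against the ns5 configuration, which is not shown here. Separately, the "check-names ignore;" zone-load test is the only `grep` in the hunk without `>/dev/null`, so it writes matches into the test output; appending `>/dev/null` would align it with the rest.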
@@ -17,129 +17,127 @@ status=0 n=1 -for db in zones/good*.db -do - echo_i "checking $db ($n)" - ret=0 - case $db in - zones/good-gc-msdcs.db|zones/good-spf-exception.db) - $CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - zones/good-dns-sd-reverse.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1 - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - esac - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/good*.db; do + echo_i "checking $db ($n)" + ret=0 + case $db in + zones/good-gc-msdcs.db | zones/good-spf-exception.db) + $CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + zones/good-dns-sd-reverse.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1 + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + esac + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for db in zones/bad*.db -do - echo_i "checking $db ($n)" - ret=0 v=0 - case $db in - zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$? - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$? - ;; - esac - test $v = 1 || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/bad*.db; do + echo_i "checking $db ($n)" + ret=0 v=0 + case $db in + zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$? + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$? 
+ ;; + esac + test $v = 1 || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking with journal file ($n)" ret=0 -$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1 -$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1 jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l) [ $jlines = 3 ] || ret=1 -$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out1.db || ret=1 mv -f test.orig.db.jnl test.journal -$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out2.db || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with spf warnings ($n)" ret=0 -$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1 -$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1 -grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1 -grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1 +$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1 +grep "'x.example' found type SPF" 
test.out1.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1 +grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1 +grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (text) ($n)" ret=0 -$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (raw) ($n)" ret=0 -$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (map) ($n)" ret=0 -$CHECKZONE -f map -l 300 example good1.db.map > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -f map -l 600 example good1.db.map > test.out2.$n 2>&1 || ret=1 -n=`expr $n + 1` +$CHECKZONE -f map -l 300 example good1.db.map >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f map -l 600 example good1.db.map >test.out2.$n 2>&1 || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)" ret=0 -$CHECKZONE 
example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)" ret=0 -$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)" ret=0 -$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that raw zone with bad class is handled ($n)" ret=0 -$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1 +$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1 grep "failed: bad class" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" ret=0 
@@ -166,35 +164,35 @@
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-n=$((n+1))
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
 ret=0
-$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
+$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1
 grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=$((n+1))
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
 ret=0
-$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
+$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1
 grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=$((n+1))
+n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 ret=0
 echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
-$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
+$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
 lines=$(grep -c CNAME test.out.$n)
 echo $lines
 [ "$lines" -eq 1 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+status=$((status + ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff -Nru bind9-9.16.44/bin/tests/system/ckdnsrps.sh bind9-9.16.48/bin/tests/system/ckdnsrps.sh
--- bind9-9.16.44/bin/tests/system/ckdnsrps.sh 2023-09-08 12:40:48.000000000 +0000
+++
bind9-9.16.48/bin/tests/system/ckdnsrps.sh 2024-02-11 11:31:39.000000000 +0000 @@ -18,7 +18,6 @@ # Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf # and differ from dnsrpz.conf which is used by dnsrpzd. - SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
@@ -30,57 +29,64 @@ SCONF=dnsrps-slave.conf USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]" while getopts "xADM:S:" c; do - case $c in - x) set -x; DEBUG=-x;; - A) AS_NS=yes;; - D) TEST_DNSRPS=yes;; - M) MCONF="$OPTARG";; - S) SCONF="$OPTARG";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + A) AS_NS=yes ;; + D) TEST_DNSRPS=yes ;; + M) MCONF="$OPTARG" ;; + S) SCONF="$OPTARG" ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done -shift `expr $OPTIND - 1 || true` +shift $(expr $OPTIND - 1 || true) if [ "$#" -ne 0 ]; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # erase any existing conf files -cat /dev/null > $MCONF -cat /dev/null > $SCONF +cat /dev/null >$MCONF +cat /dev/null >$SCONF -add_conf () { - echo "$*" >>$MCONF - echo "$*" >>$SCONF +add_conf() { + echo "$*" >>$MCONF + echo "$*" >>$SCONF } if ! $FEATURETEST --enable-dnsrps; then - if [ -n "$TEST_DNSRPS" ]; then - add_conf "## DNSRPS disabled at compile time" - fi - add_conf "#skip" - exit 0 + if [ -n "$TEST_DNSRPS" ]; then + add_conf "## DNSRPS disabled at compile time" + fi + add_conf "#skip" + exit 0 fi if [ -z "$TEST_DNSRPS" ]; then - add_conf "## testing with native RPZ" - add_conf '#skip' - exit 0 + add_conf "## testing with native RPZ" + add_conf '#skip' + exit 0 else - add_conf "## testing with DNSRPS" + add_conf "## testing with DNSRPS" fi if [ ! -x "$DNSRPS_CMD" ]; then - add_conf "## make $DNSRPS_CMD to test DNSRPS" - add_conf '#skip' - exit 0 + add_conf "## make $DNSRPS_CMD to test DNSRPS" + add_conf '#skip' + exit 0 fi -if $DNSRPS_CMD -a >/dev/null; then : +if $DNSRPS_CMD -a >/dev/null; then + : else - add_conf "## DNSRPS provider library is not available" - add_conf '#skip' - exit 0 + add_conf "## DNSRPS provider library is not available" + add_conf '#skip' + exit 0 fi CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf 
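Review bot: `MCONF` and `SCONF` can come straight from the `-M`/`-S` arguments (`MCONF="$OPTARG"`), yet every redirection on the new side expands them unquoted: `cat /dev/null >$MCONF`, `cat /dev/null >$SCONF` and both lines of `add_conf`. Depending on the shell, a path containing whitespace or glob characters is then either rejected as an ambiguous redirect or resolved to a different file than the caller named. Quoting closes that gap: `: >"$MCONF"`, `: >"$SCONF"`, `echo "$*" >>"$MCONF"`. In the same hunk `shift $(expr $OPTIND - 1 || true)` forks `expr` for what `shift $((OPTIND - 1))` does in the shell, the form the checkzone script in this patch already uses for its counters.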
@@ -91,7 +97,7 @@ MASTER="$CMN" if [ -n "$AS_NS" ]; then - MASTER="$MASTER + MASTER="$MASTER qname-as-ns yes ip-as-ns yes" fi @@ -107,7 +113,6 @@ dnsrpzd '' }; # do not start dnsrpzd EOF - # DNSRPS is available. # The test should fail if the license is bad. add_conf "dnsrps-enable yes;" 
@@ -118,49 +123,49 @@ # try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist [ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf if [ -s $ALT_L ]; then - SRC_L=$ALT_L - USE_ALT= + SRC_L=$ALT_L + USE_ALT= else - SRC_L=../rpz/dnsrpzd-license.conf - USE_ALT="## consider installing alt-dnsrpzd-license.conf" + SRC_L=../rpz/dnsrpzd-license.conf + USE_ALT="## consider installing alt-dnsrpzd-license.conf" fi cp $SRC_L $CUR_L # parse $CUR_L for the license zone name, master IP addresses, and optional # transfer-source IP addresses -eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ - -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ - -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ - -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - $CUR_L` +eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \ + -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ + -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ + -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + $CUR_L) if [ -z "$NAME" ]; then - add_conf "## no DNSRPS tests; no license domain name in $SRC_L" - add_conf '#fail' - exit 0 + add_conf "## no DNSRPS tests; no license domain name in $SRC_L" + add_conf '#fail' + exit 0 fi if [ -z "$IPV4" ]; then - IPV4=license1.fastrpz.com - TS4= + IPV4=license1.fastrpz.com + TS4= fi if [ -z "$IPV6" ]; then - IPV6=license1.fastrpz.com - TS6= + IPV6=license1.fastrpz.com + TS6= fi # This TSIG key is common and NOT a secret 
KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' # Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems -if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 -fi -if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 +if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 +fi +if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 fi add_conf "## DNSRPS lacks a valid license via $SRC_L" diff -Nru bind9-9.16.44/bin/tests/system/cleanall.sh bind9-9.16.48/bin/tests/system/cleanall.sh --- bind9-9.16.44/bin/tests/system/cleanall.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/cleanall.sh 2024-02-11 11:31:39.000000000 +0000 @@ -18,20 +18,17 @@ SYSTEMTESTTOP=. . $SYSTEMTESTTOP/conf.sh - find . -type f \( \ - -name '*~' -o -name 'core' -o -name '*.core' \ - -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ - -o -name named.run -o -name ans.run \ - -o -name '*-valgrind-*.log' \) -print | xargs rm -f + -name '*~' -o -name 'core' -o -name '*.core' \ + -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ + -o -name named.run -o -name ans.run \) -print | xargs rm -f status=0 rm -f $SYSTEMTESTTOP/random.data -for d in $SUBDIRS -do - test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh ) - rm -f test.output.$d - test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null +for d in $SUBDIRS; do + test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh) + rm -f test.output.$d + test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null done diff -Nru bind9-9.16.44/bin/tests/system/cleanpkcs11.sh bind9-9.16.48/bin/tests/system/cleanpkcs11.sh --- bind9-9.16.44/bin/tests/system/cleanpkcs11.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/cleanpkcs11.sh 2024-02-11 11:31:39.000000000 +0000 
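Review bot: The `eval $(sed -n ... $CUR_L)` kept by this hunk executes text derived from the license file, and the first capture is looser than the others. In `'s/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p'` the unescaped `.` characters match any character, so a value outside the intended hostname alphabet can reach `eval`. Escaping them, `\([-a-z0-9]*\.license\.fastrpz\.com\)`, keeps every captured value inside a fixed character class, as the IPV4/IPV6/TS4/TS6 expressions already do. `$CUR_L` is copied from a file in the test tree, so the exposure is presumably limited to whoever can edit that file, but the tighter pattern costs nothing. The two `if $($DIG ... | grep -i "^$NAME.*TXT" >/dev/null); then` tests rely on the exit status of an empty command substitution and read more plainly as `if $DIG ... | grep -i "^$NAME.*TXT" >/dev/null; then`.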
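Review bot: `find . -type f \( ... \) -print | xargs rm -f` passes file names through xargs' whitespace and quote parsing, so a matching file whose name contains a space, quote or newline is either left behind or makes `rm` act on a different path. Letting find run the removal avoids the parsing step: replace `-print | xargs rm -f` with `-exec rm -f {} +`. In the loop `$d` is expanded unquoted in `test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null`; `"$d"` is the safer spelling. Dropping `-name '*-valgrind-*.log'` does not narrow the cleanup, since `-name '*.log'` already matches those files.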
@@ -15,4 +15,4 @@ PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }') -[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1 +[ -x "$PK11DELBIN" ] && $PK11DEL -w0 >/dev/null 2>&1 diff -Nru bind9-9.16.44/bin/tests/system/conf.sh.in bind9-9.16.48/bin/tests/system/conf.sh.in --- bind9-9.16.44/bin/tests/system/conf.sh.in 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/conf.sh.in 2024-02-11 11:31:39.000000000 +0000 @@ -33,12 +33,12 @@ export CHECKZONE=$TOP/bin/check/named-checkzone export COVERAGE=$TOP/bin/python/dnssec-coverage export DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen -if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 - export DELV=$TOP/bin/delv/delv - export RESOLVE=$TOP/bin/tests/system/resolve +if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 + export DELV=$TOP/bin/delv/delv + export RESOLVE=$TOP/bin/tests/system/resolve else - export DELV=: - export RESOLVE=: + export DELV=: + export RESOLVE=: fi export DIG=$TOP/bin/dig/dig export DNSTAPREAD=$TOP/bin/tools/dnstap-read @@ -105,8 +105,8 @@ # export PERL=@PERL@ if ! test -x "$PERL"; then - echo "Perl interpreter is required for system tests." - exit 77 + echo "Perl interpreter is required for system tests." + exit 77 fi export PYTHON=@PYTHON@ @@ -115,7 +115,6 @@ # export CRYPTO=@CRYPTO@ - # Load common values shared between windows and unix/linux. . $TOP/bin/tests/system/conf.sh.common diff -Nru bind9-9.16.44/bin/tests/system/cookie/prereq.sh bind9-9.16.48/bin/tests/system/cookie/prereq.sh --- bind9-9.16.44/bin/tests/system/cookie/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/cookie/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -16,18 +16,16 @@
 set -e
-if test -n "$PYTHON"
-then
- if $PYTHON -c "import dns" 2> /dev/null
- then
- :
- else
- echo_i "This test requires the dnspython module." >&2
- exit 1
- fi
-else
- echo_i "This test requires Python and the dnspython module." >&2
+if test -n "$PYTHON"; then
+ if $PYTHON -c "import dns" 2>/dev/null; then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
 exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
 fi
 exit 0
diff -Nru bind9-9.16.44/bin/tests/system/cookie/tests.sh bind9-9.16.48/bin/tests/system/cookie/tests.sh
--- bind9-9.16.44/bin/tests/system/cookie/tests.sh 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/cookie/tests.sh 2024-02-11 11:31:39.000000000 +0000
@@ -21,189 +21,187 @@ n=0 getcookie() { - awk '$2 == "COOKIE:" { + awk '$2 == "COOKIE:" { print $3; - }' < $1 | tr -d '\r' + }' <$1 | tr -d '\r' } fullcookie() { - awk 'BEGIN { n = 0 } + awk 'BEGIN { n = 0 } // { v[n++] = length(); } END { print (v[1] == v[2]); }' } havetc() { - grep 'flags:.* tc[^;]*;' $1 > /dev/null + grep 'flags:.* tc[^;]*;' $1 >/dev/null } -for bad in bad*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - $CHECKCONF $bad > /dev/null 2>&1 && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for bad in bad*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad >/dev/null 2>&1 && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -for good in good*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects accepts $good ($n)" - ret=0 - $CHECKCONF $good > /dev/null 2>&1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for good in good*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects accepts $good ($n)" + ret=0 + $CHECKCONF $good >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` 
+n=$(expr $n + 1) echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking COOKIE token is returned to empty COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking COOKIE is not returned when answer-cookie is false ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking response size without COOKIE ($n)" ret=0 -$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n 
havetc dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking response size without valid COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n havetc dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking response size with COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l -cookie=`getcookie dig.out.test$n.l` -$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l +cookie=$(getcookie dig.out.test$n.l) +$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking response size with COOKIE recursive ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n +$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking COOKIE is learnt for TCP retry 
($n)" ret=0 -$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 3 ]; then ret=1; fi -checkfull=`getcookie dig.out.test$n | fullcookie` +checkfull=$(getcookie dig.out.test$n | fullcookie) if [ $checkfull != 1 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking for COOKIE value in adb ($n)" ret=0 rndc_dumpdb ns1 -grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking require-server-cookie default (no) ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n -grep BADCOOKIE dig.out.test$n > /dev/null && ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n +grep BADCOOKIE dig.out.test$n >/dev/null && ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking require-server-cookie yes ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n -grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1 -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n +grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && 
ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking require-server-cookie yes with rate-limit ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 -linecount=`getcookie dig.out.test$n | wc -l` +$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 +linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "send undersized cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "send oversized for named cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) 
-n=`expr $n + 1` +n=$(expr $n + 1) echo_i "send oversized for named cookie with server requiring a good cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # # Test shared cookie-secret support. 
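Review bot: `cookie=$(getcookie dig.out.test$n.l)` in the "checking response size with COOKIE" test is never checked for being empty, although the value is reused by the recursive and both "oversized" tests as `+cookie=$cookie` and `+cookie=${cookie}00`. If the first query returns no COOKIE line, those later tests send a different option than intended and fail for a reason unrelated to what they check. The cross-server tests later in this file already guard their captures (`test -n "$ns4cookie" || ret=1`); adding `test -n "$cookie" || ret=1` right after the assignment makes the failure show up where it originates. Separately, the message in the `good*.conf` loop reads "detects accepts" and should be `echo_i "checking that named-checkconf accepts $good ($n)"`.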
@@ -222,293 +220,292 @@ # Force local address so that the client's address is the same to all servers. # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "get NS4 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns4cookie=`getcookie dig.out.test$n` +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +ns4cookie=$(getcookie dig.out.test$n) test -n "$ns4cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "get NS5 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns5cookie=`getcookie dig.out.test$n` +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +ns5cookie=$(getcookie dig.out.test$n) test -n "$ns5cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "get NS6 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -ns6cookie=`getcookie dig.out.test$n` +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +ns6cookie=$(getcookie dig.out.test$n) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS4 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.5 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS5 cookie on NS4 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.6 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "test NS6 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ 
(good)" #UDP -$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 -grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 -grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.1 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep "; 
COOKIE:" dig.out.test$n.2 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 +grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 +grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1 #TCP -$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 -grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6 -grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7 -grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.7 > 
/dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8 -grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.8 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 +grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.5 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6 +grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.6 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7 +grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8 +grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.8 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr 
$status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that spoofed response is dropped when we have a server cookie ($n)" ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 wait_for_log 5 "$msg" ns1/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)" ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # check the disabled server response nextpart 
ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2 wait_for_log 5 "$msg" ns1/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)" ret=0 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 -nextpart ns1/named.run > named.run.test$n +$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 +nextpart ns1/named.run >named.run.test$n count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i 
"failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) if $PYTHON -c ' import dns.version, sys; if dns.version.MAJOR > 1: sys.exit(0); if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0); -sys.exit(1)' -then - n=`expr $n + 1` +sys.exit(1)'; then + n=$(expr $n + 1) echo_i "check that TSIG test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ (good)" key=hmac-sha256:foo:aaaaaaaaaaaa #UDP - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 - grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 - grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 - grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. 
>dig.out.test$n.1 + grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.1 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 + grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 + grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 #TCP - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. 
> dig.out.test$n.5 - grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 - grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 - grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. 
>dig.out.test$n.5 + grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.5 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 + grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.6 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 + grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$(expr $status + $ret) - n=`expr $n + 1` + n=$(expr $n + 1) echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)" ret=0 pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state - $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1 - grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.1 tsig. 
>dig.out.test$n.1 + grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 - grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 + grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # check the disabled server response nextpart ns1/named.run >/dev/null - $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2 - grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 - nextpart ns1/named.run > named.run.test$n + $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2 + grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 + nextpart ns1/named.run >named.run.test$n count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$(expr $status + $ret) fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/coverage/setup.sh bind9-9.16.48/bin/tests/system/coverage/setup.sh --- bind9-9.16.44/bin/tests/system/coverage/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/coverage/setup.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -21,40 +21,40 @@ # Test 1: KSK goes inactive before successor is active dir=01-ksk-inactive ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) -$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1 ksk2=$($KEYGEN -q -K $dir -S $ksk1) -$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +7mo $ksk1 >/dev/null 2>&1 zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) # Test 2: ZSK goes inactive before successor is active dir=02-zsk-inactive zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) -$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) -$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +7mo $zsk1 >/dev/null 2>&1 ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 3: KSK is unpublished before its successor is published dir=03-ksk-unpublished ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) -$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1 ksk2=$($KEYGEN -q -K $dir -S $ksk1) -$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -D +6mo $ksk1 >/dev/null 2>&1 zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) # Test 4: ZSK is unpublished before its successor is published dir=04-zsk-unpublished zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) -$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) -$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -D +6mo $zsk1 >/dev/null 2>&1 ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 5: KSK deleted and successor published before KSK is deactivated # and successor activated. 
dir=05-ksk-unpub-active ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) -$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 >/dev/null 2>&1 ksk2=$($KEYGEN -q -K $dir -S $ksk1) zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) 
@@ -62,50 +62,50 @@ # and successor activated. dir=06-zsk-unpub-active zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) -$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 7: KSK rolled with insufficient delay after prepublication. dir=07-ksk-ttl ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) -$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1 ksk2=$($KEYGEN -q -K $dir -S $ksk1) # allow only 1 day between publication and activation -$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +$SETTIME -K $dir -P +269d $ksk2 >/dev/null 2>&1 zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) # Test 8: ZSK rolled with insufficient delay after prepublication. dir=08-zsk-ttl zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) -$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) # allow only 1 day between publication and activation -$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +$SETTIME -K $dir -P +269d $zsk2 >/dev/null 2>&1 ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 9: KSK goes inactive before successor is active, but checking ZSKs dir=09-check-zsk ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) -$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $ksk1 >/dev/null 2>&1 ksk2=$($KEYGEN -q -K $dir -S $ksk1) -$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +7mo $ksk1 >/dev/null 2>&1 zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) # Test 10: ZSK goes inactive before successor is active, but checking KSKs dir=10-check-ksk zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 
example.com) -$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +9mo -D +1y $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) -$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +7mo $zsk1 >/dev/null 2>&1 ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 11: ZSK goes inactive before successor is active, but after cutoff dir=11-cutoff zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) -$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +18mo -D +2y $zsk1 >/dev/null 2>&1 zsk2=$($KEYGEN -q -K $dir -S $zsk1) -$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 +$SETTIME -K $dir -I +16mo $zsk1 >/dev/null 2>&1 ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) # Test 12: Too early KSK deletion diff -Nru bind9-9.16.44/bin/tests/system/coverage/tests.sh bind9-9.16.48/bin/tests/system/coverage/tests.sh --- bind9-9.16.44/bin/tests/system/coverage/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/coverage/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -19,68 +19,68 @@ status=0 n=1 -matchall () { - file=$1 - echo "$2" | while read matchline; do - grep "$matchline" $file > /dev/null 2>&1 || { - echo "FAIL" - return - } - done +matchall() { + file=$1 + echo "$2" | while read matchline; do + grep "$matchline" $file >/dev/null 2>&1 || { + echo "FAIL" + return + } + done } echo_i "checking for DNSSEC key coverage issues" ret=0 for dir in [0-9][0-9]-*; do - ret=0 - echo_i "$dir" - args= warn= error= ok= retcode= match= zones= - . $dir/expect - $COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1 - - # check that return code matches expectations - found=$? - if [ $found -ne $retcode ]; then - echo "retcode was $found expected $retcode" - ret=1 - fi - - # check for correct number of errors - found=`grep ERROR coverage.$n | wc -l` - if [ $found -ne $error ]; then - echo "error count was $found expected $error" - ret=1 - fi - - # check for correct number of warnings - found=`grep WARNING coverage.$n | wc -l` - if [ $found -ne $warn ]; then - echo "warning count was $found expected $warn" - ret=1 - fi - - # check for correct number of OKs - found=`grep "No errors found" coverage.$n | wc -l` - if [ $found -ne $ok ]; then - echo "good count was $found expected $ok" - ret=1 - fi - - found=`matchall coverage.$n "$match"` - if [ "$found" = "FAIL" ]; then - echo "no match on '$match'" - ret=1 - fi - - found=`grep Traceback coverage.$n | wc -l` - if [ $found -ne 0 ]; then - echo "python exception detected" - ret=1 - fi - - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + ret=0 + echo_i "$dir" + args= warn= error= ok= retcode= match= zones= + . $dir/expect + $COVERAGE $args -K $dir ${zones:-example.com} >coverage.$n 2>&1 + + # check that return code matches expectations + found=$? 
+ if [ $found -ne $retcode ]; then + echo "retcode was $found expected $retcode" + ret=1 + fi + + # check for correct number of errors + found=$(grep ERROR coverage.$n | wc -l) + if [ $found -ne $error ]; then + echo "error count was $found expected $error" + ret=1 + fi + + # check for correct number of warnings + found=$(grep WARNING coverage.$n | wc -l) + if [ $found -ne $warn ]; then + echo "warning count was $found expected $warn" + ret=1 + fi + + # check for correct number of OKs + found=$(grep "No errors found" coverage.$n | wc -l) + if [ $found -ne $ok ]; then + echo "good count was $found expected $ok" + ret=1 + fi + + found=$(matchall coverage.$n "$match") + if [ "$found" = "FAIL" ]; then + echo "no match on '$match'" + ret=1 + fi + + found=$(grep Traceback coverage.$n | wc -l) + if [ $found -ne 0 ]; then + echo "python exception detected" + ret=1 + fi + + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/database/tests.sh bind9-9.16.48/bin/tests/system/database/tests.sh --- bind9-9.16.44/bin/tests/system/database/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/database/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -26,11 +26,11 @@ echo_i "checking pre reload zone ($n)" ret=0 -$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) copy_setports ns1/named2.conf.in ns1/named.conf $RNDCCMD reload 2>&1 >/dev/null 
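Review bot: The numeric checks in the `for dir in [0-9][0-9]-*` loop pass silently when an expectation is missing. The loop resets `warn= error= ok= retcode=` to empty before sourcing `$dir/expect`, so if that file leaves one of them unset, `[ $found -ne $retcode ]` is a malformed test. Its non-zero status is taken as "false" by the `if`, and `ret` stays 0. A guard placed right after `. $dir/expect` would catch this, for example `[ -n "$retcode" ] && [ -n "$error" ] && [ -n "$warn" ] && [ -n "$ok" ] || { echo "incomplete $dir/expect"; ret=1; }`. As a smaller point of style in the same loop, `grep ... | wc -l` could be `grep -c ...`.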
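Review bot: The context line `$RNDCCMD reload 2>&1 >/dev/null` at the end of this hunk does not silence stderr. Redirections apply left to right, so stderr is duplicated onto the original stdout before stdout is sent to /dev/null, and only rndc's normal output is discarded. If the intent was to silence both streams, the order should be `$RNDCCMD reload >/dev/null 2>&1`. If the intent was to keep errors visible, a short comment saying so would stop the line from being "fixed" later. The reload's exit status is not checked either, so a rejected reload only shows up indirectly, when the polling loop in the next hunk times out.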
@@ -38,18 +38,17 @@ echo_i "checking post reload zone ($n)" ret=1 try=0 -while test $try -lt 6 -do - sleep 1 - ret=0 - $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 - grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 - try=`expr $try + 1` - test $ret -eq 0 && break +while test $try -lt 6; do + sleep 1 + ret=0 + $DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1 + grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1 + try=$(expr $try + 1) + test $ret -eq 0 && break done -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dialup/tests.sh bind9-9.16.48/bin/tests/system/dialup/tests.sh --- bind9-9.16.44/bin/tests/system/dialup/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dialup/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -22,44 +22,40 @@ # Check the example. domain -$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1 +$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1 echo_i "checking that first zone transfer worked" ret=0 try=0 -while test $try -lt 120 -do - $DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1 - if grep SERVFAIL dig.out.ns2.test > /dev/null - then - try=`expr $try + 1` - sleep 1 - else - digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 - break; - fi +while test $try -lt 120; do + $DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1 + if grep SERVFAIL dig.out.ns2.test >/dev/null; then + try=$(expr $try + 1) + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 + break + fi done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking that second zone transfer worked" ret=0 try=0 -while test $try -lt 120 -do - $DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1 - if grep SERVFAIL dig.out.ns3.test > /dev/null - then - try=`expr $try + 1` - sleep 1 - else - digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 - break; - fi +while test $try -lt 120; do + $DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1 + if grep SERVFAIL dig.out.ns3.test >/dev/null; then + try=$(expr $try + 1) + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 + break + fi done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/digdelv/ns2/sign.sh bind9-9.16.48/bin/tests/system/digdelv/ns2/sign.sh --- bind9-9.16.44/bin/tests/system/digdelv/ns2/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/digdelv/ns2/sign.sh 2024-02-11 11:31:39.000000000 +0000 
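Review bot: Both `while test $try -lt 120` loops in this hunk can run out of attempts without failing the test. If every answer contains SERVFAIL, the loop only increments `try` and sleeps, so it ends with `ret` still 0 as long as dig itself exited successfully. A zone transfer that never completes is then reported as passed. Adding `[ $try -lt 120 ] || ret=1` after each `done` would turn the timeout into a failure. Separately, the `|| ret=1` on the initial ns1 query at the top of the hunk is discarded by the `ret=0` that follows it, so a failed reference query is only noticed later through `digcomp`.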
@@ -20,10 +20,10 @@ cp example.db.in example.db -"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1 +"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1 -keyfile_to_key_id "$ksk" > keyid -grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata +keyfile_to_key_id "$ksk" >keyid +grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata -keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey -keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds +keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey +keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds diff -Nru bind9-9.16.44/bin/tests/system/digdelv/prereq.sh bind9-9.16.48/bin/tests/system/digdelv/prereq.sh --- bind9-9.16.44/bin/tests/system/digdelv/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/digdelv/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -16,10 +16,9 @@ set -e -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - : +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + : else - echo_i "This test requires the Net::DNS library." >&2 - exit 1 + echo_i "This test requires the Net::DNS library." >&2 + exit 1 fi diff -Nru bind9-9.16.44/bin/tests/system/digdelv/tests.sh bind9-9.16.48/bin/tests/system/digdelv/tests.sh --- bind9-9.16.44/bin/tests/system/digdelv/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/digdelv/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -21,15 +21,15 @@ n=0 sendcmd() { - "$PERL" "$SYSTEMTESTTOP/send.pl" "${1}" "$EXTRAPORT1" + "$PERL" "$SYSTEMTESTTOP/send.pl" "${1}" "$EXTRAPORT1" } dig_with_opts() { - "$DIG" -p "$PORT" "$@" + "$DIG" -p "$PORT" "$@" } mdig_with_opts() { - "$MDIG" -p "$PORT" "$@" + "$MDIG" -p "$PORT" "$@" } # Check if response in file $1 has the correct TTL range. 
@@ -38,212 +38,211 @@ # the second word on the line. TTL position can be adjusted with # setting the position $4, but that requires updating this function. check_ttl_range() { - file=$1 - pos=$4 + file=$1 + pos=$4 - case "$pos" in + case "$pos" in "3") - awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file - ;; + awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + ;; *) - awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file - ;; - esac - - result=$? - [ $result -eq 0 ] || echo_i "ttl check failed" - return $result + awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + ;; + esac + + result=$? + [ $result -eq 0 ] || echo_i "ttl check failed" + return $result } # using delv insecure mode as not testing dnssec here delv_with_opts() { - "$DELV" +noroot -p "$PORT" "$@" + "$DELV" +noroot -p "$PORT" "$@" } KEYID="$(cat ns2/keyid)" -KEYDATA="$(< ns2/keydata sed -e 's/+/[+]/g')" -NOSPLIT="$(< ns2/keydata sed -e 's/+/[+]/g' -e 's/ //g')" +KEYDATA="$(sed /dev/null && HAS_PYYAML=1 +if [ -n "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi # # test whether ans7/ans.pl will be able to send a UPDATE response. # if it can't, we will log that below. 
# -if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1 -then - checkupdate=1 +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' >/dev/null 2>&1; then + checkupdate=1 else - checkupdate=0 + checkupdate=0 fi -if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nslookup handles UPDATE response ($n)" ret=0 - "$NSLOOKUP" -q=CNAME "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1 + "$NSLOOKUP" -q=CNAME "-port=$PORT" foo.bar 10.53.0.7 >nslookup.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" nslookup.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then +if [ -x "$HOST" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check host handles UPDATE response ($n)" ret=0 - "$HOST" -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1 + "$HOST" -t CNAME -p $PORT foo.bar 10.53.0.7 >host.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" host.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nsupdate handles UPDATE response to QUERY ($n)" ret=0 res=0 - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$? + $NSUPDATE <nsupdate.out.test$n 2>&1 || res=$? 
server 10.53.0.7 ${PORT} add x.example.com 300 in a 1.2.3.4 send EOF test $res -eq 1 || ret=1 - grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1 + grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$DIG" ] ; then +if [ -x "$DIG" ]; then - if [ $checkupdate -eq 1 ] ; then + if [ $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check dig handles UPDATE response ($n)" ret=0 - dig_with_opts @10.53.0.7 cname foo.bar > dig.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.7 cname foo.bar >dig.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "Skipped UPDATE handling test" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig short form works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 - test "$(wc -l < dig.out.test$n)" -eq 1 || ret=1 + dig_with_opts @10.53.0.3 +short a a.example >dig.out.test$n || ret=1 + test "$(wc -l dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +unknownformat works ($n)" ret=0 - dig_with_opts @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +unknownformat a a.example >dig.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 
0A000001" /dev/null || ret=1 check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig with reverse lookup works ($n)" ret=0 - dig_with_opts @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 -x 127.0.0.1 >dig.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < dig.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 86400 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig over TCP works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 a a.example >dig.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +multi 
+norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +nosplit works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1 - grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >dig.out.test$n || ret=1 + grep "$NOSPLIT" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + 
n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" dig.out.nn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1 - lcnn=$(wc -l < dig.out.nn.$n) - lcmn=$(wc -l < dig.out.mn.$n) - lcnm=$(wc -l < dig.out.nm.$n) - lcmm=$(wc -l < dig.out.mm.$n) + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti >dig.out.nn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti >dig.out.mn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi >dig.out.nm.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi >dig.out.mm.$n || ret=1 + lcnn=$(wc -l dig.out.test$n || ret=1 - grep "Got answer:" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +noheader-only A example >dig.out.test$n || ret=1 + grep "Got answer:" /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + 
grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," /dev/null || ret=1 + grep "^;; QUESTION SECTION:" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +raflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +raflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +raflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +tcflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +tcflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," /dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +header-only works 
(with class and type set) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example > dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," /dev/null || ret=1 + grep "^;; QUESTION SECTION:" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +zflag works, and that BIND properly ignores it ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1 - sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1 - sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +zflag +qr A example >dig.out.test$n || ret=1 + sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" >/dev/null || ret=1 + sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +qr +ednsopt=08 does not cause an INSIST failure ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example > dig.out.test$n || ret=1 - grep "INSIST" < dig.out.test$n > /dev/null && ret=1 - grep "FORMERR" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example >dig.out.test$n || ret=1 + grep "INSIST" /dev/null && ret=1 + grep "FORMERR" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + 
ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ttlunits works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example > dig.out.test$n || ret=1 - grep "^days.example. 3d" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example > dig.out.test$n || ret=1 - grep "^hours.example. 3h" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example > dig.out.test$n || ret=1 - grep "^minutes.example. 45m" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example > dig.out.test$n || ret=1 - grep "^seconds.example. 45s" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example >dig.out.test$n || ret=1 + grep "^days.example. 3d" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example >dig.out.test$n || ret=1 + grep "^hours.example. 3h" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example >dig.out.test$n || ret=1 + grep "^minutes.example. 45m" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example >dig.out.test$n || ret=1 + grep "^seconds.example. 45s" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig respects precedence of options with +ttlunits ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. IN" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 
3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 1814400" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. IN" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 1814400" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig preserves origin on TCP retries ($n)" ret=0 # Ask ans4 to still accept TCP connections, but not respond to queries echo "//" | sendcmd 10.53.0.4 - dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1 + dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo >dig.out.test$n 2>&1 && ret=1 test "$(grep -c "trying origin bar" dig.out.test$n)" -eq 2 || ret=1 - grep "using root origin" < dig.out.test$n > /dev/null && ret=1 + grep "using root origin" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -6 -4 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig @IPv6addr -4 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if 
testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "address family not supported" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "address family not supported" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig @IPv4addr -6 +mapped A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null && [ "$(uname -s)" != "OpenBSD" ] - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null && [ "$(uname -s)" != "OpenBSD" ]; then ret=0 - dig_with_opts +tcp @10.53.0.2 -6 +mapped A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 -6 +mapped A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 or IPv4-to-IPv6 mapping unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcp @IPv4addr -6 +nomapped A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.2 -6 +nomapped A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +notcp @IPv4addr -6 +nomapped A 
a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +notcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +notcp @10.53.0.2 -6 +nomapped A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet +subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with various prefix lengths ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24; do - dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example > dig.out.$i.test$n 2>&1 || ret=1 - case $i in - 1|9|17) 
octet=128 ;; - 2|10|18) octet=192 ;; - 3|11|19) octet=224 ;; - 4|12|20) octet=240 ;; - 5|13|21) octet=248 ;; - 6|14|22) octet=252 ;; - 7|15|23) octet=254 ;; - 8|16|24) octet=255 ;; - esac - case $i in - 1|2|3|4|5|6|7|8) addr="${octet}.0.0.0";; - 9|10|11|12|13|14|15|16) addr="255.${octet}.0.0";; - 17|18|19|20|21|22|23|24) addr="255.255.${octet}.0" ;; - esac - grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1 - grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1 - check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example >dig.out.$i.test$n 2>&1 || ret=1 + case $i in + 1 | 9 | 17) octet=128 ;; + 2 | 10 | 18) octet=192 ;; + 3 | 11 | 19) octet=224 ;; + 4 | 12 | 20) octet=240 ;; + 5 | 13 | 21) octet=248 ;; + 6 | 14 | 22) octet=252 ;; + 7 | 15 | 23) octet=254 ;; + 8 | 16 | 24) octet=255 ;; + esac + case $i in + 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8) addr="${octet}.0.0.0" ;; + 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16) addr="255.${octet}.0.0" ;; + 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24) addr="255.255.${octet}.0" ;; + esac + grep "FORMERR" /dev/null && ret=1 + grep "CLIENT-SUBNET: $addr/$i/0" /dev/null || ret=1 + check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then 
echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=::/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: ::/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: 
NOERROR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 0/0/0" /dev/null || ret=1 + grep "10.0.0.1" /dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00030000 (family=3, source=0, scope=0) ($n)" ret=0 - dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: FORMERR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 00 03 00 00" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: FORMERR" /dev/null || ret=1 + grep "CLIENT-SUBNET: 00 03 00 00" /dev/null || ret=1 test "$(grep -c "CLIENT-SUBNET: 00 03 00 00" dig.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with prefix lengths between byte boundaries ($n)" ret=0 for p in 9 10 11 12 13 14 15; do - dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1 - grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1 - grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example >dig.out.test.$p.$n 2>&1 || ret=1 + grep "FORMERR" /dev/null && ret=1 + grep "CLIENT-SUBNET.*/$p/0" /dev/null || ret=1 check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +sp works as an abbreviated form of split ($n)" ret=0 - dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >dig.out.test$n 
|| ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -c works ($n)" ret=0 - dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind > dig.out.test$n || ret=1 - grep "version.bind. 0 CH TXT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind >dig.out.test$n || ret=1 + grep "version.bind. 0 CH TXT" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +dscp ($n)" ret=0 - dig_with_opts @10.53.0.3 +dscp=32 a a.example > /dev/null 2>&1 || ret=1 - dig_with_opts @10.53.0.3 +dscp=-1 a a.example > /dev/null 2>&1 && ret=1 - dig_with_opts @10.53.0.3 +dscp=64 a a.example > /dev/null 2>&1 && ret=1 + dig_with_opts @10.53.0.3 +dscp=32 a a.example >/dev/null 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +dscp=-1 a a.example >/dev/null 2>&1 && ret=1 + dig_with_opts @10.53.0.3 +dscp=64 a a.example >/dev/null 2>&1 && ret=1 #TODO add a check to make sure dig is actually setting the dscp on the query #we might have to add better logging to named for this if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option number ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=3 a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option name ($n)" ret=0 - 
dig_with_opts @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=nsid a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking ednsopt LLQ prints as expected ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example >dig.out.test$n 2>&1 || ret=1 pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking that dig warns about .local queries ($n)" ret=0 - dig_with_opts @10.53.0.3 local soa > dig.out.test$n 2>&1 || ret=1 - grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 local soa >dig.out.test$n 2>&1 || ret=1 + grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: *$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: *$" 
dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag: ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 1, 2$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag: and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=client-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG: 1$" dig.out.test$n 
>/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=server-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG: 1$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then 
echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 0 (Other): (foo)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 24 is printed correctly ($n)" # Last defined EDE code, no additional text. - dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 24 (Invalid Data)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 25: (foo)$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE:$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 00 (".")$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 && ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". 
- dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n 2>&1 && ret=1 - grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1 + grep "ednsopt no code point specified" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i 
"check that dig gracefully handles bad escape in domain name ($n)" ret=0 digstatus=0 - dig_with_opts @10.53.0.3 '\0.' > dig.out.test$n 2>&1 || digstatus=$? - echo digstatus=$digstatus >> dig.out.test$n + dig_with_opts @10.53.0.3 '\0.' >dig.out.test$n 2>&1 || digstatus=$? + echo digstatus=$digstatus >>dig.out.test$n test $digstatus -eq 10 || ret=1 - grep REQUIRE dig.out.test$n > /dev/null && ret=1 - grep "is not a legal name (bad escape)" dig.out.test$n > /dev/null || ret=1 + grep REQUIRE dig.out.test$n >/dev/null && ret=1 + grep "is not a legal name (bad escape)" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -q -m works ($n)" ret=0 - dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1 + dig_with_opts @10.53.0.3 -q -m >dig.out.test$n 2>&1 pat='^;-m\..*IN.*A$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 - grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1 + tr -d '\r' /dev/null || ret=1 + grep "Dump of all outstanding memory allocations" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> immediate) ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
- [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> partial AXFR) ($n)" ret=0 echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> partial AXFR) ($n)" ret=0 echo "no_response partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> immediate) ($n)" ret=0 echo "partial_axfr no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
- [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> complete AXFR) ($n)" ret=0 echo "no_response complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> complete AXFR) ($n)" ret=0 echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +tries=1 won't retry twice upon TCP EOF ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=1 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. 
- [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +retry=0 won't retry twice upon TCP EOF ($n)" ret=0 - dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +retry=0 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. - [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1 + [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +noexpandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig default for +[no]expandaaa 
(+noexpandaaaa) works ($n)" ret=0 - dig_with_opts @10.53.0.3 AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +short +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$' - tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check dig +yaml output ($n)" ret=0 - dig_with_opts +qr +yaml @10.53.0.3 any ns2.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +qr +yaml @10.53.0.3 any ns2.example >dig.out.test$n 2>&1 || ret=1 value=$($PYTHON yamlget.py dig.out.test$n 0 message query_message_data status || ret=1) [ "$value" = "NOERROR" ] || ret=1 value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data status || ret=1) 
@@ -943,401 +938,399 @@ value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 || ret=1) [ "$value" = "ns2.example. IN ANY" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check dig +yaml output of an IPv6 address ending in zeroes ($n)" ret=0 - dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value dig.out.test$n || ret=1 - grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1 - grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.6 +unexpected a a.example >dig.out.test$n || ret=1 + grep 'reply from unexpected source' dig.out.test$n >/dev/null || ret=1 + grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +nounexpected works ($n)" ret=0 - dig_with_opts @10.53.0.6 +nounexpected +tries=1 +time=2 a a.example > dig.out.test$n && ret=1 - grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.6 +nounexpected +tries=1 +time=2 a a.example >dig.out.test$n && ret=1 + grep 'reply from unexpected source' dig.out.test$n >/dev/null || ret=1 + grep "status: NOERROR" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig default for +[no]unexpected 
(+nounexpected) works ($n)" ret=0 - dig_with_opts @10.53.0.6 +tries=1 +time=2 a a.example > dig.out.test$n && ret=1 - grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.6 +tries=1 +time=2 a a.example >dig.out.test$n && ret=1 + grep 'reply from unexpected source' dig.out.test$n >/dev/null || ret=1 + grep "status: NOERROR" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize=0 disables EDNS ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr > dig.out.test$n 2>&1 || ret=1 - grep "EDNS:" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr >dig.out.test$n 2>&1 || ret=1 + grep "EDNS:" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize=0 +edns sends EDNS with bufsize of 0 ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +edns +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +edns +qr >dig.out.test$n 2>&1 || ret=1 pat='EDNS:.* udp: 0$' - tr -d '\r' < dig.out.test$n | grep -E "$pat" > /dev/null || ret=1 + tr -d '\r' /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize restores default bufsize ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1 - lines1232=`grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l` - lines4096=`grep "EDNS:.* udp: 4096" dig.out.test$n | wc -l` + dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr >dig.out.test$n 2>&1 || ret=1 + lines1232=$(grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l) + lines4096=$(grep "EDNS:.* 
udp: 4096" dig.out.test$n | wc -l) test $lines1232 -eq 1 || ret=1 test $lines4096 -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig without -u displays 'Query time' in millseconds ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* msec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u displays 'Query time' in microseconds ($n)" ret=0 - dig_with_opts -u @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* usec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +yaml without -u displays timestamps in milliseconds ($n)" ret=0 - dig_with_opts +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u +yaml displays timestamps in microseconds ($n)" ret=0 - dig_with_opts -u +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\.......Z' 
dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "$DIG is needed, so skipping these dig tests" fi -if [ -x "$MDIG" ] ; then - n=$((n+1)) +if [ -x "$MDIG" ]; then + n=$((n + 1)) echo_i "check that mdig handles malformed option '+ednsopt=:' gracefully ($n)" ret=0 - mdig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1 - grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1 + mdig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1 + grep "ednsopt no code point specified" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" < dig.out.test$n > /dev/null && ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" /dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check mdig +yaml output ($n)" ret=0 - mdig_with_opts +yaml @10.53.0.3 -t any ns2.example > dig.out.test$n || ret=1 + 
mdig_with_opts +yaml @10.53.0.3 -t any ns2.example >dig.out.test$n || ret=1 value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data status || ret=1) [ "$value" = "NOERROR" ] || ret=1 value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 || ret=1) [ "$value" = "ns2.example. IN ANY" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi else echo_i "$MDIG is needed, so skipping these mdig tests" fi -if [ -x "$DELV" ] ; then - n=$((n+1)) +if [ -x "$DELV" ]; then + n=$((n + 1)) echo_i "checking delv short form works ($n)" ret=0 - delv_with_opts @10.53.0.3 +short a a.example > delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 +short a a.example >delv.out.test$n || ret=1 + test "$(wc -l delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +unknownformat works ($n)" ret=0 - delv_with_opts @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +unknownformat a a.example >delv.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" /dev/null || ret=1 check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -4 -6 ($n)" ret=0 - delv_with_opts @10.53.0.3 -4 -6 A a.example > delv.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < delv.out.test$n > /dev/null || 
ret=1 + delv_with_opts @10.53.0.3 -4 -6 A a.example >delv.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv6 on IPv4 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv4 overrides earlier @IPv6 above # and -6 forces IPv6 so this should fail, with a message # "Use of IPv4 disabled by -6" - delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example >delv.out.test$n 2>&1 && ret=1 # it should have no results but error output - grep "testing" < delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv4 disabled by -6" delv.out.test$n > /dev/null || ret=1 + grep "testing" /dev/null && ret=1 + grep "Use of IPv4 disabled by -6" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv4 on IPv6 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv6 overrides earlier @IPv4 above # and -4 forces IPv4 so this should fail, with a message # "Use of IPv6 disabled by -4" - delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example >delv.out.test$n 2>&1 && ret=1 # it should have no results but error output - grep "testing" delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv6 disabled by -4" delv.out.test$n > /dev/null || ret=1 + grep "testing" 
delv.out.test$n >/dev/null && ret=1 + grep "Use of IPv6 disabled by -4" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with reverse lookup works ($n)" ret=0 - delv_with_opts @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1 + delv_with_opts @10.53.0.3 -x 127.0.0.1 >delv.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < delv.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." /dev/null || ret=1 check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv over TCP works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 a a.example >delv.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null && ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for SOA 
(when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null && ret=1 check_ttl_range delv.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1 + delv_with_opts +tcp 
@10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" delv.out.test$n || ret=1 - grep -q "$NOSPLIT" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT" delv.out.test$n || ret=1 - grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT\$" delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " /dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +sh works as an abbriviated form of short ($n)" ret=0 - delv_with_opts @10.53.0.3 +sh a a.example > delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 +sh a a.example >delv.out.test$n || ret=1 + test "$(wc -l delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c IN -t a a.example >delv.out.test$n || ret=1 + grep "a.example." /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -c CH is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." 
< delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv H is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." /dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -q -m works ($n)" ret=0 - delv_with_opts @10.53.0.3 -q -m > delv.out.test$n 2>&1 || ret=1 - grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1 - grep "^add " delv.out.test$n > /dev/null && ret=1 - grep "^del " delv.out.test$n > /dev/null && ret=1 + delv_with_opts @10.53.0.3 -q -m >delv.out.test$n 2>&1 || ret=1 + grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n >/dev/null || ret=1 + grep "^add " delv.out.test$n >/dev/null && ret=1 + grep "^del " delv.out.test$n >/dev/null && ret=1 check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -t ANY works ($n)" ret=0 - delv_with_opts @10.53.0.3 -t ANY example > delv.out.test$n 2>&1 || ret=1 - grep "^example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -t ANY example >delv.out.test$n 2>&1 || ret=1 + grep "^example." 
/dev/null || ret=1 check_ttl_range delv.out.test$n NS 300 || ret=1 check_ttl_range delv.out.test$n SOA 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads key-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads DS-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check delv +yaml output ($n)" ret=0 - delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1 + delv_with_opts +yaml @10.53.0.3 any ns2.example >delv.out.test$n || ret=1 value=$($PYTHON yamlget.py delv.out.test$n status || ret=1) [ "$value" = "success" ] || ret=1 value=$($PYTHON yamlget.py delv.out.test$n query_name || ret=1) [ "$value" = "ns2.example" ] || ret=1 value=$($PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 || ret=1) - count=$(echo $value | wc -w ) + count=$(echo $value | wc -w) [ ${count:-0} -eq 5 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - 
status=$((status+ret)) + status=$((status + ret)) fi else echo_i "$DELV is needed, so skipping these delv tests" diff -Nru bind9-9.16.44/bin/tests/system/dlz/prereq.sh bind9-9.16.48/bin/tests/system/dlz/prereq.sh --- bind9-9.16.44/bin/tests/system/dlz/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dlz/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -15,7 +15,7 @@ . $SYSTEMTESTTOP/conf.sh if ! $FEATURETEST --with-dlz-filesystem; then - echo_i "DLZ filesystem driver not supported" - exit 255 + echo_i "DLZ filesystem driver not supported" + exit 255 fi exit 0 diff -Nru bind9-9.16.44/bin/tests/system/dlz/tests.sh bind9-9.16.48/bin/tests/system/dlz/tests.sh --- bind9-9.16.44/bin/tests/system/dlz/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dlz/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -26,52 +26,52 @@ echo_i "checking DNAME at apex works ($n)" ret=0 $DIG $DIGOPTS +norec foo.example.com. \ - @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` + @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n >/dev/null || ret=1 +grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking DLZ IXFR=2010062899 (less than serial) ($n)" ret=0 -$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all >dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null || ret=1 +grep "example.com..*10.IN.NS.example.com." 
dig.out.ns1.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking DLZ IXFR=2010062900 (equal serial) ($n)" ret=0 -$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 -grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all >dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null && ret=1 +grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking DLZ IXFR=2010062901 (greater than serial) ($n)" ret=0 -$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all > dig.out.ns1.test$n -grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 -grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all >dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n >/dev/null && ret=1 +grep "example.com..*10.IN.NS.example.com." 
dig.out.ns1.test$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking DLZ with a malformed SOA record" ret=0 -$DIG $DIGOPTS broken.com type600 @10.53.0.1 > dig.out.ns1.test$n -grep status: dig.out.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS broken.com type600 @10.53.0.1 >dig.out.ns1.test$n +grep status: dig.out.ns1.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dlzexternal/prereq.sh bind9-9.16.48/bin/tests/system/dlzexternal/prereq.sh --- bind9-9.16.44/bin/tests/system/dlzexternal/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dlzexternal/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -14,14 +14,14 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -$FEATURETEST --have-dlopen || { - echo_i "dlopen() not supported - skipping dlzexternal test" - exit 255 +$FEATURETEST --have-dlopen || { + echo_i "dlopen() not supported - skipping dlzexternal test" + exit 255 } $FEATURETEST --tsan && { - echo_i "TSAN - skipping dlzexternal test" - exit 255 + echo_i "TSAN - skipping dlzexternal test" + exit 255 } exit 0 diff -Nru bind9-9.16.44/bin/tests/system/dlzexternal/setup.sh bind9-9.16.48/bin/tests/system/dlzexternal/setup.sh --- bind9-9.16.44/bin/tests/system/dlzexternal/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dlzexternal/setup.sh 2024-02-11 11:31:39.000000000 +0000 
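Review bot: The rewritten counter updates `n=$(expr $n + 1)` and `status=$(expr $status + $ret)` still start an external `expr` process for every check, whereas digdelv/tests.sh in this same diff uses arithmetic expansion. Writing them as `n=$((n + 1))` and `status=$((status + ret))` would keep the suite consistent and avoid passing unquoted variables as command arguments. The same applies to the dlzexternal/tests.sh and dns64/tests.sh hunks. Separately, the "checking DLZ with a malformed SOA record" message is the only one in this hunk without the `($n)` suffix, although its output goes to `dig.out.ns1.test$n`; appending ` ($n)` would let a failure be matched to its output file.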
@@ -14,6 +14,6 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -$DDNSCONFGEN -q -z example.nil > ns1/ddns.key +$DDNSCONFGEN -q -z example.nil >ns1/ddns.key copy_setports ns1/named.conf.in ns1/named.conf diff -Nru bind9-9.16.44/bin/tests/system/dlzexternal/tests.sh bind9-9.16.48/bin/tests/system/dlzexternal/tests.sh --- bind9-9.16.44/bin/tests/system/dlzexternal/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dlzexternal/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -21,210 +21,210 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=`expr $n + 1` - echo_i "${1} (${n})" - ret=0 + n=$(expr $n + 1) + echo_i "${1} (${n})" + ret=0 } test_update() { - host="$1" - type="$2" - cmd="$3" - digout="$4" - should_fail="$5" + host="$1" + type="$2" + cmd="$3" + digout="$4" + should_fail="$5" - cat < ns1/update.txt + cat <ns1/update.txt server 10.53.0.1 ${PORT} update add $host $cmd send EOF - newtest "testing update for $host $type $cmd${comment:+ }$comment" - $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed for $host $type $cmd" - return 1 - } - - out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^$host"` - lines=`echo "$out" | grep "$digout" | wc -l` - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - return 0 + newtest "testing update for $host $type $cmd${comment:+ }$comment" + $NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed for $host $type $cmd" + return 1 + } + + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host") + lines=$(echo "$out" | grep "$digout" | wc -l) + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 } test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_update testdc3.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_update deny.example.nil. 
TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing nxrrset" -$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1 -status=`expr $status + $ret` +$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1 +status=$(expr $status + $ret) newtest "testing prerequisites are checked correctly" -cat > ns1/update.txt << EOF +cat >ns1/update.txt < /dev/null 2>&1 && ret=1 -out=`$DIG $DIGOPTS +short a testdc3.example.nil` +$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1 +out=$($DIG $DIGOPTS +short a testdc3.example.nil) [ "$out" = "10.53.0.12" ] && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing passing client info into DLZ driver" -out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'` -addr=`eval echo "$out" | cut -f1 -d'#'` +out=$($DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;') +addr=$(eval echo "$out" | cut -f1 -d'#') [ "$addr" = "10.53.0.1" ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing DLZ driver is cleaned up on reload" rndc_reload ns1 10.53.0.1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing multiple DLZ drivers" test_update testdc1.alternate.nil. 
A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing AXFR from DLZ drivers" -$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n -lines=`cat dig.out.example.ns1.test$n | wc -l` +$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n +lines=$(cat dig.out.example.ns1.test$n | wc -l) [ ${lines:-0} -eq 4 ] || ret=1 -$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n -lines=`cat dig.out.alternate.ns1.test$n | wc -l` +$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n +lines=$(cat dig.out.alternate.ns1.test$n | wc -l) [ ${lines:-0} -eq 5 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing AXFR denied from DLZ drivers" -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n -grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n -grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n +grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n +grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing AXFR denied based on view ACL" # 10.53.0.1 should be disallowed -$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 -grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1 +grep "; Transfer failed" 
dig.out.example.ns1.test$n.1 >/dev/null || ret=1 # 10.53.0.2 should be allowed -$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 -grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2 +grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing unsearched/unregistered DLZ zone is not found" -$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n -grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n +grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n -grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n +grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n -grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n +grep "3600.IN.NS.zone.nil." 
dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing correct behavior with findzone returning ISC_R_NOMORE" -$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database -lines=`grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -lines=`grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing findzone can return different results per client" -$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database -lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1 # we should find several logged lookups this time -lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -gt 2 ] || ret=1 -lines=`grep 
"dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l) [ $lines -gt 2 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing zone returning oversized data" -$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "testing zone returning oversized data at zone origin" -$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "checking redirected lookup for nonexistent name" -$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "checking no redirected lookup for nonexistent type" -$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" 
dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "checking redirected lookup for a long nonexistent name" -$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 -lookups=`grep "lookup #.*\.not\.there" ns1/named.run | wc -l` +$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1 +lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l) [ "$lookups" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "checking ECS data is passed to driver in clientinfo" -$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1 -grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1 -grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1 +grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1 +$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1 +grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i 
"failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dns64/ns1/sign.sh bind9-9.16.48/bin/tests/system/dns64/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/dns64/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dns64/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -21,6 +21,6 @@ key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone) key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null diff -Nru bind9-9.16.44/bin/tests/system/dns64/tests.sh bind9-9.16.48/bin/tests/system/dns64/tests.sh --- bind9-9.16.44/bin/tests/system/dns64/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dns64/tests.sh 2024-02-11 11:31:39.000000000 +0000 
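Review bot: In the "testing passing client info into DLZ driver" check, the new line `addr=$(eval echo "$out" | cut -f1 -d'#')` still passes the text of a DNS TXT answer through `eval`, so the shell interprets whatever the record contains; the commit only changes the command-substitution syntax around it. The `eval` appears to be there just to strip the quotes dig prints around TXT data, which `addr=$(echo "$out" | tr -d '"' | cut -f1 -d'#')` would do without treating the answer as shell code. In `test_update`, `grep -E "^$host"` uses the host name as an unescaped regex, so its dots match any character; `grep -F` on the name, or escaping the dots, would make the match exact. The "testing unsearched/registered DLZ zone is found" block also appears twice with identical commands, so presumably one copy was meant to cover a different case.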
@@ -21,1386 +21,1382 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -for conf in conf/good*.conf -do - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for conf in conf/good*.conf; do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -for conf in conf/bad*.conf -do - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for conf in conf/bad*.conf; do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done # Check the example. domain echo_i "checking non-excluded AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS excluded-only.example. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded AAAA and non-mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA and mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)" ret=0 -$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS a-and-mapped.example. 
@10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1 -grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::4" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::ffff:1.2.3.4" dig.out.ns2.test$n >/dev/null && ret=1 +grep "::ffff:1.2.3.5" dig.out.ns2.test$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking default exclude acl works with AAAA only ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking default exclude acl A only lookup works ($n)" ret=0 -$DIG $DIGOPTS a-only.example. 
@10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially excluded only AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-bad-a.example.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA lookup works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-excluded AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-good-a.example.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-and-aaaa.example.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA via CNAME lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Check the example. domain recursive only
 echo_i "checking non-excluded AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS partially-excluded-good-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-and-aaaa.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS non-existent.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-bad-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:304" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example."
dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Check the example. domain recursive only w/o recursion
 echo_i "checking non-excluded AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec aaaa-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec excluded-bad-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec partially-excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec partially-excluded-good-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-and-aaaa.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec non-existent.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-excluded-good-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-only.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-and-aaaa.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-mx-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)"
 ret=0
-$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Check the example. domain from non client
 echo_i "checking non-excluded AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-bad-a.example.
@10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-mx-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)"
 ret=0
-$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 # Check the signed. domain
 echo_i "checking non-excluded AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS excluded-good-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking AAAA only lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A only lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking A and AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-and-aaaa.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-mapped A lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking NODATA AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
-grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1
+n=$(expr $n + 1)
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$(expr $status + $ret)
 echo_i "checking non-existent AAAA lookup is signed zone works ($n)"
 ret=0
-$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
+$DIG $DIGOPTS non-existent.signed.
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-excluded-bad-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A only via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.signed." 
dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Check the signed. domain echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec aaaa-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec excluded-bad-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A only lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec mx-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null && ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-mx-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking reverse mapping ($n)" ret=0 -$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -list=`$DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort` -for a in $list -do - ret=0 - echo_i "checking reverse mapping of $a ($n)" - $DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1 - grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." 
dig.out.ns2.test$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$(expr $status + $ret) + +list=$($DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort) +for a in $list; do + ret=0 + echo_i "checking reverse mapping of $a ($n)" + $DIG $DIGOPTS -x $a @10.53.0.2 >dig.out.ns2.test$n || ret=1 + grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." dig.out.ns2.test$n >/dev/null || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -rev=`$ARPANAME 2001:aaaa::10.0.0.1` +rev=$($ARPANAME 2001:aaaa::10.0.0.1) regex='..\(.*.IP6.ARPA\)' -rev=`expr "${rev}" : "${regex}"` -fin=`expr "${rev}" : "............${regex}"` -while test "${rev}" != "${fin}" -do - ret=0 - echo_i "checking $rev ($n)" - $DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1 - grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 - grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - rev=`expr "${rev}" : "${regex}"` +rev=$(expr "${rev}" : "${regex}") +fin=$(expr "${rev}" : "............${regex}") +while test "${rev}" != "${fin}"; do + ret=0 + echo_i "checking $rev ($n)" + $DIG $DIGOPTS $rev ptr @10.53.0.2 >dig.out.ns2.test$n || ret=1 + grep -i "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 + grep -i "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 + n=$(expr $n + 1) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + rev=$(expr "${rev}" : "${regex}") done echo_i "checking dns64-server and dns64-contact ($n)" ret=0 -$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa 
@10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` +$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n >/dev/null || ret=1 +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL less than 600 from zone ($n)" ret=0 #expect 500 -$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL more than 600 from zone ($n)" ret=0 #expect 700 -$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL less than minimum from zone ($n)" ret=0 #expect 1100 -$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL limited to minimum from zone ($n)" 
ret=0 #expect 1200 -$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL less than 600 via cache ($n)" ret=0 #expect 500 -$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL more than 600 via cache ($n)" ret=0 #expect 700 -$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL less than minimum via cache ($n)" ret=0 #expect 1100 -$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TTL 
limited to minimum via cache ($n)" ret=0 #expect 1200 -$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking synthesis of AAAA from RPZ-remapped A ($n)" ret=0 -$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$(expr $n + 1) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns1/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/dnssec/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -20,9 +20,9 @@ infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL sign.sh ) -(cd ../ns6 && $SHELL sign.sh ) -(cd ../ns7 && $SHELL sign.sh ) +(cd ../ns2 && $SHELL sign.sh) +(cd ../ns6 && $SHELL sign.sh) +(cd ../ns7 && $SHELL sign.sh) echo_i "ns1/sign.sh" 
@@ -30,18 +30,18 @@ cp "../ns2/dsset-in-addr.arpa$TP" . cp "../ns2/dsset-too-many-iterations$TP" . -grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP" +grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" >"dsset-algroll$TP" cp "../ns6/dsset-optout-tld$TP" . ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a staitc key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -49,14 +49,14 @@ cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf -keyfile_to_trusted_keys "$ksk" > trusted.keys +keyfile_to_trusted_keys "$ksk" >trusted.keys # ...or with an initializing key. -keyfile_to_initial_ds "$ksk" > managed.conf +keyfile_to_initial_ds "$ksk" >managed.conf cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyfile_to_key_id "$ksk" > managed.key.id +keyfile_to_key_id "$ksk" >managed.key.id diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns2/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns2/sign.sh --- bind9-9.16.44/bin/tests/system/dnssec/ns2/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/ns2/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -17,15 +17,14 @@ set -e # Sign child zones (served by ns3). -( cd ../ns3 && $SHELL sign.sh ) +(cd ../ns3 && $SHELL sign.sh) echo_i "ns2/sign.sh" # Get the DS records for the "trusted." and "managed." zones. -for subdomain in secure unsupported disabled enabled -do - cp "../ns3/dsset-$subdomain.managed$TP" . - cp "../ns3/dsset-$subdomain.trusted$TP" . +for subdomain in secure unsupported disabled enabled; do + cp "../ns3/dsset-$subdomain.managed$TP" . + cp "../ns3/dsset-$subdomain.trusted$TP" . done # Sign the "trusted." and "managed." zones. @@ -36,9 +35,9 @@ keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,9 +46,9 @@ keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # The "example." zone. zone=example. 
@@ -58,23 +57,22 @@ # Get the DS records for the "example." zone. for subdomain in secure badds bogus dynamic keyless nsec3 optout \ - nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ - kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ - ttlpatch split-dnssec split-smart expired expiring upper lower \ - dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ - dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded -do - cp "../ns3/dsset-$subdomain.example$TP" . + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ + dname-at-apex-nsec3 occluded; do + cp "../ns3/dsset-$subdomain.example$TP" . done # Sign the "example." zone. keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -82,9 +80,9 @@ # zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 -"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | -tr -d '\r' | -awk ' +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | tr -d '\r' \ + | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { if (i <= 12) { 
@@ -123,7 +121,7 @@ next; } -{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" +{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" # # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. @@ -135,8 +133,8 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # Sign the badparam secure file @@ -147,11 +145,11 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 -sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" +sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad" # Sign the single-nsec3 secure zone with optout 
@@ -162,9 +160,9 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -180,9 +178,9 @@ keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" +cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile" -"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new 
@@ -190,7 +188,7 @@ # zone=nsec3chain-test zonefile=nsec3chain-test.db -cat > "$zonefile" << EOF +cat >"$zonefile" <> "$zonefile" + echo "host$i 10 IN NS ns.elsewhere" + i=$((i + 1)) +done >>"$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +cat "$key1.key" "$key2.key" >>"$zonefile" +"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in zonefile=cds.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in 
@@ -223,43 +221,43 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key2.key" > "$key2.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$DSFROMKEY" -C "$key2.key" >"$key2.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile" +"$SIGNER" -P -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in zonefile=cds-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cds-kskonly.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in zonefile=cds-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" 
+$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=cdnskey.secure infile=cdnskey.secure.db.in zonefile=cdnskey.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in 
@@ -267,34 +265,34 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile" +"$SIGNER" -P -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in zonefile=cdnskey-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in zonefile=cdnskey-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync 
now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=updatecheck-kskonly.secure infile=template.secure.db.in @@ -302,14 +300,14 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") # Save key id's for checking active key usage -keyfile_to_key_id "$key1" > $zone.ksk.id -keyfile_to_key_id "$key2" > $zone.zsk.id -echo "${key1}" > $zone.ksk.key -echo "${key2}" > $zone.zsk.key +keyfile_to_key_id "$key1" >$zone.ksk.id +keyfile_to_key_id "$key2" >$zone.zsk.id +echo "${key1}" >$zone.ksk.key +echo "${key2}" >$zone.zsk.key # Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile" # Don't sign, let auto-dnssec maintain do it. mv $zonefile "$zonefile.signed" @@ -318,8 +316,8 @@ zonefile=hours-vs-days.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" # # Negative result from this zone should come back as insecure. 
@@ -329,5 +327,5 @@
 zonefile=too-many-iterations.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
-"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns3/secure.example.db.in bind9-9.16.48/bin/tests/system/dnssec/ns3/secure.example.db.in
--- bind9-9.16.44/bin/tests/system/dnssec/ns3/secure.example.db.in 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/dnssec/ns3/secure.example.db.in 2024-02-11 11:31:39.000000000 +0000
@@ -47,3 +47,8 @@
 cnameandkey CNAME @
 cnamenokey CNAME @
 dnameandkey DNAME @
+
+mixedcase A 10.0.0.30
+mixedCASE TXT "mixed case"
+MIXEDcase AAAA 2002::
+mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns3/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns3/sign.sh
--- bind9-9.16.44/bin/tests/system/dnssec/ns3/sign.sh 2023-09-08 12:40:48.000000000 +0000
+++ bind9-9.16.48/bin/tests/system/dnssec/ns3/sign.sh 2024-02-11 11:31:39.000000000 +0000
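Review bot: The four records added at the end of secure.example.db.in (hunk `@@ -47,3 +47,8 @@`) have no comment, and their owner names differ only in letter case, which DNS treats as one name, so a later reader may take them for a copy-paste slip and normalise them. A zone-file comment above them would prevent that, for example `; same owner name in four casings, one record type each -- the casing is deliberate`. Which test depends on these records is not visible in this hunk, so the comment should name it once that is confirmed.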
@@ -19,61 +19,60 @@ echo_i "ns3/sign.sh" infile=key.db.in -for tld in managed trusted -do - # A secure zone to test. - zone=secure.${tld} - zonefile=${zone}.db - - keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that matches disabled algorithm. - zone=disabled.${tld} - zonefile=${zone}.db - - keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that has disabled algorithm for other domain. - zone=enabled.${tld} - zonefile=${zone}.db - - keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor with unsupported algorithm. - zone=unsupported.${tld} - zonefile=${zone}.db - - keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null - awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed - - # Make trusted-keys and managed keys conf sections for ns8. - mv ${keyname4}.key ${keyname4}.tmp - awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key - - # Zone to test trust anchor that is revoked. 
- zone=revoked.${tld} - zonefile=${zone}.db - - keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - case $tld in - "managed") - keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf - ;; - "trusted") - keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf - ;; - esac +for tld in managed trusted; do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname1.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that matches disabled algorithm. + zone=disabled.${tld} + zonefile=${zone}.db + + keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname2.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that has disabled algorithm for other domain. + zone=enabled.${tld} + zonefile=${zone}.db + + keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname3.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor with unsupported algorithm. 
+ zone=unsupported.${tld} + zonefile=${zone}.db + + keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname4.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed + + # Make trusted-keys and managed keys conf sections for ns8. + mv ${keyname4}.key ${keyname4}.tmp + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key + + # Zone to test trust anchor that is revoked. + zone=revoked.${tld} + zonefile=${zone}.db + + keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname5.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + case $tld in + "managed") + keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf + ;; + "trusted") + keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf + ;; + esac done echo_i "ns3/sign.sh: example zones" @@ -86,9 +85,11 @@ dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" +cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null +cat "$zonefile" "$zonefile".signed >"$zonefile".tmp +mv "$zonefile".tmp "$zonefile".signed zone=bogus.example. infile=bogus.example.db.in 
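Review bot: In the `@@ -86,9 +85,11 @@` hunk of ns3/sign.sh the two lines added after the signer call run unconditionally and write to a fixed `"$zonefile".tmp`, so if the signer or `cat` fails, `mv` can still install an incomplete file as `"$zonefile".signed`; whether this script runs under `set -e` is not visible here. Chaining the steps, as other temporary-file rewrites in these scripts already do, removes the doubt: `cat "$zonefile" "$zonefile".signed >"$zonefile".tmp && mv "$zonefile".tmp "$zonefile".signed`. The switch to `-D` is also unexplained, and a one-line comment such as `# -D emits only the generated DNSSEC records; prepend the unsigned zone to get a complete signed file` would record the intent. The change presumably exists to keep the mixed-case owner names added to secure.example.db.in as written, but that is an inference from the neighbouring hunk.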
@@ -96,9 +97,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,9 +108,9 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,16 +118,16 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # Change the signer field of the a.b.keyless.example RRSIG A # to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" -<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" +"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed" rm -f "$zonefiletmp" # @@ -138,9 +139,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # NSEC3/NSEC3 test zone 
@@ -151,9 +152,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -164,9 +165,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout). @@ -177,9 +178,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC test zone @@ -190,9 +191,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -203,9 +204,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/OPTOUT test zone @@ -216,9 +217,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone. 
@@ -229,9 +230,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,9 +243,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,9 +256,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" >/dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,14 +270,14 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}${TP}" -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone that is signed with an unsupported DNSKEY algorithm (3). 
@@ -288,14 +289,14 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}${TP}" -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone with a published unsupported DNSKEY algorithm (Reserved). @@ -308,9 +309,9 @@ ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). 
@@ -322,14 +323,14 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}${TP}" -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A multiple parameter nsec3 zone. @@ -340,19 +341,19 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -u3 - -o "$zone" "$zonefile" >/dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" >/dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" >/dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" >/dev/null mv "$zonefile".signed "$zonefile" -"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" >/dev/null # # A RSASHA256 zone. 
@@ -363,9 +364,9 @@ keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A RSASHA512 zone. @@ -376,9 +377,9 @@ keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A zone with the DNSKEY set only signed by the KSK @@ -389,8 +390,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null # # A zone with the expired signatures @@ -401,8 +402,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null rm -f "$kskname.*" "$zskname.*" # @@ -414,8 +415,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC signed zone that will have auto-dnssec enabled and 
@@ -429,8 +430,8 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -444,8 +445,8 @@ zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # Secure below cname test zone. @@ -454,8 +455,8 @@ infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Patched TTL test zone. 
@@ -467,11 +468,11 @@ patchedfile=ttlpatch.example.db.patched keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null -$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ - awk '{$2 = "3600"; print}' > $patchedfile +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null +$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \ + | awk '{$2 = "3600"; print}' >$patchedfile # # Separate DNSSEC records. @@ -482,10 +483,10 @@ signedfile=split-dnssec.example.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null # # Separate DNSSEC records smart signing. @@ -498,9 +499,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cp "$infile" "$zonefile" # shellcheck disable=SC2016 -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, but no private key to replace them 
@@ -512,7 +513,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null mv -f "${zskname}.private" "${zskname}.private.moved" mv -f "${kskname}.private" "${kskname}.private.moved" @@ -527,9 +528,9 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null -$CHECKZONE -D upper.example $lower 2>/dev/null | \ - sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null \ + | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile # # Check that the signer's name is in lower case when zone name is in @@ -542,7 +543,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, and dynamic, but configured 
@@ -555,11 +556,11 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null # preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \ + | sed 's/[ ][ ]*/ /g' >../nosign.before # # An inline signing zone @@ -580,7 +581,7 @@ kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null # # A zone which will change its sig-validity-interval @@ -602,10 +603,10 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null +sed -e 's/bogus/badds/g' dsset-badds.example$TP # # A zone with future signatures. 
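Review bot: The added `sed` line in the `@@ -602,10 +603,10 @@` hunk reads, as printed here, `sed -e 's/bogus/badds/g' dsset-badds.example$TP`, with neither the `<` input from `dsset-bogus.example$TP` nor the `>` output redirect that the removed line had. Every other change in this hunk only closes the space after a redirection operator, so this is probably the page swallowing `<dsset-bogus.example$TP >` as markup rather than a real edit, but it should be confirmed against the shipped 9.16.48 file. Taken literally, the command would use `dsset-badds.example$TP` as its input and write only to stdout, so the DS set for the badds zone would not be produced by this line. That would presumably weaken the negative validation case that relies on it. The expected line is `sed -e 's/bogus/badds/g' <dsset-bogus.example$TP >dsset-badds.example$TP`.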
@@ -615,8 +616,8 @@ zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null cp -f "$kskname.key" trusted-future.key # @@ -627,8 +628,8 @@ zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null # # A zone with a revoked key @@ -642,8 +643,8 @@ ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") -cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -655,7 +656,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC zone with occuded data at the delegation 
@@ -667,7 +668,7 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") -$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" +$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}$TP" cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ - "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns5/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns5/sign.sh --- bind9-9.16.44/bin/tests/system/dnssec/ns5/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/ns5/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -25,15 +25,15 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") # copy the KSK out first, then revoke it -keyfile_to_initial_ds "$keyname" > revoked.conf +keyfile_to_initial_ds "$keyname" >revoked.conf -"$SETTIME" -R now "${keyname}.key" > /dev/null +"$SETTIME" -R now "${keyname}.key" >/dev/null # create a current set of keys, and sign the root zone -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null -"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1 +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null +"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns6/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns6/sign.sh --- bind9-9.16.44/bin/tests/system/dnssec/ns6/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/ns6/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -24,6 +24,6 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1 diff -Nru bind9-9.16.44/bin/tests/system/dnssec/ns7/sign.sh bind9-9.16.48/bin/tests/system/dnssec/ns7/sign.sh --- bind9-9.16.44/bin/tests/system/dnssec/ns7/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/ns7/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -25,7 +25,7 @@ k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$k1.key" "$k2.key" > "$zonefile" +cat "$infile" "$k1.key" "$k2.key" >"$zonefile" # The awk script below achieves two goals: # @@ -37,8 +37,8 @@ # - it places a copy of one of the RRSIG(SOA) records somewhere else than at the # zone apex; the test then checks whether such signatures are automatically # removed from the zone after it is loaded. -"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 awk 'BEGIN { r = ""; } $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } { print } - END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed" + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff -Nru bind9-9.16.44/bin/tests/system/dnssec/prereq.sh bind9-9.16.48/bin/tests/system/dnssec/prereq.sh --- bind9-9.16.44/bin/tests/system/dnssec/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -16,30 +16,26 @@ set -e -if test -n "$PYTHON" -then - if $PYTHON -c "import dns" 2> /dev/null - then - : - else - echo_i "This test requires the dnspython module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if $PYTHON -c "import dns" 2>/dev/null; then + : + else + echo_i "This test requires the dnspython module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi -if "$PERL" -e 'use Net::DNS;' 2>/dev/null -then - # shellcheck disable=SC2016 - if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null - then - : - else - echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2 - exit 1 - fi +if "$PERL" -e 'use Net::DNS;' 2>/dev/null; then + # shellcheck disable=SC2016 + if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null; then + : + else + echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2 + exit 1 + fi fi exit 0 diff -Nru bind9-9.16.44/bin/tests/system/dnssec/setup.sh bind9-9.16.48/bin/tests/system/dnssec/setup.sh --- bind9-9.16.44/bin/tests/system/dnssec/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/setup.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -32,21 +32,21 @@ copy_setports ns9/named.conf.in ns9/named.conf ( - cd ns1 - $SHELL sign.sh - { - echo "a.bogus.example. A 10.0.0.22" - echo "b.bogus.example. A 10.0.0.23" - echo "c.bogus.example. A 10.0.0.23" - } >>../ns3/bogus.example.db.signed + cd ns1 + $SHELL sign.sh + { + echo "a.bogus.example. A 10.0.0.22" + echo "b.bogus.example. A 10.0.0.23" + echo "c.bogus.example. A 10.0.0.23" + } >>../ns3/bogus.example.db.signed ) ( - cd ns3 - cp -f siginterval1.conf siginterval.conf + cd ns3 + cp -f siginterval1.conf siginterval.conf ) ( - cd ns5 - $SHELL sign.sh + cd ns5 + $SHELL sign.sh ) diff -Nru bind9-9.16.44/bin/tests/system/dnssec/tests.sh bind9-9.16.48/bin/tests/system/dnssec/tests.sh --- bind9-9.16.44/bin/tests/system/dnssec/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnssec/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -23,41 +23,41 @@ rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } dig_with_additionalopts() { - "$DIG" +noall +additional +dnssec -p "$PORT" "$@" + "$DIG" +noall +additional +dnssec -p "$PORT" "$@" } dig_with_answeropts() { - "$DIG" +noall +answer +dnssec -p "$PORT" "$@" + "$DIG" +noall +answer +dnssec -p "$PORT" "$@" } delv_with_opts() { - "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" + "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" } rndccmd() { - "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" } # TODO: Move loadkeys_on to conf.sh.common dnssec_loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run > /dev/null - rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run >/dev/null + rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 } # convert private-type records to readable form -showprivate () { - echo "-- $* --" - dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' | - while read -r record; do - # shellcheck disable=SC2016 - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $* --" + dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' \ + | while read -r record; do + # shellcheck disable=SC2016 + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; 
@@ -65,42 +65,42 @@ my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' "$record" - done + done } # check that signing records are marked as complete -checkprivate () { - for i in 1 2 3 4 5 6 7 8 9 10; do - showprivate "$@" | grep -q incomplete || return 0 - sleep 1 - done - echo_d "$1 signing incomplete" - return 1 +checkprivate() { + for i in 1 2 3 4 5 6 7 8 9 10; do + showprivate "$@" | grep -q incomplete || return 0 + sleep 1 + done + echo_d "$1 signing incomplete" + return 1 } # check that a zone file is raw format, version 0 -israw0 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw0() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 0);' - return $? + return $? } # check that a zone file is raw format, version 1 -israw1 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw1() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 1);' - return $? + return $? } # strip NS and RRSIG NS from input -stripns () { - awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" +stripns() { + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" } # @@ -109,14 +109,14 @@ # "Negative trust anchors:". # Ensure there is not a blank line before "Secure roots:". # -check_secroots_layout () { - tr -d '\r' < "$1" | \ - awk '$0 == "" { if (empty) exit(1); empty=1; next } +check_secroots_layout() { + tr -d '\r' <"$1" \ + | awk '$0 == "" { if (empty) exit(1); empty=1; next } /Start view/ { if (!empty) exit(1) } /Secure roots:/ { if (empty) exit(1) } /Negative trust anchors:/ { if (!empty) exit(1) } { empty=0 }' - return $? + return $? } # Check that for a query against a validating resolver where the 
@@ -124,781 +124,803 @@ # in the additional section echo_i "checking that additional glue is returned for unsigned delegation ($n)" ret=0 -$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check the example. domain echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +adflag asks for authentication (ad in response) echo_i "checking AD bit asking for validation ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +noadflag echo_i "checking that AD is not set without +adflag or +dnssec ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for AD in authoritative answer ($n)" ret=0 -dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 -grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1 -grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1 -grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - ret=0 - echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" - "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 +grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1 +grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" 
+status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + ret=0 + echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" + "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) SP="[[:space:]]+" -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation NSEC ($n)" ret=0 -dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 -grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 - grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 - grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1 + grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation OPTOUT ($n)" ret=0 dig_with_opts a.wild.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts a.wild.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 - grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi +echo_i "checking RRSIG covered type in negative cache entry ($n)" +ret=0 +rndc_dumpdb ns4 +grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.nsec3.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 dig_with_opts +noauth q.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. 
\ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC ($n)" ret=0 -dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts b.wild.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. 
@10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation OPTOUT ($n)" ret=0 dig_with_opts b.wild.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts b.wild.optout.example. 
\ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Check the insecure.example domain echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 - grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof NSEC3 ($n)" ret=0 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 - grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof OPTOUT ($n)" ret=0 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 - grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.example. 
a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" ret=0 dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.nsec3.example. 
a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" ret=0 dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.optout.example. 
a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" ret=0 dig_with_opts r.insecure.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.example. 
soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" ret=0 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" ret=0 dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.optout.example. 
soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the secure.example domain echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "checking mixed-case positive validation ($n)" +ret=0 +for type in a txt aaaa loc; do + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1 + dig_with_opts +noauth mixedcase.secure.example. 
\ + @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1 + digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1 + grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1 + grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1 +done +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.nsec3.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the bogus domain echo_i "checking failed validation ($n)" ret=0 -dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking failed validation using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dig_with_opts a.bogus.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking failed validation using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Try validating with a bad trusted key. 
@@ -906,69 +928,69 @@ echo_i "checking that validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" ret=0 -dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation fails when key record is missing ($n)" ret=0 -dig_with_opts a.b.keyless.example. 
a @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation fails when key record is missing using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation fails when key record is missing using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking that validation succeeds when a revoked key is encountered ($n)" ret=0 -dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 - grep "fully validated" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags: .* ad" 
dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1 + grep "fully validated" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="a.example. 10.0.0.1" @@ -976,16 +998,16 @@ test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="example. a.example. 
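Review bot: The rejection checks in this hunk match the bare word anywhere in the dig output (`grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1`), while the positive checks elsewhere on this page pin the header field with `status: NOERROR`. These assertions are what show the validator refusing answers under a misconfigured trusted key or a missing key record, so I would anchor them the same way: `grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1`. The same applies to the ns4 SERVFAIL checks here, to the bare `grep "NOERROR"` in the revoked-key check, and to the two `grep "SERVFAIL"` lines after the +CD requeries in the following hunk (`@@ -976,16 +998,16 @@`).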
@@ -994,437 +1016,436 @@ test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the insecure.secure.example domain (insecurity proof) echo_i "checking 2-server insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check a negative response in insecure.secure.example echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts q.insecure.secure.example. 
@10.53.0.4 a >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" ret=0 -dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the query for a security root is successful and has ad set echo_i "checking security root query ($n)" ret=0 -dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . 
@10.53.0.4 key >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the setting the cd bit works echo_i "checking cd bit on a positive answer ($n)" ret=0 dig_with_opts +noauth example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative answer ($n)" ret=0 -dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +dig_with_opts +cdflag q.example. 
soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking insecurity proof works using negative cache ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -do - dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1 - if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then - break - fi - sleep 1 +dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do + dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1 + if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then + break + fi + sleep 1 done grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" ret=0 -dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a query that should fail ($n)" ret=0 dig_with_opts a.bogus.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag a.bogus.example. 
soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on an insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative insecurity proof ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag q.insecure.example. 
a @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query works ($n)" ret=0 -dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.4 >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # 2 records in the zone, 1 NXT, 3 SIGs -grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname1.example. 
txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # the CNAME & its sig, the TXT and its SIG -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. # It would be nice to test that the CNAME is being synthesized by the # recursive server and not cached, but I don't know how. -grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname2.example. 
any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The CNAME, NXT, and their SIGs -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that lookups succeed after disabling an algorithm ($n)" ret=0 dig_with_opts +noauth example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth example. SOA @10.53.0.6 \ - > dig.out.ns6.test$n || ret=1 + >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NODATA works ($n)" ret=0 dig_with_opts +noauth a.nosoa.secure.example. 
txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NXDOMAIN works ($n)" ret=0 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can load a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can transfer a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. 
SOA @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "basic dnssec-signzone checks:" echo_ic "two DNSKEYs ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one non-KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. 
test4.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "four DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, both private keys missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. 
test8.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) get_default_algorithm_key_ids_from_sigs() { - zone=$1 + zone=$1 - tr -d '\r' < signer/$zone.db.signed | \ - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + tr -d '\r' /dev/null -$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null -$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null -$SETTIME -P now -A now+1d $zsk2.key > /dev/null -# Sign the zone with initial keys and prepublish successor. The zone signatures -# are valid for 30 days and the DNSKEY signature is valid for 60 days. -cp -f $zone.db.in $zone.db -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null -echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db + cd signer || exit 1 + # Set times such that the current set of keys are introduced 60 days ago and + # start signing now. 
The successor key is prepublished now and will be active + # next day. + $SETTIME -P now-60d -A now $ksk >/dev/null + $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null + $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null + $SETTIME -P now -A now+1d $zsk2.key >/dev/null + # Sign the zone with initial keys and prepublish successor. The zone signatures + # are valid for 30 days and the DNSKEY signature is valid for 60 days. + cp -f $zone.db.in $zone.db + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null + echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# Roll the ZSK. The predecessor is inactive from now on and the successor is -# activated. The zone signatures are valid for 30 days and the DNSKEY -# signature is valid for 60 days. Because of the predecessor/successor -# relationship, the signatures of the predecessor are retained and no new -# signatures with the successor should be generated. -$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null -$SETTIME -A now $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # Roll the ZSK. The predecessor is inactive from now on and the successor is + # activated. The zone signatures are valid for 30 days and the DNSKEY + # signature is valid for 60 days. 
Because of the predecessor/successor + # relationship, the signatures of the predecessor are retained and no new + # signatures with the successor should be generated. + $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null + $SETTIME -A now $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# After some time the signatures should be replaced. When signing, set the -# interval to 30 days plus one second, meaning all predecessor signatures -# are within the refresh interval and should be replaced with successor -# signatures. -$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null -$SETTIME -A now-20d $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # After some time the signatures should be replaced. When signing, set the + # interval to 30 days plus one second, meaning all predecessor signatures + # are within the refresh interval and should be replaced with successor + # signatures. 
+ $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null + $SETTIME -A now-20d $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" ret=0 
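Review bot: The negative dnssec-signzone checks in this hunk pass whenever `signed.zone` is absent afterwards, whatever the reason. In "check that dnssec-signzone rejects excessive NSEC3 iterations" the subshell ends in `test -f signed.zone ) && ret=1`, only stdout is redirected to `signer.out.$n`, and nothing inspects the diagnostic. The unsupported-algorithm checks further down the page capture `2>&1` and grep for the expected message, and the iteration cap deserves the same. Redirect with `>signer.out.$n 2>&1` and add, before `n=$((n + 1))`, `grep -q "<expected iterations diagnostic>" signer/general/signer.out.$n || ret=1` (placeholder; the exact message is not shown on this page). The `-H 150` companion narrows this for test9.zone, but the test2/test3/test7/test8 checks have no such counterpart. Part of this hunk's text is lost in this rendering around `get_default_algorithm_key_ids_from_sigs`, so the note covers only the intact lines.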
@@ -1513,40 +1534,40 @@ # If dnssec-keygen fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-keygen unexpectedly # succeeds, by using "&& ret=1". -$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1 +$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" ret=0 zone=example # Fake an unsupported algorithm key unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key # If dnssec-dsfromkey fails, the test script will exit immediately. Prevent # that from happening, and also trigger a test failure if dnssec-dsfromkey # unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" ret=0 ret=0 -cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db +cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db # If dnssec-signzone fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-signzone # unexpectedly succeeds, by using "&& ret=1". 
-$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone with out-of-zone records ($n)" ret=0 @@ -1554,13 +1575,13 @@ key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db example.db >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" ret=0 @@ -1568,10 +1589,10 @@ key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) 
@@ -1579,13 +1600,13 @@ printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 @@ -1593,11 +1614,11 @@ key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example3.db -echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) 
@@ -1605,13 +1626,13 @@ printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" ret=0 @@ -1619,16 +1640,16 @@ key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null -sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null ) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1 -n=$((n+1)) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 
@@ -1639,160 +1660,160 @@ key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid3=$(keyfile_to_key_id "$key3") ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null - -# now switch out key2 for key3 and resign the zone -cat example.db.in "$key1.key" "$key3.key" > example.db -echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps 
valid signatures from inactive keys ($n)" ret=0 zone=example ( -cd signer || exit 1 -cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null -echo "\$INCLUDE \"example.db.signed\"" >> example.db -# now retire key2 and resign the zone -$SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -SDQ -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 -$SIGNER -Sxt -o example -f example.db.signed 
example.db.signed > signer.out.2 + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1+retain1)) ] || ret=1 +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 [ "$gen2" -eq 0 ] || ret=1 [ "$drop2" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" ret=0 ( -cd signer || exit 1 -# remove NSEC-only keys -rm -f Kexample.+005* -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" ret=0 ( -cd signer || exit 1 -rm -f example2.db.signed -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. 
IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone output format ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null -$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null -$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null ) || ret=1 awk 'BEGIN { found = 0; } $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } 
@@ -1803,46 +1824,46 @@ israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( -cd signer || exit 1 -TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null + cd signer || exit 1 + TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null ) || ret=1 # shellcheck disable=SC2016 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) [ "$now" -eq "$serial" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validated data are not cached longer than originalttl ($n)" ret=0 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 -grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +ttl +noauth a.ttlpatch.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1 +grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test that "rndc secroots" is able to dump trusted keys echo_i "checking rndc secroots ($n)" @@ -1853,27 +1874,27 @@ check_secroots_layout named.secroots.test$n || ret=1 linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 -linecount=$(< named.secroots.test$n wc -l) +linecount=$(wc /dev/null || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a >/dev/null || ret=1 ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1 +expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A') || ret=1 test "$ans" = "$expect" || ret=1 # also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. 
@@ -1882,70 +1903,70 @@ ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 test -z "$ans" || ret=1 # also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT21868 regression test. # echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT22007 regression test. # echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec delegation.single-nsec3. 
@10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" ret=0 -dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" ret=0 -dig_with_opts ns algroll. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validate-except in an insecure local domain ($n)" ret=0 -dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts ns www.corp @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 
@@ -1953,16 +1974,16 @@ # # check correct initial behavior # -dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -1972,48 +1993,48 @@ rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i # reconfig should maintain NTAs rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +lines=$(wc -l &1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i # reload should maintain NTAs rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=$(wc -l < rndc.out.ns4.test$n.2) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 +lines=$(wc -l dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 +dig_with_opts a.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 +dig_with_opts a.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 echo_i "dumping secroots" rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 +grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "waiting for NTA rechecks/expirations" 
@@ -2027,18 +2048,18 @@ # # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 +dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 +dig_with_opts b.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -2049,22 +2070,22 @@ # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check nta table -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) [ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 +dig_with_opts c.secure.example. 
a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # 
@@ -2073,87 +2094,87 @@ # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 +dig_with_opts d.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 +dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 # check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) [ "$lines" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "testing NTA removals ($n)" rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 -grep "^a.badds.example." 
dig.out.ns4.test$n.1 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 +grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 +grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 +dig_with_opts a.badds.example. 
a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 +rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 +grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA with bogus lifetimes ($n)" echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 
|| true +grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check NTA persistence across restarts # -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) [ "$lines" -eq 0 ] || ret=1 rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) [ "$lines" -eq 2 ] || ret=1 # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "killing ns4 with SIGTERM" @@ -2169,12 +2190,12 @@ $PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" 
@@ -2186,37 +2207,37 @@ # startup (as it had already expired), the fact that it's ignored should # be logged. # -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=$(wc -l < rndc.out.ns4.test$n.3) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +lines=$(wc -l /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 +grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 +rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "regular" attribute in NTA file works as expected at named # startup. 
# -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" $KILL -TERM "$(cat ns4/named.pid)" @@ -2229,18 +2250,18 @@ # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the regular attribute and some future timestamp. # -future="$(($(date +%Y)+20))0101010000" -echo "secure.example. regular $future" > ns4/_default.nta +future="$(($(date +%Y) + 20))0101010000" +echo "secure.example. regular $future" >ns4/_default.nta # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, so at t=12 the NTAs for 
@@ -2251,30 +2272,30 @@ # secure.example. should now return an AD=1 answer (still validates) as # the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "forced" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" $KILL -TERM "$(cat ns4/named.pid)" 
@@ -2287,16 +2308,16 @@ # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the forced attribute and some future timestamp. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, but even at t=12 the NTAs for @@ -2307,21 +2328,21 @@ # secure.example. should now return an AD=0 answer (non-authenticated) # as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check that NTA lifetime read from file is clamped to 1 week. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" 
@@ -2335,16 +2356,16 @@ # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with a lifetime well into the future. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta added=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" 
@@ -2352,83 +2373,81 @@ # dump the NTA to a file (omit validate-except entries) echo_i "testing 'rndc nta'" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # omitted. only "secure.example" should be in the dump at this point. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1) +grep 'secure.example' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +ts=$(awk '{print $3" "$4}' rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 -echo "added=$added" >> rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null -then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >> rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 +echo "ts=$ts" >rndc.out.ns4.test$n.2 +echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 +echo "added=$added" >>rndc.out.ns4.test$n.2 +if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then + # ntadiff.pl computes $ts_with_zone - ($added + 1week) + d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") + echo "d=$d" >>rndc.out.ns4.test$n.2 + # diff from $added(now) + 1week to the clamped NTA lifetime should be + # less than a few seconds (handle daylight saving changes by adding 3600). 
+ [ "$d" -lt 3610 ] || ret=1 else - echo_i "skipped ntadiff test; install PERL module Time::Piece" + echo_i "skipped ntadiff test; install PERL module Time::Piece" fi # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" ret=0 # Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.1 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 # Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 +grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 # Remove the NTA, expecting that to cause resolution to fail again. 
-rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "completed NTA tests" # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - echo_i "running DNSSEC update test" - ret=0 - output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) - test "$?" -eq 0 || ret=1 - echo "$output" | cat_i - [ $ret -eq 1 ] && status=1 +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + echo_i "running DNSSEC update test" + ret=0 + output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) + test "$?" -eq 0 || ret=1 + echo "$output" | cat_i + [ $ret -eq 1 ] && status=1 else - echo_i "The DNSSEC update test requires the Net::DNS library." >&2 + echo_i "The DNSSEC update test requires the Net::DNS library." 
>&2 fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking managed key maintenance has not started yet ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. 
@@ -2443,133 +2462,133 @@ echo_i "checking managed key maintenance timer has now started ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. 
\ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking negative validation ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that root DS queries validate ($n)" ret=0 -dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 -dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1 +dig_with_opts +noauth . 
@10.53.0.4 ds >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" ret=0 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 -grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 +grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures do not validate ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. 
+dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 -kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) -( -echo zone update-nsec3.example -echo server 10.53.0.3 "$PORT" -grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' -echo send -) | $NSUPDATE + cd ns3 || exit 1 + kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) + ( + echo zone update-nsec3.example + echo server 10.53.0.3 "$PORT" + grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' + echo send + ) | $NSUPDATE ) -dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec.example. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 
@@ -2578,177 +2597,177 @@
 checkprivate auto-nsec3.example 10.53.0.3 || ret=1
 checkprivate expiring.example 10.53.0.3 || ret=1
 checkprivate auto-nsec.example 10.53.0.3 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing' without arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -list' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -clear all' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param none >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-n=$((n+1))
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - >/dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- if [ "$salt" = "FFFF" ]; then
- break;
- fi
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "FFFF" ]; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" = "FFFF" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- if [ "$salt" = "-" ]; then
- break;
- fi
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "-" ]; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" = "-" ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
 ret=0
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- [ -n "$salt" ] && [ "$salt" != "-" ] && break
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ -n "$salt" ] && [ "$salt" != "-" ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" != "-" ] || ret=1
 [ "${#salt}" -eq 16 ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
 ret=0
 oldsalt=$salt
-rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
-rndccmd 10.53.0.3 status > /dev/null || ret=1
-for i in 1 2 3 4 5 6 7 8 9 10 ; do
- salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
- [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
- echo_i "sleeping ...."
- sleep 1
-done;
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status >/dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done
 [ "$salt" != "$oldsalt" ] || ret=1
 [ "${#salt}" -eq 16 ] || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check rndc signing -list output ($n)"
 ret=0
-{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1
+{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out; } 2>&1
 grep -q "No signing records found" signing.out || {
- ret=1
- sed 's/^/ns3 /' signing.out | cat_i
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
 }
-{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+{ rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1
 grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || {
- ret=1
- sed 's/^/ns3 /' signing.out | cat_i
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
 }
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "clear signing records ($n)"
-{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1
+{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example >/dev/null; } 2>&1 || ret=1
 check_no_signing_record_found() {
- { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+ { rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1
 grep -q "No signing records found" signing.out || {
 sed 's/^/ns3 /' signing.out | cat_i
 return 1
@@ -2756,110 +2775,105 @@
 return 0
 }
 retry_quiet 5 check_no_signing_record_found || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that a insecure zone beneath a cname resolves ($n)"
 ret=0
-dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "checking that a secure zone beneath a cname resolves ($n)"
 ret=0
-dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 my_dig() {
- "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
+ "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
 }
 echo_i "checking DNSKEY query with no data still gets put in cache ($n)"
 ret=0
-firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
 sleep 1
-secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
-if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]
-then
- sleep 1
- thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }')
- if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]
- then
- echo_i "cannot confirm query answer still in cache"
- ret=1
- fi
+secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
+if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then
+ sleep 1
+ thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }')
+ if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then
+ echo_i "cannot confirm query answer still in cache"
+ ret=1
+ fi
 fi
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that a split dnssec dnssec-signzone work ($n)"
 ret=0
-dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that a smart split dnssec dnssec-signzone work ($n)"
 ret=0
-dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
-grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
 ret=0
 (
-echo zone nsec3chain-test
-echo server 10.53.0.2 "$PORT"
-echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
-echo send
+ echo zone nsec3chain-test
+ echo server 10.53.0.2 "$PORT"
+ echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
+ echo send
 ) | $NSUPDATE
-for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
-do
- dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
- if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
- then
- break;
- fi
- echo_i "sleeping ...."
- sleep 3
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+ dig_with_opts nsec3param nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1
+ if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null; then
+ break
+ fi
+ echo_i "sleeping ...."
+ sleep 3
 done
-grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null || ret=1
 if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi
-dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1
 s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n)
-for i in 1 2 3 4 5 6 7 8 9 10
-do
- dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
- s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
- test "$s2" = "$s3" && break
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 >dig.out.ns3.test$n || ret=1
+ s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
+ test "$s2" = "$s3" && break
+ sleep 1
 done
 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
-dig_with_opts dnskey algroll. @10.53.0.2 | \
- $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+dig_with_opts dnskey algroll. @10.53.0.2 \
+ | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1
 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
 [ "${NF}" = 7 ] || ret=1
 # make canonical
@@ -2867,16 +2881,16 @@ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < dig.out.ns2.test$n > canonical1.$n || ret=1 +}' canonical1.$n || ret=1 awk '{ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < ns1/dsset-algroll$TP > canonical2.$n || ret=1 -$DIFF -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) +}' canonical2.$n || ret=1 +$DIFF -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Intentionally strip ".key" from keyfile name to ensure the error message # includes it anyway to avoid confusion (RT #21731) 
@@ -2884,157 +2898,157 @@ ret=0 key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1 mv "$key.key" "$key" -$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1 -grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1 -n=$((n+1)) +$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-dsfromkey with revoked key ($n)" ret=0 -dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK -grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK -grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK +dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK +grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK +grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 -$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1 -test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1 -n=$((n+1)) +$DSFROMKEY -f dig.out.ns4.test$n revkey.example. 
>dsfromkey.out.test$n || ret=1 +test $(wc -l dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >dig.out.ns3.test$n 2>&1 # there must be a signature here [ -s dig.out.ns3.test$n ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing new records are signed with 'no-resign' ($n)" ret=0 ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add new.nosign.example 300 in txt "hi there" -echo send + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add new.nosign.example 300 in txt "hi there" + echo send ) | $NSUPDATE sleep 1 dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 -grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n 2>&1 +grep RRSIG dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" ret=0 -dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \ - grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 \ + | grep RRSIG | sed 's/[ ][ ]*/ /g' >dig.out.ns3.test$n 2>&1 # the NS RRSIG should not be changed -$DIFF nosign.before dig.out.ns3.test$n > /dev/null|| ret=1 -n=$((n+1)) +$DIFF nosign.before dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates fail with no private key ($n)" ret=0 rm -f ns3/Knosign.example.*.private ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add fail.nosign.example 300 in txt "reject me" -echo send -) | $NSUPDATE > /dev/null 2>&1 && ret=1 + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add 
fail.nosign.example 300 in txt "reject me" + echo send +) | $NSUPDATE >/dev/null 2>&1 && ret=1 dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 + >dig.out.ns3.test$n 2>&1 [ -s dig.out.ns3.test$n ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing legacy upper case signer name validation ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing that we lower case signer name ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* lower\\.example\\. 
" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time ($n)" ret=0 rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i ( -cd ns3 || exit 1 -for file in K*.moved; do - mv "$file" "$(basename "$file" .moved)" -done -$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null + cd ns3 || exit 1 + for file in K*.moved; do + mv "$file" "$(basename "$file" .moved)" + done + $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null ) || ret=1 rndc_reload ns3 10.53.0.3 expiring.example rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "${ttl}" -eq 300 ] || ret=1 + [ "${ttl}" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "${ttl}" -le 60 ] || ret=1 + [ "${ttl}" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 
!= ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) copy_setports ns4/named3.conf.in ns4/named.conf rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i 
@@ -3043,205 +3057,202 @@
 echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-0}; do
- [ "$ttl" -eq 300 ] || ret=1
+ [ "$ttl" -eq 300 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -eq 120 ] || ret=1
+ [ "$ttl" -eq 120 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
 ret=0
-dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_answeropts +cd expired.example soa @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-0}; do
- [ "$ttl" -eq 300 ] || ret=1
+ [ "$ttl" -eq 300 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -eq 120 ] || ret=1
+ [ "$ttl" -eq 120 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
-dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n
 ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
 ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
 for ttl in ${ttls:-300}; do
- [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
 done
 for ttl in ${ttls2:-0}; do
- [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
+ [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing DNSKEY lookup via CNAME ($n)"
 ret=0
 dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing KEY lookup at CNAME (present) ($n)"
 ret=0
 dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 key >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth cnameandkey.secure.example. \
- @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 key >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing KEY lookup at CNAME (not present) ($n)"
 ret=0
 dig_with_opts +noauth cnamenokey.secure.example. \
- @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 key >dig.out.ns3.test$n || ret=1
 dig_with_opts +noauth cnamenokey.secure.example. \
- @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 key >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing DNSKEY lookup via DNAME ($n)"
 ret=0
 dig_with_opts a.dnameandkey.secure.example. \
- @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1
 dig_with_opts a.dnameandkey.secure.example. \
- @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
-grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "testing KEY lookup via DNAME ($n)"
 ret=0
 dig_with_opts b.dnameandkey.secure.example. \
- @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+ @10.53.0.3 key >dig.out.ns3.test$n || ret=1
 dig_with_opts b.dnameandkey.secure.example. \
- @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+ @10.53.0.4 key >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that named doesn't loop when all private keys are not available ($n)"
 ret=0
 lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true)
 test "${lines:-1000}" -lt 15 || ret=1
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check against against missing nearest provable proof ($n)"
 dig_with_opts +norec b.c.d.optout-tld. \
- @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
+ @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1
 nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true)
 [ "$nsec3" -eq 2 ] || ret=1
 dig_with_opts +norec b.c.d.optout-tld. \
- @10.53.0.6 A > dig.out.ns6.test$n || ret=1
+ @10.53.0.6 A >dig.out.ns6.test$n || ret=1
 nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true)
 [ "$nsec3" -eq 1 ] || ret=1
 dig_with_opts optout-tld. \
- @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
+ @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1
 dig_with_opts b.c.d.optout-tld. \
- @10.53.0.4 A > dig.out.ns4.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
-n=$((n+1))
+ @10.53.0.4 A >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check that key id are logged when dumping the cache ($n)"
 ret=0
 rndc_dumpdb ns4
-grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1
-n=$((n+1))
+grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check KEYDATA records are printed in human readable form in key zone ($n)"
 # force the managed-keys zone to be written out
 rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i
-for i in 1 2 3 4 5 6 7 8 9
-do
- ret=0
- if test -f ns4/managed-keys.bind
- then
- grep KEYDATA ns4/managed-keys.bind > /dev/null &&
- grep "next refresh:" ns4/managed-keys.bind > /dev/null &&
- break
- fi
- ret=1
- sleep 1
+for i in 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ if test -f ns4/managed-keys.bind; then
+ grep KEYDATA ns4/managed-keys.bind >/dev/null \
+ && grep "next refresh:" ns4/managed-keys.bind >/dev/null \
+ && break
+ fi
+ ret=1
+ sleep 1
 done
-n=$((n+1))
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check dig's +nocrypto flag ($n)"
 ret=0
 dig_with_opts +norec +nocrypto DNSKEY . \
- @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
-grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
-grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+ @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1
+grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
+grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1
 dig_with_opts +norec +nocrypto DS example \
- @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
-grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1
-n=$((n+1))
+ @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1
+grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1
+n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
 ret=0
 cnt=0
-while :
-do
-dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
-keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
-test "$keys" -gt 2 && break
-cnt=$((cnt+1))
-test "$cnt" -gt 120 && break
-sleep 1
+while :; do
+ dig_with_opts publish-inactive.example @10.53.0.3 dnskey >dig.out.ns3.test$n
+ keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
+ test "$keys" -gt 2 && break
+ cnt=$((cnt + 1))
+ test "$cnt" -gt 120 && break
+ sleep 1
 done
 test "$keys" -gt 2 || ret=1
 sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
-n=$((n+1))
+n=$((n + 1))
 test "$sigs" -eq 2 || ret=1
-if test "$ret" -ne 0 ; then echo_i "failed"; fi
-status=$((status+ret))
+if test "$ret" -ne 0; then echo_i "failed"; fi
+status=$((status + ret))
 echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
 ret=0
@@ -3250,41 +3261,44 @@ rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i i=10 while [ "$i" -ge 0 ]; do -after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) -test "$before" != "$after" && break -sleep 1 -i=$((i-1)) + after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) + test "$before" != "$after" && break + sleep 1 + i=$((i - 1)) done -n=$((n+1)) -if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +n=$((n + 1)) +if test "$before" = "$after"; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" - ret=0 - rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i - # convert expiry date to a comma-separated list of integers python can - # use as input to date(). strip leading 0s in months and days so - # python3 will recognize them as integers. - $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $PYTHON > python.out.$n <&1 | sed 's/^/ns3 /' | cat_i + # convert expiry date to a comma-separated list of integers python can + # use as input to date(). strip leading 0s in months and days so + # python3 will recognize them as integers. 
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n + soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n + dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $PYTHON >python.out.$n < dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 + @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.1.test$n >/dev/null && ret=1 dig_with_opts ns secure.example \ - @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the acceptance of seconds as inception and expiration times ($n)" ret=0 @@ -3311,14 +3325,14 @@ out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//') [ "$out" = "$exp" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 rndccmd 10.53.0.3 \ - zonestatus secure.example > rndc.out.ns3.test$n + zonestatus secure.example >rndc.out.ns3.test$n # next resign node: secure.example/DNSKEY qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') 
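Review bot: In the `@@ -3250,41 +3261,44 @@` hunk the re-indented polling loop can pass without ever observing a new signature. If the AXFR fails or returns no RRSIG SOA, `after` is empty, `test "$before" != "$after"` breaks out at once, and the closing `if test "$before" = "$after"` never sets `ret=1`. Requiring a non-empty result closes the gap: `test -n "$after" && test "$before" != "$after" && break` inside the loop and `if test -z "$after" || test "$before" = "$after"; then` after it. `before` is assigned above the hunk, so this assumes it holds the pre-reconfig RRSIG SOA line.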
@@ -3328,327 +3342,327 @@ m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') -dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n +dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that split rrsigs are handled ($n)" ret=0 -dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)" ret=0 -dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1 grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" ret=0 alg=1 -until test $alg -eq 256 -do - zone="keygen-$alg." 
- case $alg in - 2) # Diffie Helman - alg=$((alg+1)) - continue;; - 157|160|161|162|163|164|165) # private - non standard - alg=$((alg+1)) - continue;; - 1|5|7|8|10) # RSA algorithms - key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - 15|16) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - # Soft-fail in case HSM doesn't support Edwards curves - if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then - echo_i "Algorithm $alg not supported by HSM: skipping" - alg=$((alg+1)) - continue - fi - ;; - *) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - esac - if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null - then - alg=$((alg+1)) - continue - fi - if test -z "$key1" - then - echo_i "'$KEYGEN -a $alg': failed" - cat "keygen-$alg.err" - ret=1 - alg=$((alg+1)) - continue - fi - $SETTIME -I now+4d "$key1.private" > /dev/null - key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null) - test -f "$key2.key" -a -f "$key2.private" || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=$((alg+1)) +until test $alg -eq 256; do + zone="keygen-$alg." 
+ case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + # Soft-fail in case HSM doesn't support Edwards curves + if grep "not found" "keygen-$alg.err" >/dev/null && [ "$CRYPTO" = "pkcs11" ]; then + echo_i "Algorithm $alg not supported by HSM: skipping" + alg=$((alg + 1)) + continue + fi + ;; + *) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n 
lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a CDS deletion record is accepted ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo update add 
cds-update.secure 0 CDS 0 0 0 00 -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo update add cds-update.secure 0 CDS 0 0 0 00 + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l) +lines=$(tr -d '\r' dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 
cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo update add cds-kskonly.secure 0 CDS 0 0 0 00 + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l) +lines=$(tr -d '\r' dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," 
dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | -$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ + | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 
== "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) 
+status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A 
>dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep 
"dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: test case for GL #1689. # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) 
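Review bot: The resign-time comparison near the top of the `@@ -3328,327 +3342,327 @@` hunk splices `$time`, `$expire` and `$inception` into the Perl program text (`$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" ...`). Whatever awk extracts from the rndc and dig output is therefore parsed as Perl source rather than treated as data. The line is unchanged context in this formatting pass, but the pattern is worth retiring while the file is being touched. Passing the values as arguments keeps them inert: `$PERL -e 'exit(0) if ($ARGV[0] lt $ARGV[1] && $ARGV[0] gt $ARGV[2]); exit(1);' "$time" "$expire" "$inception" || ret=1`.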
@@ -3660,272 +3674,276 @@ echo_i "check that a CDNSKEY deletion record is accepted ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l) +lines=$(tr -d '\r' dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo 
update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v 
id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l) +lines=$(tr -d '\r' &1 | sed 's/^/ns5 /' | cat_i sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec @10.53.0.5 SOA . 
>dig.out.ns5.test$n +grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. 
( -cd signer || exit 1 -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null -$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null -echo > remove.db.signed -$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null + $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null + echo >remove.db.signed + $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. 
( -cd signer || exit 1 -echo > remove.db.signed -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + echo >remove.db.signed + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" ret=0 -dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts managed-future.example. 
@10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . 
dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 +dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1 stop_server ns1 || ret=1 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns1 || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "waiting for root server to finish reloading ($n)" ret=0 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 -grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "view rec: *validat" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" ret=0 -dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" 
dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)" ret=0 -dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)" ret=0 -dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1 -dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1 +dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 +dig_with_opts any zz.secure.example. 
@10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 # DNSKEY+RRSIG, NSEC+RRSIG -grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # DNSSEC tests related to unsupported, disabled and revoked trust anchors. @@ -3945,9 +3963,9 @@ grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two tests are fairly normal DNSSEC queries to signed zones with a # default algorithm. First, a query is made against the server that is 
@@ -3956,25 +3974,25 @@ # return an authentic data positive response. echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY with an unsupported # algorithm will yield insecure positive responses. These trust anchors in ns8 are 
@@ -3982,25 +4000,25 @@ # in the response. echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the nameserver # has a disabled algorithm match for will yield insecure positive responses. 
@@ -4008,25 +4026,25 @@ # The AD bit should not be set in the response. echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the # nameserver has a disabled algorithm for, but for a different domain, will 
@@ -4036,50 +4054,50 @@ # bit set. echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # A configured revoked trust anchor is ignored and thus the two queries below # should result in insecure responses, since no trust points for the # "revoked.trusted." and "revoked.managed." 
zones are created. echo_i "checking that a trusted key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ### ### Additional checks for when the KSK is offline. 
@@ -4097,59 +4115,58 @@ # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - qtype=$1 - output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output" + qtype=$1 + output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output" } # Basic checks to make sure everything is fine before the KSK is made offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 -dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n +dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1 -n=$((n+1)) +get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && 
ret=1 +get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Roll the ZSK. zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2 +keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2 ZSK_ID2=$(cat ns2/$zone.zsk.id2) echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" ret=0 dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Make new ZSK active. echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" ret=0 -$SETTIME -I now -K ns2 $ZSK > /dev/null -$SETTIME -A now -K ns2 $zsk2 > /dev/null +$SETTIME -I now -K ns2 $ZSK >/dev/null +$SETTIME -A now -K ns2 $zsk2 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" 
@@ -4159,41 +4176,39 @@ # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # Redo the tests now that the zone is updated and the KSK is offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > 
/dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Put back the KSK. @@ -4203,18 +4218,18 @@ # Roll the ZSK again. zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3 +keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null -$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null -$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null +$SETTIME -D now -K ns2 $ZSK >/dev/null +$SETTIME -I +3600 -K ns2 $zsk2 >/dev/null +$SETTIME -A +3600 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" 
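Review bot: The step announced by `echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"` never resets `ret`, so the `test "$ret" -eq 0` and `status=$((status + ret))` after it also count whatever an earlier check left behind. A `ret=0` line directly after that `echo_i` would isolate the step. Its three `$SETTIME ... >/dev/null` calls also drop their exit status, so appending `|| ret=1` to each, as `dnssec_loadkeys_on 2 $zone || ret=1` already does, would report a failed timing change where it happens. The "make new ZSK $ZSK_ID3 active" step in the next hunk (@@ -4224,110 +4239,106 @@) has both gaps, and the `$SETTIME` calls in the hunk at @@ -4097,59 +4115,58 @@ are unchecked as well. The earlier value of `ret` is set outside this hunk, so the double counting is inferred from the visible lines.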
@@ -4224,110 +4239,106 @@ # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me again" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me again" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me again" + echo send ) | $NSUPDATE # Redo the tests now that the ZSK roll has deleted the old key. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 
$qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I +1 -K ns2 $zsk2 >/dev/null +$SETTIME -A +1 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Wait for newest ZSK to become active. 
echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me one more time" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me one more time" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me one more time" + echo send ) | $NSUPDATE -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Redo the tests one more time. 
-for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1 - n=$((n+1)) 
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking secroots output with multiple views ($n)" 
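Review bot: The "update the zone with $zone IN TXT nsupdate added me one more time" step is counted as a test (`n=$((n + 1))`, `status=$((status + ret))`), but nothing in it sets `ret`. The exit status of the `( ... ) | $NSUPDATE` pipeline is dropped, so the step reports whatever the preceding wait loop left in `ret`. Adding `ret=0` after the `echo_i` and ending the pipeline with `) | $NSUPDATE || ret=1` would make it report the update itself. As written, a rejected update would presumably surface only in the signing checks of the loops that follow, which points at the wrong step.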
@@ -4335,89 +4346,89 @@ rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking sig-validity-interval second field hours vs days ($n)" ret=0 # zone configured with 'sig-validity-interval 500 499;' # 499 days in the future w/ a 20 minute runtime to now allowance min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n +dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validation succeeds during transition to signed ($n)" ret=0 -dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" ret=0 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the validating resolver will fallback to insecure if 
the answer # contains NSEC3 records with high iteration count. echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" ret=0 -dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" ret=0 -dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 
-dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that a query against a validating resolver succeeds when there is # a negative cache entry with trust level "pending" for the DS. Prime 
@@ -4425,17 +4436,17 @@ # query that uses that entry as part of the validation process. [GL #3279] echo_i "check that pending negative DS cache entry validates ($n)" ret=0 -dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1 grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 -dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dnstap/prereq.sh bind9-9.16.48/bin/tests/system/dnstap/prereq.sh --- bind9-9.16.44/bin/tests/system/dnstap/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnstap/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --enable-dnstap || { - echo_i "This test requires dnstap support." >&2 - exit 255 + echo_i "This test requires dnstap support." >&2 + exit 255 } exit 0 diff -Nru bind9-9.16.44/bin/tests/system/dnstap/tests.sh bind9-9.16.48/bin/tests/system/dnstap/tests.sh --- bind9-9.16.44/bin/tests/system/dnstap/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dnstap/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -22,37 +22,40 @@ # dnstap_data_ready # Flushes capture_file and checks wheter its size is >= min_file_size. dnstap_data_ready() { - # Process id of running fstrm_capture. - fstrm_capture_pid=$1 - # Output file provided to fstrm_capture via -w switch. - capture_file=$2 - # Minimum expected file size. - min_size_expected=$3 - - kill -HUP $fstrm_capture_pid - file_size=`wc -c < "$capture_file" | tr -d ' '` - if [ $file_size -lt $min_size_expected ]; then - return 1 - fi -} - - -for bad in bad-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects error in $bad" - $CHECKCONF $bad > /dev/null 2>&1 - if [ $? != 1 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` + # Process id of running fstrm_capture. + fstrm_capture_pid=$1 + # Output file provided to fstrm_capture via -w switch. + capture_file=$2 + # Minimum expected file size. + min_size_expected=$3 + + kill -HUP $fstrm_capture_pid + file_size=$(wc -c <"$capture_file" | tr -d ' ') + if [ $file_size -lt $min_size_expected ]; then + return 1 + fi +} + +for bad in bad-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects error in $bad" + $CHECKCONF $bad >/dev/null 2>&1 + if [ $? != 1 ]; then + echo_i "failed" + ret=1 + fi + status=$(expr $status + $ret) done -for good in good-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects no error in $good" - $CHECKCONF $good > /dev/null 2>&1 - if [ $? != 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` +for good in good-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects no error in $good" + $CHECKCONF $good >/dev/null 2>&1 + if [ $? != 0 ]; then + echo_i "failed" + ret=1 + fi + status=$(expr $status + $ret) done echo_i "wait for servers to finish loading" 
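Review bot: `dnstap_data_ready` reports success when the capture file cannot be read. A failed `wc -c <"$capture_file"` leaves `file_size` empty, so the unquoted `[ $file_size -lt $min_size_expected ]` exits with a test error rather than true; the `if` body is skipped and the function falls off the end with status 0. Writing the check as `if [ "${file_size:-0}" -lt "$min_size_expected" ]; then` treats a missing or unreadable file as not ready. Whether fstrm_capture always creates the file before the first call is not visible here, so this may only show up when the capture process failed to start.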
@@ -62,13 +65,13 @@ wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 wait_for_log 20 "all zones loaded" ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # both the 'a.example/A' lookup and the './NS' lookup to ns1 # need tocomplete before reopening/rolling for the counts to # be correct. -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out wait_for_log 20 "(./NS): query_reset" ns1/named.run || true # check three different dnstap reopen/roll methods: @@ -76,15 +79,15 @@ mv ns1/dnstap.out ns1/dnstap.out.save mv ns2/dnstap.out ns2/dnstap.out.save -if [ -n "$FSTRM_CAPTURE" ] ; then - ret=0 - echo_i "starting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.1 2>&1 & - fstrm_capture_pid=$! - wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +if [ -n "$FSTRM_CAPTURE" ]; then + ret=0 + echo_i "starting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.1 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi $RNDCCMD -s 10.53.0.1 dnstap-reopen | sed 's/^/ns1 /' | cat_i @@ -92,10 +95,10 @@ $RNDCCMD -s 10.53.0.3 dnstap -roll | sed 's/^/ns3 /' | cat_i $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out # send an UPDATE to ns2 -$NSUPDATE <<- EOF +$NSUPDATE <<-EOF server 10.53.0.2 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 
@@ -115,705 +118,705 @@ echo_i "checking initial message counts" -udp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l` -tcp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l` -aq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l` -ar1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l` -cq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l` -cr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l` -rq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l` -rr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l` -uq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l` -ur1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l` - -udp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l` -tcp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "TCP " | wc -l` -aq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l` -ar2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l` -cq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l` -cr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l` -rq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l` -rr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l` -uq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l` -ur2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l` +udp1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l) +tcp1=$($DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l) +aq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l) +ar1=$($DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l) +cq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l) +cr1=$($DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l) +rq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l) +rr1=$($DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l) +uq1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l) +ur1=$($DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l) + +udp2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l) +tcp2=$($DNSTAPREAD ns2/dnstap.out.save | 
grep "TCP " | wc -l) +aq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l) +ar2=$($DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l) +cq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l) +cr2=$($DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l) +rq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l) +rr2=$($DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l) +uq2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l) +ur2=$($DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l) mv ns3/dnstap.out.0 ns3/dnstap.out.save -udp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l` -tcp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l` -aq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l` -ar3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l` -cq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l` -cr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l` -rq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l` -rr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l` -uq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l` -ur3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l` +udp3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l) +tcp3=$($DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l) +aq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l) +ar3=$($DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l) +cq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l) +cr3=$($DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l) +rq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l) +rr3=$($DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l) +uq3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l) +ur3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 
expected 2" + ret=1 } [ $udp3 -eq 4 ] || { - echo_i "ns3 $udp3 expected 4" - ret=1 + echo_i "ns3 $udp3 expected 4" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 6 ] || { - echo_i "ns1 $tcp1 expected 6" - ret=1 + echo_i "ns1 $tcp1 expected 6" + ret=1 } [ $tcp2 -eq 2 ] || { - echo_i "ns2 $tcp2 expected 2" - ret=1 + echo_i "ns2 $tcp2 expected 2" + ret=1 } [ $tcp3 -eq 6 ] || { - echo_i "ns3 $tcp3 expected 6" - ret=1 + echo_i "ns3 $tcp3 expected 6" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 3 ] || { - echo_i "ns1 $aq1 exepcted 3" - ret=1 + echo_i "ns1 $aq1 exepcted 3" + ret=1 } [ $aq2 -eq 2 ] || { - echo_i "ns2 $aq2 expected 2" - ret=1 + echo_i "ns2 $aq2 expected 2" + ret=1 } [ $aq3 -eq 1 ] || { - echo_i "ns3 $aq3 expected 1" - ret=1 + echo_i "ns3 $aq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 2 ] || { - echo_i "ns1 $ar1 expected 2" - ret=1 + echo_i "ns1 $ar1 expected 2" + ret=1 } [ $ar2 -eq 1 ] || { - echo_i "ns2 $ar2 expected 1" - ret=1 + echo_i "ns2 $ar2 expected 1" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi 
-status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 1 ] || { - echo_i "ns1 $cr1 expected 1" - ret=1 + echo_i "ns1 $cr1 expected 1" + ret=1 } [ $cr2 -eq 1 ] || { - echo_i "ns2 $cr2 expected 1" - ret=1 + echo_i "ns2 $cr2 expected 1" + ret=1 } [ $cr3 -eq 2 ] || { - echo_i "ns3 $cr3 expected 2" - ret=1 + echo_i "ns3 $cr3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 3 ] || { - echo_i "ns3 $rq3 expected 3" - ret=1 + echo_i "ns3 $rq3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 3 ] || { - echo_i "ns3 $rr3 expected 3" - ret=1 + echo_i "ns3 $rr3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 0 ] || { - echo_i "ns2 $uq2 expected 0" - ret=1 + echo_i "ns2 $uq2 expected 0" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 
0" - ret=1 + echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 0 ] || { - echo_i "ns2 $ur2 expected 0" - ret=1 + echo_i "ns2 $ur2 expected 0" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking reopened message counts" -udp1=`$DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l` -tcp1=`$DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l` -aq1=`$DNSTAPREAD ns1/dnstap.out | grep "AQ " | wc -l` -ar1=`$DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l` -cq1=`$DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l` -cr1=`$DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l` -rq1=`$DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l` -rr1=`$DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l` -uq1=`$DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l` -ur1=`$DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l` - -udp2=`$DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l` -tcp2=`$DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l` -aq2=`$DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l` -ar2=`$DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l` -cq2=`$DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l` -cr2=`$DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l` -rq2=`$DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l` -rr2=`$DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l` -uq2=`$DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l` -ur2=`$DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l` - -udp3=`$DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l` -tcp3=`$DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l` -aq3=`$DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l` -ar3=`$DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l` -cq3=`$DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l` -cr3=`$DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l` -rq3=`$DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l` -rr3=`$DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l` -uq3=`$DNSTAPREAD ns3/dnstap.out | grep "UQ " 
| wc -l` -ur3=`$DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l` +udp1=$($DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l) +tcp1=$($DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l) +aq1=$($DNSTAPREAD ns1/dnstap.out | grep "AQ " | wc -l) +ar1=$($DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l) +cq1=$($DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l) +cr1=$($DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l) +rq1=$($DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l) +rr1=$($DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l) +uq1=$($DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l) +ur1=$($DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l) + +udp2=$($DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l) +tcp2=$($DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l) +aq2=$($DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l) +ar2=$($DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l) +cq2=$($DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l) +cr2=$($DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l) +rq2=$($DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l) +rr2=$($DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l) +uq2=$($DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l) +ur2=$($DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l) + +udp3=$($DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l) +tcp3=$($DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l) +aq3=$($DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l) +ar3=$($DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l) +cq3=$($DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l) +cr3=$($DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l) +rq3=$($DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l) +rr3=$($DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l) +uq3=$($DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l) +ur3=$($DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 expected 2" 
+ ret=1 } [ $udp3 -eq 2 ] || { - echo_i "ns3 $udp3 expected 2" - ret=1 + echo_i "ns3 $udp3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 0 ] || { - echo_i "ns1 $tcp1 expected 0" - ret=1 + echo_i "ns1 $tcp1 expected 0" + ret=1 } [ $tcp2 -eq 0 ] || { - echo_i "ns2 $tcp2 expected 0" - ret=1 + echo_i "ns2 $tcp2 expected 0" + ret=1 } [ $tcp3 -eq 0 ] || { - echo_i "ns3 $tcp3 expected 0" - ret=1 + echo_i "ns3 $tcp3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 0 ] || { - echo_i "ns1 $aq1 exepcted 0" - ret=1 + echo_i "ns1 $aq1 exepcted 0" + ret=1 } [ $aq2 -eq 0 ] || { - echo_i "ns2 $aq2 expected 0" - ret=1 + echo_i "ns2 $aq2 expected 0" + ret=1 } [ $aq3 -eq 0 ] || { - echo_i "ns3 $aq3 expected 0" - ret=1 + echo_i "ns3 $aq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 0 ] || { - echo_i "ns1 $ar1 expected 0" - ret=1 + echo_i "ns1 $ar1 expected 0" + ret=1 } [ $ar2 -eq 0 ] || { - echo_i "ns2 $ar2 expected 0" - ret=1 + echo_i "ns2 $ar2 expected 0" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr 
$status + $ret` +status=$(expr $status + $ret) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 0 ] || { - echo_i "ns1 $cr1 expected 0" - ret=1 + echo_i "ns1 $cr1 expected 0" + ret=1 } [ $cr2 -eq 0 ] || { - echo_i "ns2 $cr2 expected 0" - ret=1 + echo_i "ns2 $cr2 expected 0" + ret=1 } [ $cr3 -eq 1 ] || { - echo_i "ns3 $cr3 expected 1" - ret=1 + echo_i "ns3 $cr3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 0 ] || { - echo_i "ns3 $rq3 expected 0" - ret=1 + echo_i "ns3 $rq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 0 ] || { - echo_i "ns3 $rr3 expected 0" - ret=1 + echo_i "ns3 $rr3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 1 ] || { - echo_i "ns2 $uq2 expected 1" - ret=1 + echo_i "ns2 $uq2 expected 1" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 0" - ret=1 + 
echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 1 ] || { - echo_i "ns2 $ur2 expected 1" - ret=1 + echo_i "ns2 $ur2 expected 1" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking whether destination UDP port is logged for client queries" ret=0 $DNSTAPREAD ns3/dnstap.out.save | grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) HAS_PYYAML=0 -if [ -n "$PYTHON" ] ; then - $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +if [ -n "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi -if [ $HAS_PYYAML -ne 0 ] ; then - echo_i "checking dnstap-read YAML output" - ret=0 - { - $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1 - } | cat_i - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +if [ $HAS_PYYAML -ne 0 ]; then + echo_i "checking dnstap-read YAML output" + ret=0 + { + $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" >ydump.out || ret=1 + } | cat_i + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "checking dnstap-read hex output" ret=0 -hex=`$DNSTAPREAD -x ns3/dnstap.out | tail -1` -echo $hex | $WIRETEST > dnstap.hex -grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1 +hex=$($DNSTAPREAD -x ns3/dnstap.out | tail -1) +echo $hex | $WIRETEST >dnstap.hex +grep 'status: NOERROR' dnstap.hex >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -if [ -n "$FSTRM_CAPTURE" ] ; then - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out +if [ -n "$FSTRM_CAPTURE" ]; 
then + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out - # send an UPDATE to ns4 - $NSUPDATE <<- EOF > nsupdate.out 2>&1 + # send an UPDATE to ns4 + $NSUPDATE <<-EOF >nsupdate.out 2>&1 server 10.53.0.4 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 send EOF - grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1 + grep "update failed: NOTAUTH" nsupdate.out >/dev/null || ret=1 - echo_i "checking unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - kill $fstrm_capture_pid - wait - udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` - tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` - aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` - ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` - cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` - cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` - rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` - rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` - uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` - ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 4 ] || { - echo_i "ns4 $udp4 expected 4" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr 
$status + $ret` - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] || { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 1 ] || { - echo_i "ns4 $uq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 1 ] || { - echo_i "ns4 $ur4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - mv dnstap.out dnstap.out.save - - echo_i "restarting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.2 2>&1 & - fstrm_capture_pid=$! 
- wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { - echo_i "failed" - ret=1 - } - $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out - - echo_i "checking reopened unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - kill $fstrm_capture_pid - wait - udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` - tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` - aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` - ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` - cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` - cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` - rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` - rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` - uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` - ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 2 ] || { - echo_i "ns4 $udp4 expected 2" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - 
status=`expr $status + $ret` - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] || { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 0 ] || { - echo_i "ns4 $uq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 0 ] || { - echo_i "ns4 $ur4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + echo_i "checking unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 4 ] || { + echo_i "ns4 $udp4 expected 4" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + 
echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 1 ] || { + echo_i "ns4 $uq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 1 ] || { + echo_i "ns4 $ur4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + mv dnstap.out dnstap.out.save + + echo_i "restarting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.2 2>&1 & + fstrm_capture_pid=$! 
+ wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { + echo_i "failed" + ret=1 + } + $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out + + echo_i "checking reopened unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 2 ] || { + echo_i "ns4 $udp4 expected 2" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i 
"failed"; fi + status=$(expr $status + $ret) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 0 ] || { + echo_i "ns4 $uq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 0 ] || { + echo_i "ns4 $ur4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) fi echo_i "checking large packet printing" ret=0 # Expect one occurrence of "opcode: QUERY" below "reponse_message_data" and # another one below "response_message". -lines=`$DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY"` +lines=$($DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY") [ $lines -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) test_dnstap_roll() ( - ip="$1" - ns="$2" - n="$3" - $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i && - files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) && - test "$files" -le "${n}" && test "$files" -ge "1" + ip="$1" + ns="$2" + n="$3" + $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i \ + && files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) \ + && test "$files" -le "${n}" && test "$files" -ge "1" ) echo_i "checking 'rndc -roll ' (no versions)" 
@@ -821,14 +824,14 @@ start_server --noclean --restart --port "${PORT}" ns3 _repeat 5 test_dnstap_roll 10.53.0.3 ns3 3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 'rndc -roll ' (versions)" ret=0 start_server --noclean --restart --port "${PORT}" ns2 _repeat 5 test_dnstap_roll 10.53.0.2 ns2 3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ "$status" -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dscp/tests.sh bind9-9.16.48/bin/tests/system/dscp/tests.sh --- bind9-9.16.44/bin/tests/system/dscp/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dscp/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -24,18 +24,19 @@ # 10.53.0.7 has dscp set in zone *-source clauses; # for server in 10.53.0.1 10.53.0.2 10.53.0.3 10.53.0.4 10.53.0.5 \ - 10.53.0.6 10.53.0.7 -do - echo_i "testing root SOA lookup at $server" - for i in 0 1 2 3 4 5 6 7 8 9 - do - ret=0 - $DIG $DIGOPTS @$server soa . > dig.out.$server - grep "status: NOERROR" dig.out.$server > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 - done - test $ret = 0 || { echo_i "failed"; status=`expr $status + $ret`; } + 10.53.0.6 10.53.0.7; do + echo_i "testing root SOA lookup at $server" + for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @$server soa . >dig.out.$server + grep "status: NOERROR" dig.out.$server >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 + done + test $ret = 0 || { + echo_i "failed" + status=$(expr $status + $ret) + } done echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/dsdigest/ns1/sign.sh bind9-9.16.48/bin/tests/system/dsdigest/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/dsdigest/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dsdigest/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -26,12 +26,12 @@ key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $key2 > trusted.conf +keyfile_to_static_ds $key2 >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff -Nru bind9-9.16.44/bin/tests/system/dsdigest/ns2/sign.sh bind9-9.16.48/bin/tests/system/dsdigest/ns2/sign.sh --- bind9-9.16.44/bin/tests/system/dsdigest/ns2/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dsdigest/ns2/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -29,16 +29,15 @@ cat $infile1 $keyname11.key $keyname12.key >$zonefile1 cat $infile2 $keyname21.key $keyname22.key >$zonefile2 -$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null -$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null +$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null +$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null DSFILENAME1=dsset-${zone1}${TP} DSFILENAME2=dsset-${zone2}${TP} -$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1 -$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 +$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1 +$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2 algo=SHA-384 -$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1 -$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2 - +$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1 +$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2 diff -Nru bind9-9.16.44/bin/tests/system/dsdigest/tests.sh bind9-9.16.48/bin/tests/system/dsdigest/tests.sh --- bind9-9.16.44/bin/tests/system/dsdigest/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dsdigest/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -24,31 +24,31 @@ echo_i "checking that validation with enabled digest types works" ret=0 -$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1 -grep "status: NOERROR" dig.out.good > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1 +$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1 +grep "status: NOERROR" dig.out.good >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # Check the bad. domain echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL" ret=0 -$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1 -grep "SERVFAIL" dig.out.bad > /dev/null || ret=1 +$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1 +grep "SERVFAIL" dig.out.bad >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking that validation with no supported digest algorithms results in insecure" ret=0 -$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1 -grep "NOERROR" dig.out.ds > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1 -$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1 -grep "NOERROR" dig.out.insecure > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1 +$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1 +grep "NOERROR" dig.out.ds >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1 +$DIG $DIGOPTS a.bad. 
@10.53.0.4 a >dig.out.insecure || ret=1 +grep "NOERROR" dig.out.insecure >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/dupsigs/ns1/reset_keys.sh bind9-9.16.48/bin/tests/system/dupsigs/ns1/reset_keys.sh --- bind9-9.16.44/bin/tests/system/dupsigs/ns1/reset_keys.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dupsigs/ns1/reset_keys.sh 2024-02-11 11:31:39.000000000 +0000 
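Review bot: The rcode assertions in this hunk match the bare word anywhere in the dig output (`grep "SERVFAIL" dig.out.bad`, `grep "NOERROR" dig.out.ds`, `grep "NOERROR" dig.out.insecure`), while the first check pins it to the header with `grep "status: NOERROR"`. These checks decide whether an unsupported digest type ends in SERVFAIL or in an insecure answer, so I would anchor them the same way, e.g. `grep "status: SERVFAIL" dig.out.bad >/dev/null || ret=1`. Separately, the new `status=$(expr $status + $ret)` still forks `expr`; `status=$((status + ret))` is already used by other test scripts in this diff and would be consistent with them.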
@@ -19,32 +19,31 @@ mkdir -p keys/signing.test timetodnssec() { - $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]); + $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]); printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1} } KEYDIR=keys/signing.test -KSK=`$KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone` +KSK=$($KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone) -ZSK0=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK1=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK2=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK3=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK4=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK5=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK6=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK7=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK8=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` -ZSK9=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK0=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK1=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK2=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK3=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK4=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK5=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK6=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK7=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) +ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) # clear all times on all keys -for FILEN in keys/signing.test/*.key -do - $SETTIME -P none -A none -R none -I none -D none $FILEN +for FILEN in keys/signing.test/*.key; do + $SETTIME -P none -A none -R none -I none -D none $FILEN done -BASE=`date +%s` -BASET=`timetodnssec $BASE` +BASE=$(date +%s) +BASET=$(timetodnssec $BASE) # reset the publish and activation time on the KSK $SETTIME -P $BASET -A $BASET $KEYDIR/$KSK 
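Review bot: The Perl one-liner in `timetodnssec` reads its argument as `@ARGV[0]`, which is a one-element array slice rather than a scalar, and the shell passes `${1}` unquoted. Both happen to work for the epoch values used here, but since the reformat already touches this function I would change it to `gmtime($ARGV[0])` and pass `"${1}"`. A one-line comment above the function stating that it converts epoch seconds to the `YYYYMMDDHHMMSS` form given to `$SETTIME` would also help; the scheduling code that calls it continues outside this hunk.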
@@ -53,25 +52,25 @@ $SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0 # schedule the first roll -R1=`expr $BASE + 50` -R1T=`timetodnssec $R1` +R1=$(expr $BASE + 50) +R1T=$(timetodnssec $R1) $SETTIME -I $R1T $KEYDIR/$ZSK0 $SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1 # schedule the second roll (which includes the delete of the first key) -R2=`expr $R1 + 50` -R2T=`timetodnssec $R2` +R2=$(expr $R1 + 50) +R2T=$(timetodnssec $R2) DT=$R2 -DTT=`timetodnssec $DT` +DTT=$(timetodnssec $DT) $SETTIME -D $DTT $KEYDIR/$ZSK0 $SETTIME -I $R2T $KEYDIR/$ZSK1 $SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2 # schedule the third roll -R3=`expr $R2 + 25` -R3T=`timetodnssec $R3` +R3=$(expr $R2 + 25) +R3T=$(timetodnssec $R3) $SETTIME -D $R3T $KEYDIR/$ZSK1 $SETTIME -I $R3T $KEYDIR/$ZSK2 @@ -92,8 +91,8 @@ # this isn't long enough for the signing to complete and would result in # duplicate signatures, see # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597 -R4=`expr $R3 + 10` -R4T=`timetodnssec $R4` +R4=$(expr $R3 + 10) +R4T=$(timetodnssec $R4) $SETTIME -D $R4T $KEYDIR/$ZSK2 $SETTIME -I $R4T $KEYDIR/$ZSK3 diff -Nru bind9-9.16.44/bin/tests/system/dupsigs/setup.sh bind9-9.16.48/bin/tests/system/dupsigs/setup.sh --- bind9-9.16.44/bin/tests/system/dupsigs/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dupsigs/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -21,4 +21,7 @@ copy_setports ns1/named.conf.in ns1/named.conf cp -f ns1/signing.test.db.in ns1/signing.test.db -(cd ns1; $SHELL ./reset_keys.sh) +( + cd ns1 + $SHELL ./reset_keys.sh +) diff -Nru bind9-9.16.44/bin/tests/system/dupsigs/tests.sh bind9-9.16.48/bin/tests/system/dupsigs/tests.sh --- bind9-9.16.44/bin/tests/system/dupsigs/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dupsigs/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -25,20 +25,20 @@ # - 2 x 500 signatures for a{0000-0499}.signing.test. # # for a total of 1009. -fully_signed () { - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" - awk 'BEGIN { lines = 0 } +fully_signed() { + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >"dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } $4 == "RRSIG" {lines++} - END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr" + END { if (lines != 1009) exit(1) }' <"dig.out.ns1.axfr" } # Wait for the last NSEC record in the zone to be signed. This is a lightweight # alternative to avoid many AXFR requests while waiting for the zone to be # fully signed. _wait_for_last_nsec_signed() { - $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 - grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 - return 0 + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec >"dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" >/dev/null || return 1 + return 0 } echo_i "wait for the zone to be fully signed" 
@@ -46,24 +46,23 @@ retry_quiet 10 fully_signed || status=1 if [ $status != 0 ]; then echo_i "failed"; fi -start=`date +%s` +start=$(date +%s) now=$start end=$((start + 140)) while [ $now -lt $end ] && [ $status -eq 0 ]; do - et=$((now - start)) - echo_i "............... $et ............" - $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et - awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i - lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` - if [ ${et} -ne 0 -a ${lines} -ne 1009 ] - then - echo_i "failed" - status=$((status + 1)) - fi - sleep 5 - now=`date +%s` + et=$((now - start)) + echo_i "............... $et ............" + $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >dig.out.at$et + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i + lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l) + if [ ${et} -ne 0 -a ${lines} -ne 1009 ]; then + echo_i "failed" + status=$((status + 1)) + fi + sleep 5 + now=$(date +%s) done echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/dyndb/prereq.sh bind9-9.16.48/bin/tests/system/dyndb/prereq.sh --- bind9-9.16.44/bin/tests/system/dyndb/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dyndb/prereq.sh 2024-02-11 11:31:39.000000000 +0000 
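Review bot: The failure check inside the loop keeps the obsolescent `-a` operator with unquoted operands, `[ ${et} -ne 0 -a ${lines} -ne 1009 ]`, while the loop condition a few lines above already uses the portable form `[ $now -lt $end ] && [ $status -eq 0 ]`. I would write it as `if [ "$et" -ne 0 ] && [ "$lines" -ne 1009 ]; then`. The `$DIG axfr ... >dig.out.at$et` before it has no exit-status check, so a failed transfer shows up only as a wrong RRSIG count; if that is intended, a short comment saying so would make the loop easier to read.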
@@ -14,14 +14,14 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -$FEATURETEST --have-dlopen || { - echo_i "dlopen() not supported - skipping dyndb test" - exit 255 +$FEATURETEST --have-dlopen || { + echo_i "dlopen() not supported - skipping dyndb test" + exit 255 } -$FEATURETEST --tsan && { - echo_i "TSAN - skipping dyndb test" - exit 255 +$FEATURETEST --tsan && { + echo_i "TSAN - skipping dyndb test" + exit 255 } exit 0 diff -Nru bind9-9.16.44/bin/tests/system/dyndb/tests.sh bind9-9.16.48/bin/tests/system/dyndb/tests.sh --- bind9-9.16.44/bin/tests/system/dyndb/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/dyndb/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -21,145 +21,143 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=`expr $n + 1` - echo_i "${1} (${n})" - ret=0 + n=$(expr $n + 1) + echo_i "${1} (${n})" + ret=0 } test_add() { - host="$1" - type="$2" - ip="$3" + host="$1" + type="$2" + ip="$3" - cat < ns1/update.txt + cat <ns1/update.txt server 10.53.0.1 ${PORT} ttl 86400 update add $host $type $ip send EOF - newtest "adding $host $type $ip" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed for $host $type $ip" - return 1 - } - - out=`$DIG $DIGOPTS +noall +answer -t $type -q $host` - echo $out > added.a.out.$n - lines=`echo "$out" | grep "$ip" | wc -l` - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=`$DIG $DIGOPTS +noall +answer -x $ip` - echo $out > added.ptr.out.$n - lines=`echo "$out" | grep "$host" | wc -l` - [ $lines -eq 1 ] && break; - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } + newtest "adding $host $type $ip" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed for $host $type $ip" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >added.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >added.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 1 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } - 
return 0 + return 0 } test_del() { - host="$1" - type="$2" + host="$1" + type="$2" - ip=`$DIG $DIGOPTS +short $host $type` + ip=$($DIG $DIGOPTS +short $host $type) - cat < ns1/update.txt + cat <ns1/update.txt server 10.53.0.1 ${PORT} update del $host $type send EOF - newtest "deleting $host $type (was $ip)" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed deleting $host $type" - return 1 - } - - out=`$DIG $DIGOPTS +noall +answer -t $type -q $host` - echo $out > deleted.a.out.$n - lines=`echo "$out" | grep "$ip" | wc -l` - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=`$DIG $DIGOPTS +noall +answer -x $ip` - echo $out > deleted.ptr.out.$n - lines=`echo "$out" | grep "$host" | wc -l` - [ $lines -eq 0 ] && break - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } + newtest "deleting $host $type (was $ip)" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed deleting $host $type" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >deleted.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >deleted.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 0 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } - return 0 + return 0 } test_add test1.ipv4.example.nil. 
A "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_add test2.ipv4.example.nil. A "10.53.0.11" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_add test3.ipv4.example.nil. A "10.53.0.12" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_add test4.ipv6.example.nil. AAAA "2001:db8::1" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test1.ipv4.example.nil. A || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test2.ipv4.example.nil. A || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test3.ipv4.example.nil. A || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test4.ipv6.example.nil. AAAA || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) newtest "checking parameter logging" -grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1 -grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1 +grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1 +grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1 [ $ret -eq 1 ] && echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "checking dyndb still works after reload" rndc_reload ns1 10.53.0.1 test_add test5.ipv4.example.nil. A "10.53.0.10" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_add test6.ipv6.example.nil. AAAA "2001:db8::1" || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test5.ipv4.example.nil. A || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) test_del test6.ipv6.example.nil. 
AAAA || ret=1 -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/ecdsa/ns1/sign.sh bind9-9.16.48/bin/tests/system/ecdsa/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/ecdsa/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/ecdsa/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 
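Review bot: In `test_add` and `test_del` the result checks pass `$ip` and `$host` to grep as regular expressions (`grep "$ip" | wc -l`, `grep "$host" | wc -l`), so every dot matches any character, and in `test_del` an empty `$ip` (if the initial `dig +short` returns nothing) would make the pattern match every line. Fixed-string matching keeps the `-eq 1` / `-eq 0` assertions exact: `lines=$(echo "$out" | grep -F -- "$ip" | wc -l)`. The "dig output incorrect" messages also interpolate `$cmd`, which is not assigned anywhere in this hunk and presumably expands to nothing; I would drop it from those `echo_i` strings.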
@@ -23,34 +23,34 @@ cp $infile $zonefile if [ -f ../ecdsa256-supported.file ]; then - zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") - ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") - cat "$ksk256.key" "$zsk256.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256 + zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") + ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") + cat "$ksk256.key" "$zsk256.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256 fi if [ -f ../ecdsa384-supported.file ]; then - zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") - ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") - cat "$ksk384.key" "$zsk384.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256 + zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") + ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") + cat "$ksk384.key" "$zsk384.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256 fi # Configure the resolving server with a static key. 
if [ -f ../ecdsa256-supported.file ]; then - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ecdsa384-supported.file ]; then - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff -Nru bind9-9.16.44/bin/tests/system/ecdsa/setup.sh bind9-9.16.48/bin/tests/system/ecdsa/setup.sh --- bind9-9.16.44/bin/tests/system/ecdsa/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/ecdsa/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -17,17 +17,17 @@ set -e if $SHELL ../testcrypto.sh ecdsap256sha256; then - echo "yes" > ecdsa256-supported.file + echo "yes" >ecdsa256-supported.file fi if $SHELL ../testcrypto.sh ecdsap384sha384; then - echo "yes" > ecdsa384-supported.file + echo "yes" >ecdsa384-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff -Nru bind9-9.16.44/bin/tests/system/ecdsa/tests.sh bind9-9.16.48/bin/tests/system/ecdsa/tests.sh --- bind9-9.16.44/bin/tests/system/ecdsa/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/ecdsa/tests.sh 2024-02-11 11:31:39.000000000 +0000 
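Review bot: The last line, `$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err`, prints the signer's error but leaves the script's exit status at that of `cat`, so a failed signing run is not reported to the caller even though `ecdsa/setup.sh` runs under `set -e`. Unless that is deliberate, I would make it `|| { cat signer.err; exit 1; }` so that setup stops instead of continuing with a zone that was not signed. The `else` branches also use `$ksk384` and `$ksk256`, which are only assigned when the other `*-supported.file` exists. If neither file is present, `keyfile_to_static_ds` is called with an empty argument; presumably a prerequisite check rules that out, and a comment saying so would help.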
@@ -18,35 +18,35 @@ n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ecdsa256-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA256 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA256 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA256 not supported, skipping test" + echo_i "algorithm ECDSA256 not supported, skipping test" fi if [ -f ecdsa384-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA384 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA384 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA384 not supported, skipping test" + echo_i "algorithm ECDSA384 not supported, skipping test" fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/eddsa/ns1/sign.sh bind9-9.16.48/bin/tests/system/eddsa/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/eddsa/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -23,34 +23,34 @@ cp $infile $zonefile if [ -f ../ed25519-supported.file ]; then - zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") - ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") - cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256 fi if [ -f ../ed448-supported.file ]; then - zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") - ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") - cat "$ksk448.key" "$zsk448.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256 fi # Configure the resolving server with a static key. 
if [ -f ../ed25519-supported.file ]; then - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ed448-supported.file ]; then - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff -Nru bind9-9.16.44/bin/tests/system/eddsa/ns2/sign.sh bind9-9.16.48/bin/tests/system/eddsa/ns2/sign.sh --- bind9-9.16.44/bin/tests/system/eddsa/ns2/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/ns2/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -26,12 +26,11 @@ if [ -f ../ed25519-supported.file ]; then - for i in Xexample.com.+015+03613 Xexample.com.+015+35217 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile >/dev/null 2>signer.err || cat signer.err diff -Nru bind9-9.16.44/bin/tests/system/eddsa/ns3/sign.sh bind9-9.16.48/bin/tests/system/eddsa/ns3/sign.sh --- bind9-9.16.44/bin/tests/system/eddsa/ns3/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/ns3/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -25,12 +25,11 @@ cp $infile $zonefile if [ -f ../ed448-supported.file ]; then - for i in Xexample.com.+016+09713 Xexample.com.+016+38353 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff -Nru bind9-9.16.44/bin/tests/system/eddsa/prereq.sh bind9-9.16.48/bin/tests/system/eddsa/prereq.sh --- bind9-9.16.44/bin/tests/system/eddsa/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -16,10 +16,10 @@ supported=0 if $SHELL ../testcrypto.sh ed25519; then - supported=1 + supported=1 fi if $SHELL ../testcrypto.sh ed448; then - supported=1 + supported=1 fi [ "$supported" -eq 1 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/eddsa/setup.sh bind9-9.16.48/bin/tests/system/eddsa/setup.sh --- bind9-9.16.44/bin/tests/system/eddsa/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/setup.sh 2024-02-11 11:31:39.000000000 +0000 @@ -15,11 +15,11 @@ . $SYSTEMTESTTOP/conf.sh if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf 
@@ -27,14 +27,14 @@ copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) ( - cd ns2 - $SHELL sign.sh + cd ns2 + $SHELL sign.sh ) ( - cd ns3 - $SHELL sign.sh + cd ns3 + $SHELL sign.sh ) diff -Nru bind9-9.16.44/bin/tests/system/eddsa/tests.sh bind9-9.16.48/bin/tests/system/eddsa/tests.sh --- bind9-9.16.44/bin/tests/system/eddsa/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/eddsa/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -18,66 +18,66 @@ n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ed25519-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed25519 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed25519 test vectors match ($n)" - ret=0 - grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed25519 not supported, skipping vectors match test" + echo_i "algorithm Ed25519 not supported, skipping vectors match test" fi if [ -f ed448-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed448 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . 
@10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed448 test vectors match ($n)" - ret=0 - grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 - - grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 - grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1 + + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed448 not supported, skipping vectors match test" + echo_i "algorithm Ed448 not supported, skipping vectors match test" fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/ednscompliance/tests.sh bind9-9.16.48/bin/tests/system/ednscompliance/tests.sh --- bind9-9.16.44/bin/tests/system/ednscompliance/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/ednscompliance/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -20,94 +20,169 @@ n=0 zone=. -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check +edns=100 sets version 100 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n -grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; } +$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n +grep "EDNS: version: 100," dig.out$n >/dev/null || { + ret=1 + reason="version" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) ret=0 reason= echo_i "check +ednsopt=100 adds option 100 ($n)" -$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n -grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n +grep "; OPT=100" dig.out$n >/dev/null || { + ret=1 + reason="option" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n -grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n +grep "MBZ: 0x0080," dig.out$n >/dev/null || { + ret=1 + reason="flags" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Unknown EDNS version ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Unknown EDNS option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Unknown EDNS version + option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed: $reason"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "Unknown EDNS flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep ".IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "Unknown EDNS version + flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "DiG's EDNS negotiation ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi -status=`expr $status + $ret` -n=`expr $n + 1` +status=$(expr $status + $ret) +n=$(expr $n + 1) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/emptyzones/tests.sh bind9-9.16.48/bin/tests/system/emptyzones/tests.sh --- bind9-9.16.44/bin/tests/system/emptyzones/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/emptyzones/tests.sh 2024-02-11 11:31:39.000000000 +0000 
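Review bot: The two MBZ checks still carry a doubled redirection after the reformat, `grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && {`; the second `>/dev/null` does nothing and one should be dropped. The counters here are written as `n=$(expr $n + 1)` and `status=$(expr $status + $ret)`, while the ecdsa and eddsa tests in the same change use `n=$((n + 1))` and `status=$((status + ret))`. Arithmetic expansion avoids a fork per increment and would keep the test scripts consistent. The failure message is also spelled `"failed: $reason"` in one test and `"failed $reason"` in the others, which makes log matching less reliable.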
@@ -20,26 +20,26 @@ status=0 n=0 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that switching to automatic empty zones works ($n)" ret=0 rndc_reload ns1 10.53.0.1 copy_setports ns1/named2.conf.in ns1/named.conf -$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1 sleep 5 -$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1 +$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that allow-transfer { none; } works ($n)" ret=0 -$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1 -grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1 +grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/fetchlimit/prereq.sh bind9-9.16.48/bin/tests/system/fetchlimit/prereq.sh --- bind9-9.16.44/bin/tests/system/fetchlimit/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/fetchlimit/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -14,10 +14,9 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - : +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + : else - echo_i "This test requires the Net::DNS library." >&2 - exit 1 + echo_i "This test requires the Net::DNS library." >&2 + exit 1 fi diff -Nru bind9-9.16.44/bin/tests/system/fetchlimit/tests.sh bind9-9.16.48/bin/tests/system/fetchlimit/tests.sh --- bind9-9.16.44/bin/tests/system/fetchlimit/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/fetchlimit/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -18,24 +18,24 @@ RNDCCMD="$RNDC -p ${CONTROLPORT} -s 10.53.0.3 -c ../common/rndc.conf" burst() { - num=${3:-20} - rm -f burst.input.$$ - while [ $num -gt 0 ]; do - num=$((num-1)) - echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$ - done - $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ - rm -f burst.input.$$ + num=${3:-20} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=$((num - 1)) + echo "${num}${1}${2}.lamesub.example A" >>burst.input.$$ + done + $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ + rm -f burst.input.$$ } stat() { - clients=`$RNDCCMD status | grep "recursive clients" | - sed 's;.*: \([^/][^/]*\)/.*;\1;'` - echo_i "clients: $clients" - [ "$clients" = "" ] && return 1 - [ "$clients" -ge $1 ] || return 1 - [ "$clients" -le $2 ] || return 1 - return 0 + clients=$($RNDCCMD status | grep "recursive clients" \ + | sed 's;.*: \([^/][^/]*\)/.*;\1;') + echo_i "clients: $clients" + [ "$clients" = "" ] && return 1 + [ "$clients" -ge $1 ] || return 1 + [ "$clients" -le $2 ] || return 1 + return 0 } status=0 
@@ -46,21 +46,21 @@ $RNDCCMD flush touch ans4/norespond for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - burst a $try - # fetches-per-server is at 400, but at 20qps against a lame server, - # we'll reach 200 at the tenth second, and the quota should have been - # tuned to less than that by then. - [ $try -le 5 ] && low=$((try*10)) - stat 20 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst a $try + # fetches-per-server is at 400, but at 20qps against a lame server, + # we'll reach 200 at the tenth second, and the quota should have been + # tuned to less than that by then. + [ $try -le 5 ] && low=$((try * 10)) + stat 20 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "dumping ADB data" $RNDCCMD dumpdb -adb -info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/') echo_i $info set -- $info quota=$5 
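Review bot: `low` is assigned inside the loop (`[ $try -le 5 ] && low=$((try * 10))`), but the bound check that follows is `stat 20 200` with fixed limits, so within this hunk the value is never read. If a ramping lower bound was intended, the call would presumably be `stat $low 200`; otherwise the assignment can be removed. The script continues outside the hunk, so if `low` is consumed later, a short comment next to the assignment saying where would save the next reader the search.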
@@ -71,51 +71,51 @@ rm -f ns3/named.stats $RNDCCMD stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done -sspill=`grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'` +sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$sspill" ] && sspill=0 -fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/') [ -z "$fails" ] && fails=0 [ "$fails" -ge "$sspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking lame server recovery" ret=0 rm -f ans4/norespond for try in 1 2 3 4 5; do - burst b $try - stat 0 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst b $try + stat 0 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done echo_i "dumping ADB data" $RNDCCMD dumpdb -adb -info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/') echo_i $info set -- $info [ ${5:-${quota}} -lt $quota ] || ret=1 quota=$5 for try in 1 2 3 4 5 6 7 8 9 10; do - burst c $try - stat 0 20 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst c $try + stat 0 20 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done echo_i "dumping ADB data" $RNDCCMD dumpdb -adb -info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +info=$(grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/') echo_i $info set -- $info [ ${5:-${quota}} -gt $quota ] || ret=1 quota=$5 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 
@@ -126,35 +126,35 @@ success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst b $try 300 - $DIGCMD a ${try}.example > dig.out.ns3.$try - grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - stat 30 50 || ret=1 - [ $ret -eq 1 ] && break - $RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i - sleep 1 + burst b $try 300 + $DIGCMD a ${try}.example >dig.out.ns3.$try + grep "status: NOERROR" dig.out.ns3.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + stat 30 50 || ret=1 + [ $ret -eq 1 ] && break + $RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i + sleep 1 done echo_i "$success successful valid queries, $fail SERVFAIL" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking drop statistics" rm -f ns3/named.stats $RNDCCMD stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done -zspill=`grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'` +zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 -drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/') [ -z "$drops" ] && drops=0 [ "$drops" -ge "$zspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 
@@ -166,35 +166,44 @@ success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst b $try 400 - $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try - stat 100 400 || exceeded=$((exceeded + 1)) - grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - sleep 1 + burst b $try 400 + $DIGCMD +time=2 a ${try}.example >dig.out.ns3.$try + stat 100 400 || exceeded=$((exceeded + 1)) + grep "status: NOERROR" dig.out.ns3.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + sleep 1 done echo_i "$success successful valid queries (expected 5)" -[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; } +[ "$success" -eq 5 ] || { + echo_i "failed" + ret=1 +} echo_i "$fail SERVFAIL responses (expected 0)" -[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$fail" -eq 0 ] || { + echo_i "failed" + ret=1 +} echo_i "clients count exceeded 400 on $exceeded trials (expected 0)" -[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$exceeded" -eq 0 ] || { + echo_i "failed" + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking drop statistics" rm -f ns3/named.stats $RNDCCMD stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done -drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/') [ "${drops:-0}" -ne 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/filter-aaaa/ns1/sign.sh 
bind9-9.16.48/bin/tests/system/filter-aaaa/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/filter-aaaa/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/filter-aaaa/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -21,15 +21,15 @@ zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i -keyname=`cat keygen.out` +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i +keyname=$(cat keygen.out) rm -f keygen.out -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns5/trusted.conf -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff -Nru bind9-9.16.44/bin/tests/system/filter-aaaa/ns4/sign.sh bind9-9.16.48/bin/tests/system/filter-aaaa/ns4/sign.sh --- bind9-9.16.44/bin/tests/system/filter-aaaa/ns4/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/filter-aaaa/ns4/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -21,8 +21,8 @@ zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff -Nru bind9-9.16.44/bin/tests/system/filter-aaaa/prereq.sh bind9-9.16.48/bin/tests/system/filter-aaaa/prereq.sh --- bind9-9.16.44/bin/tests/system/filter-aaaa/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/filter-aaaa/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -14,14 +14,14 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -$FEATURETEST --have-dlopen || { - echo_i "dlopen() not supported - skipping filter-aaaa test" - exit 255 +$FEATURETEST --have-dlopen || { + echo_i "dlopen() not supported - skipping filter-aaaa test" + exit 255 } $FEATURETEST --tsan && { - echo_i "TSAN - skipping dlzexternal test" - exit 255 + echo_i "TSAN - skipping dlzexternal test" + exit 255 } exit 0 diff -Nru bind9-9.16.44/bin/tests/system/filter-aaaa/tests.sh bind9-9.16.48/bin/tests/system/filter-aaaa/tests.sh --- bind9-9.16.44/bin/tests/system/filter-aaaa/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/filter-aaaa/tests.sh 2024-02-11 11:31:39.000000000 +0000 
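Review bot: The skip message in the `--tsan` branch of filter-aaaa/prereq.sh names the wrong test, `echo_i "TSAN - skipping dlzexternal test"`, which looks like a copy from another prereq script. It should read `echo_i "TSAN - skipping filter-aaaa test"`, matching the dlopen branch above it. Otherwise a skipped run is attributed to the wrong system test in the logs.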
@@ -22,24 +22,22 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" -for conf in conf/good*.conf -do - n=`expr $n + 1` - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for conf in conf/good*.conf; do + n=$(expr $n + 1) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -for conf in conf/bad*.conf -do - n=`expr $n + 1` - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for conf in conf/bad*.conf; do + n=$(expr $n + 1) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done # 
@@ -47,178 +45,176 @@ # filter-aaaa-on-v4 yes; # filter-aaaa { 10.53.0.1; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n 
>/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS 
aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when 
both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" 
dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep 2001:db8::6 
dig.out.ns1.test$n >/dev/null || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 
"^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi # 
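Review bot: The case titled "NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set" never sets the DO bit. Its query is `$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1`, the same as the earlier unsigned case, so filtering of unsigned data with DO set is not exercised against ns1. The line should be `$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1`, as the recursive variant further down already does. The break-dnssec variant against 10.53.0.4 in the next hunk has the same omission.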
@@ -226,348 +222,343 @@ # filter-aaaa-on-v4 break-dnssec; # filter-aaaa { 10.53.0.4; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," 
dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa 
dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > 
dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" 
dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." 
fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)" -if testsock6 
fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi - # # Recursive tests against: # filter-aaaa-on-v4 yes; # filter-aaaa { 10.53.0.2; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is 
returned when both AAAA and A records exist, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep 
"flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" 
dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n 
>/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)" -if testsock6 
fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, signed, recursive ($n)" ret=0 # we need to prime the 
cache with addresses for the MX, since additional # section data won't be included unless it's validated, and that doesn't # necessarily happen otherwise. -$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null -$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 >/dev/null +$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 >/dev/null +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi # 
@@ -575,178 +566,175 @@ # filter-aaaa-on-v4 break-dnssec; # filter-aaaa { 10.53.0.3; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n 
>/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 
-grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr 
$n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep 
"::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i 
"skipped." + echo_i "skipped." fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + 
$ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) else -echo_i "skipped." + echo_i "skipped." fi -if ! testsock6 fd92:7065:b8e:ffff::1 -then - echo_i "IPv6 address not configured; skipping IPv6 query tests" - echo_i "exit status: $status" - exit $status +if ! testsock6 fd92:7065:b8e:ffff::1; then + echo_i "IPv6 address not configured; skipping IPv6 query tests" + echo_i "exit status: $status" + exit $status fi # Reconfiguring for IPv6 tests 
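Review bot: The check titled "NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec" never asserts the response code. It greps only for `ANSWER: 0` and for the absence of the `ad` flag, whereas the three sibling NODATA checks in this hunk also grep for `status: NOERROR`. As written, a reply with an empty answer section and an error rcode (SERVFAIL, for example) would presumably still pass, because the dig invocation only fails the test on a non-zero exit. That is exactly the case a break-dnssec filter test should tell apart from a clean NODATA. Since the reformat already touches these lines, add `grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1` after the `flags:.*ad.*QUERY` line of that check.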
@@ -767,653 +755,650 @@ # filter-aaaa-on-v6 yes; # filter-aaaa { fd92:7065:b8e:ffff::1; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned 
when both AAAA and A records exist, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned 
when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 
+grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) 
echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 2001:db8::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr 
$status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - +status=$(expr $status + $ret) # # Authoritative tests against: # filter-aaaa-on-v6 break-dnssec; # filter-aaaa { fd92:7065:b8e:ffff::4; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking 
that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep ::2 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep ::5 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS 
aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr 
$status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > 
/dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" 
dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS 
+add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep 
"^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - +status=$(expr $status + $ret) # # Recursive tests against: # filter-aaaa-on-v6 yes; # filter-aaaa { fd92:7065:b8e:ffff::2; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG 
$DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) 
echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns2.test$n > /dev/null 
&& ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 
+grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both 
AAAA and A record exists, unsigned over IPv4, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > 
dig.out.ns2.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - +status=$(expr $status + $ret) # # Recursive tests against: # filter-aaaa-on-v6 yes; # filter-aaaa { fd92:7065:b8e:ffff::3; }; # -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when only AAAA 
record exists, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || 
ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A 
records exist and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 
@fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr 
$status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep AAAA 
dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 
10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # We don't check for the AAAA record here as configuration in ns5 does # not make sense. The AAAA record is wanted by filter-aaaa but discarded # by the dns64 configuration. We just want to ensure the server stays # running. -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking filter-aaaa with dns64 ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/formerr/clean.sh bind9-9.16.48/bin/tests/system/formerr/clean.sh --- bind9-9.16.44/bin/tests/system/formerr/clean.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/formerr/clean.sh 2024-02-11 11:31:39.000000000 +0000 @@ -11,9 +11,9 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f nametoolong.out -rm -f twoquestions.out -rm -f noquestions.out +rm -f nametoolong.out +rm -f twoquestions.out +rm -f noquestions.out rm -f ns*/named.conf rm -f ns*/named.lock rm -f ns*/named.run diff -Nru bind9-9.16.44/bin/tests/system/formerr/tests.sh bind9-9.16.48/bin/tests/system/formerr/tests.sh --- bind9-9.16.44/bin/tests/system/formerr/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/formerr/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -17,29 +17,29 @@ status=0 echo_i "test name too long" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out -ans=`grep got: nametoolong.out` -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=`expr $status + 1`; +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out +ans=$(grep got: nametoolong.out) +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$(expr $status + 1) fi echo_i "two questions" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out -ans=`grep got: twoquestions.out` -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=`expr $status + 1`; +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out +ans=$(grep got: twoquestions.out) +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$(expr $status + 1) fi # this would be NOERROR if it included a COOKIE option, # but is a FORMERR without one. echo_i "empty question section (and no COOKIE option)" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out -ans=`grep got: noquestions.out` -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=`expr $status + 1`; +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out +ans=$(grep got: noquestions.out) +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$(expr $status + 1) fi echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/forward/ns1/sign.sh bind9-9.16.48/bin/tests/system/forward/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/forward/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/forward/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 
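Review bot: The expected reply `got: 000080010000000000000000` is compared three times in formerr/tests.sh with no explanation of what the hex encodes, so a reader cannot tell which property of the response each case pins. Read as a 12-byte DNS header it is ID 0, flags 0x8001 (QR set, RCODE 1 = FORMERR) and all four section counts zero, which agrees with the existing comment that the empty-question case is a FORMERR without a COOKIE option. I would add one comment above the first check, `# expected reply: bare 12-byte header, QR=1, RCODE=FORMERR, all counts 0`, and hold the string in a single variable so the three comparisons cannot drift apart. The exit status of `$PERL formerr.pl` is not tested either, though an empty output file already fails the string comparison.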
@@ -25,10 +25,10 @@ ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a static key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns3/trusted.conf diff -Nru bind9-9.16.44/bin/tests/system/forward/prereq.sh bind9-9.16.48/bin/tests/system/forward/prereq.sh --- bind9-9.16.44/bin/tests/system/forward/prereq.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/forward/prereq.sh 2024-02-11 11:31:39.000000000 +0000 @@ -14,24 +14,21 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - : +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + : else - echo_i "This test requires the Net::DNS library." >&2 - exit 1 + echo_i "This test requires the Net::DNS library." >&2 + exit 1 fi -if test -n "$PYTHON" -then - if $PYTHON -c "import dns" 2> /dev/null - then - : - else - echo_i "This test requires the dnspython module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if $PYTHON -c "import dns" 2>/dev/null; then + : + else + echo_i "This test requires the dnspython module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi diff -Nru bind9-9.16.44/bin/tests/system/forward/setup.sh bind9-9.16.48/bin/tests/system/forward/setup.sh --- bind9-9.16.44/bin/tests/system/forward/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/forward/setup.sh 2024-02-11 11:31:39.000000000 +0000 
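Review bot: In forward/ns1/sign.sh the line `"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1` discards both the signer's diagnostics and its exit status, so a failed signing run goes unnoticed here and the script still writes trusted.conf and copies it to ns3. Unless the part of the script above this hunk enables `set -e`, which cannot be seen from here, I would make the failure explicit with at least `"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 || exit 1`. A validation test whose trust anchor and signed zone are out of step is hard to diagnose from the later dig output alone.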
@@ -25,6 +25,6 @@ copy_setports ns10/named.conf.in ns10/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff -Nru bind9-9.16.44/bin/tests/system/forward/tests.sh bind9-9.16.48/bin/tests/system/forward/tests.sh --- bind9-9.16.44/bin/tests/system/forward/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/forward/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -16,15 +16,15 @@ . "$SYSTEMTESTTOP/conf.sh" dig_with_opts() ( - "$DIG" -p "$PORT" "$@" + "$DIG" -p "$PORT" "$@" ) sendcmd() ( - "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" + "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" ) rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" } root=10.53.0.1 
@@ -35,156 +35,156 @@ status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone overrides global forwarders ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward first zone no forwarders recurses ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only zone no forwarders fails ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that global forwarders work ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example4. 
txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forwarding doesn't spontaneously happen ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone with no specified policy works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example3. 
txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only doesn't recurse ($n)" ret=0 -dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1 -grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1 +grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking for negative caching of forwarder response ($n)" # prime the cache, shutdown the forwarder then check that we can # get the answer from the cache. restart forwarder. ret=0 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 stop_server ns4 || ret=1 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. 
txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 start_server --restart --noclean --port "${PORT}" ns4 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) check_override() ( - dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NOERROR" dig.out.$n.f2 > /dev/null && - dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null + dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NOERROR" dig.out.$n.f2 >/dev/null \ + && dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forward only zone overrides empty zone ($n)" ret=0 # retry loop in case the server restart above causes transient failure retry_quiet 10 check_override || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" ret=0 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1 -dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1 -dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1 -grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1 +dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1 +dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1 +grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1 +grep "status: NXDOMAIN" 
dig.out.$n.q2 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) count_sent() ( - logfile="$1" - start_pattern="$2" - pattern="$3" - nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" + logfile="$1" + start_pattern="$2" + pattern="$3" + nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" ) check_sent() ( - expected="$1" - shift - count=$(count_sent "$@") - [ "$expected" = "$count" ] + expected="$1" + shift + count=$(count_sent "$@") + [ "$expected" = "$count" ] ) wait_for_log() ( - nextpartpeek "$1" | grep "$2" >/dev/null + nextpartpeek "$1" | grep "$2" >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" ret=0 # Make ans6 receive queries without responding to them. 
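Review bot: The case titled "checking that a forward only zone no forwarders fails" runs exactly the same three commands as the "forward first zone no forwarders recurses" case before it: it queries txt.example2. at $root and $f1 and passes when digcomp finds the two answers equal. As written it asserts success rather than failure, so the forward-only behaviour named in the title is not exercised by this block. If the fixture configuration (not visible in this hunk) defines a forward-only zone without forwarders, the case should query a name in that zone and assert the failure status, in the style of the later `grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1` check; otherwise the title should be corrected.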
@@ -194,19 +194,19 @@ # when a delegation is encountered after falling back to full recursive # resolution. nextpart ns3/named.run >/dev/null -dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1 # The forwarder for the "example7" zone should only be queried once. start_pattern="sending packet to 10\.53\.0\.6" retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that priming queries are not forwarded ($n)" ret=0 nextpart ns7/named.run >/dev/null -dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1 received_pattern="received packet from 10\.53\.0\.1" start_pattern="sending packet to 10\.53\.0\.1" retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 
@@ -216,35 +216,35 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run) [ "$sent" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking recovery from forwarding to a non-recursive server ($n)" ret=0 -dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1 -grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 +dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1 +grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rebinding protection works in forward only mode ($n)" ret=0 # 10.53.0.5 will forward target.malicious. query to 10.53.0.4 # which in turn will return a CNAME for subdomain.rebind. # to honor the option deny-answer-aliases { "rebind"; }; # ns5 should return a SERVFAIL to avoid potential rebinding attacks -dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 -grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. 
>dig.out.$n || ret=1 +grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)" ret=0 copy_setports ns3/named2.conf.in ns3/named.conf rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -sendcmd << EOF +sendcmd </dev/null -dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 -grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Check various spoofed response scenarios. The same tests will be # run twice, with "forward first" and "forward only" configurations. # -run_spooftests () { - n=$((n+1)) - echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 - # check 'net' is not poisoned. - dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 - grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 - # check 'sub.local.net' is not poisoned. - dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 - grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 - # check that net2/DNAME is not cached - dig_with_opts @10.53.0.9 net2. 
DNAME > dig.out.$n.net2 || ret=1 - grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 - grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 3 - extra answer ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 - # check extra net3 records are not cached - rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i - for try in 1 2 3 4 5; do - lines=$(grep "net3" ns9/named_dump.db | wc -l) - if [ ${lines} -eq 0 ]; then - sleep 1 - continue - fi - [ ${lines} -eq 1 ] || ret=1 - grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 - grep -q '^local.net3' ns9/named_dump.db && ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +run_spooftests() { + n=$((n + 1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. 
DNAME >dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } echo_i "checking spoofed response scenarios with forward first zones" 
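Review bot: In run_spooftests scenario 3 the retry loop can finish without ever inspecting the cache dump: while `grep "net3" ns9/named_dump.db | wc -l` yields 0 the body only sleeps and continues, so after five empty tries `ret` is still 0 and the case reports success. A dump that is never written, or is written late, therefore passes the "extra net3 records are not cached" check vacuously, which weakens this cache-poisoning regression test. The loop also has no `break`, so once the dump is present the same three checks are simply repeated for the remaining iterations. I would add `break` after the `grep -q '^local.net3'` line and `[ "${lines}" -eq 1 ] || ret=1` after `done`, so the case fails when the single expected net3 entry never appears.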
@@ -330,31 +330,31 @@ rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 # check 'net' is poisoned. -dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1 # check 'sub.local.net' is poisoned. -dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 # check that net2/DNAME is cached -dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." 
dig.out.$n.net2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # This test doesn't use any forwarder clauses but is here because it @@ -367,17 +367,17 @@ rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking sibling glue below zone ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1 # check for glue A record for sub.local.tld is not used -dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/genzone.sh bind9-9.16.48/bin/tests/system/genzone.sh --- bind9-9.16.44/bin/tests/system/genzone.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/genzone.sh 2024-02-11 11:31:39.000000000 +0000 @@ -33,9 +33,8 @@ 3600 ) EOF -for n -do - cat <&2 - exit 255 + echo_i "This test requires GeoIP support." >&2 + exit 255 } exit 0 diff -Nru bind9-9.16.44/bin/tests/system/geoip2/setup.sh bind9-9.16.48/bin/tests/system/geoip2/setup.sh --- bind9-9.16.44/bin/tests/system/geoip2/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/geoip2/setup.sh 2024-02-11 11:31:39.000000000 +0000 
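Review bot: The context line `rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i` at the top of this hunk, and again at the top of the following "sibling glue" hunk, prefixes the output with `ns3` although the command is sent to 10.53.0.9, which the dumpdb call in run_spooftests labels `ns9`. A mislabelled line points whoever reads a failing log at the wrong server's named.run, so I would change both to `sed 's/^/ns9 /'`. The pipeline also hides rndc's exit status, so a flush that fails leaves the cache primed by the previous scenario and the following checks then run against stale data.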
@@ -19,6 +19,6 @@ copy_setports ns2/named1.conf.in ns2/named.conf for i in 1 2 3 4 5 6 7 other bogus; do - cp ns2/example.db.in ns2/example${i}.db - echo "@ IN TXT \"$i\"" >> ns2/example$i.db + cp ns2/example.db.in ns2/example${i}.db + echo "@ IN TXT \"$i\"" >>ns2/example$i.db done diff -Nru bind9-9.16.44/bin/tests/system/geoip2/tests.sh bind9-9.16.48/bin/tests/system/geoip2/tests.sh --- bind9-9.16.44/bin/tests/system/geoip2/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/geoip2/tests.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -23,55 +23,52 @@ DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" -for conf in conf/good*.conf -do - n=`expr $n + 1` - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -done - -for conf in conf/bad*.conf -do - n=`expr $n + 1` - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +for conf in conf/good*.conf; do + n=$(expr $n + 1) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -n=`expr $n + 1` +for conf in conf/bad*.conf; do + n=$(expr $n + 1) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) +done + +n=$(expr $n + 1) echo_i "checking Country database by code using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking Country database by code using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | 
tr -d '"'` + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 country code test" fi @@ -82,35 +79,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking Country database with nested ACLs using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking Country database with nested ACLs using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 country nested ACL test" fi 
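Review bot: The `conf/bad*.conf` loop treats any non-zero exit from `$CHECKCONF "$conf" >/dev/null` as a rejection, so a failure unrelated to the configuration passes as a correct refusal. If the pattern matches no file, the shell passes the literal `conf/bad*.conf`, the checker fails on it, and the negative test still passes. A guard between `ret=0` and the call, `[ -f "$conf" ] || ret=1`, would close the unmatched-glob case. Telling a checker crash from a genuine refusal would need its exit code or message, which this hunk does not show.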
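Review bot: The counters are still bumped through `expr` inside a command substitution (`n=$(expr $n + 1)`, `status=$(expr $status + $ret)`), which starts a process for each increment, while hunks earlier in this diff already use shell arithmetic. `n=$((n + 1))` and `status=$((status + ret))` would match that style. Likewise `j=$(tr -d '"' <dig.out.ns2.test$n.$i)` drops the extra `cat`. The same lines appear in the hunk above and in the remaining hunks of geoip2/tests.sh.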
@@ -121,35 +117,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking Country database by name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking Country database by name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 country name test" fi 
@@ -160,37 +155,36 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking Country database by continent code using IPv4 ($n)" ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking Country database by continent code using IPv6 ($n)" ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 continent code test" fi 
@@ -201,77 +195,75 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking City database by region code using IPv4 ($n)" ret=0 lret=0 # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking City database by region code using IPv6 ($n)" ret=0 lret=0 -# skipping 2 on purpose here; it has the same region code as 1 + # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 region code test" fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "reloading server" copy_setports ns2/named6.conf.in ns2/named.conf $CHECKCONF ns2/named.conf | cat_i rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking City database by city name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat 
dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking City database by city name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 city test" fi 
@@ -282,35 +274,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking ISP database using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking ISP database using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 ISP test" fi 
@@ -321,35 +312,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking ASN database by org name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking ASN database by org name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 ASN test" fi 
@@ -360,35 +350,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 ASN test" fi 
@@ -399,35 +388,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking ASN database, NNNN only, using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 ASN test" fi 
@@ -438,35 +426,34 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking Domain database using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) -if testsock6 fd92:7065:b8e:ffff::3 -then - n=`expr $n + 1` +if testsock6 fd92:7065:b8e:ffff::3; then + n=$(expr $n + 1) echo_i "checking Domain database using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" - status=`expr $status + $ret` + status=$(expr $status + $ret) else echo_i "IPv6 unavailable; skipping IPv6 Domain test" fi 
@@ -477,13 +464,13 @@ rndc_reload ns2 10.53.0.2 sleep 3 -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking geoip blackhole ACL ($n)" ret=0 -$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1 -$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1 +$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1 +$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1 [ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` +status=$(expr $status + $ret) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.44/bin/tests/system/glue/tests.sh bind9-9.16.48/bin/tests/system/glue/tests.sh --- bind9-9.16.44/bin/tests/system/glue/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/glue/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -27,7 +27,7 @@ digcomp --lc fi.good dig.out || status=1 echo_i "testing that we don't find out-of-zone glue" -$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1 +$DIG $DIGOPTS @10.53.0.1 example.net. a >dig.out || status=1 digcomp noglue.good dig.out || status=1 echo_i "exit status: $status" diff -Nru bind9-9.16.44/bin/tests/system/idna/tests.sh bind9-9.16.48/bin/tests/system/idna/tests.sh --- bind9-9.16.44/bin/tests/system/idna/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/idna/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -17,9 +17,9 @@ # Set known locale for the tests if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then - LC_ALL="C.UTF-8" + LC_ALL="C.UTF-8" elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then - LC_ALL="en_US.UTF-8" + LC_ALL="en_US.UTF-8" fi export LC_ALL @@ -70,7 +70,6 @@ n=0 status=0 - # Function for extracting the qname from the response # # This is the first field in the line after the line starting 
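Review bot: In the geoip blackhole check, `$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n` does not capture stderr in the file. Redirections apply left to right, so stderr is duplicated onto the script's original stdout before stdout is pointed at the file. If both streams are meant to be saved, the line should read `$RNDCCMD 10.53.0.2 status >rndc.out.ns2.test$n 2>&1 || ret=1`. The check asserts only the exit statuses of dig and rndc, so the saved output is the main diagnostic when it fails.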
@@ -79,10 +78,10 @@ # The string returned includes the trailing period. qname() { - awk 'BEGIN { qs = 0; } \ + awk 'BEGIN { qs = 0; } \ /;; QUESTION SECTION:/ { qs = 1; next; } \ qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \ - $1 + $1 } # Function for performing a test where "dig" is expected to succeed. @@ -95,26 +94,26 @@ # parameter should have that period as well. idna_test() { - n=`expr $n + 1` - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - $DIGCMD $2 $3 > dig.out.$n 2>&1 - if [ $? -ne 0 ]; then - echo_i "failed: dig command returned non-zero status" - ret=1 - else - actual=`qname dig.out.$n` - if [ "$4" != "$actual" ]; then - echo_i "failed: expected answer $4, actual result $actual" - ret=1 - fi + n=$(expr $n + 1) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + $DIGCMD $2 $3 >dig.out.$n 2>&1 + if [ $? -ne 0 ]; then + echo_i "failed: dig command returned non-zero status" + ret=1 + else + actual=$(qname dig.out.$n) + if [ "$4" != "$actual" ]; then + echo_i "failed: expected answer $4, actual result $actual" + ret=1 fi - status=`expr $status + $ret` + fi + status=$(expr $status + $ret) } # Function for performing a test where "dig" is expected to fail 
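Review bot: In `idna_test`, the queried name is expanded unquoted in `$DIGCMD $2 $3 >dig.out.$n 2>&1`, so it goes through word splitting and pathname expansion before dig receives it. `$2` has to stay unquoted because it carries several options, but the name should be passed as `"$3"`, i.e. `$DIGCMD $2 "$3" >dig.out.$n 2>&1`. The labels visible on this page contain no whitespace or glob characters, so this changes nothing today. It matters because this suite exists to feed unusual Unicode and symbol labels to dig byte-for-byte. `idna_fail` in the next hunk has the same line.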
@@ -124,20 +123,20 @@ # $3 - Name being queried idna_fail() { - n=`expr $n + 1` - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - $DIGCMD $2 $3 > dig.out.$n 2>&1 - if [ $? -eq 0 ]; then - echo_i "failed: dig command unexpectedly succeeded" - ret=1 - fi - status=`expr $status + $ret` + n=$(expr $n + 1) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + $DIGCMD $2 $3 >dig.out.$n 2>&1 + if [ $? -eq 0 ]; then + echo_i "failed: dig command unexpectedly succeeded" + ret=1 + fi + status=$(expr $status + $ret) } # Function to check that case is preserved for an all-ASCII label. 
@@ -158,221 +157,210 @@ # as the qname. ascii_case_preservation_test() { - text="Checking valid ASCII label" - idna_test "$text" "" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. + text="Checking valid ASCII label" + idna_test "$text" "" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. } # Function to perform the tests if IDNA is enabled. idna_enabled_test() { - echo_i "IDNA is enabled, all IDNA tests will be performed" - # Check that case is preserved on an ASCII label. - - ascii_case_preservation_test + echo_i "IDNA is enabled, all IDNA tests will be performed" + # Check that case is preserved on an ASCII label. + ascii_case_preservation_test - # Test of a valid U-label - # - # +noidnin +noidnout: The label is sent as a unicode octet stream and dig - # will display the string in the \nnn format. - # +noidnin +idnout: As for the previous case. - # +idnin +noidnout: The label is converted to the xn-- format. "dig" - # displays the returned xn-- text. - # +idnin +idnout: The label is converted to the xn-- format. "dig" - # converts the returned xn-- string back to the original - # unicode text. - # - # Note that ASCII characters are converted to lower-case. - - text="Checking valid non-ASCII label" - idna_test "$text" "" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." - idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." - idna_test "$text" "+idnin +idnout" "München" "münchen." 
- - - # Tests of transitional processing of a valid U-label - # - # IDNA2003 introduced national character sets but, unfortunately, didn't - # support several characters properly. One of those was the German - # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". - # So the domain “faß.de” domain (for example) was processed as “fass.de”. - # - # This was corrected in IDNA2008, although some vendors that adopted this - # standard chose to keep the existing IDNA2003 translation for this - # character to prevent problems (e.g. people visiting www.faß.example would, - # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at - # www.fa\195\159.example - a different web site). - # - # BIND has adopted a hard transition, so this test checks that these - # transitional mapping is not used. The tests are essentially the same as - # for the valid U-label. - - text="Checking that non-transitional IDNA processing is used" - idna_test "$text" "" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." - idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." - - # Another problem character. The final character in the first label mapped - # onto the Greek sigma character ("σ") in IDNA2003. - - text="Second check that non-transitional IDNA processing is used" - idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." - idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." - - - - # Tests of a valid A-label (i.e. 
starting xn--) - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding U-label. - # - # The "+[no]idnin" flag has no effect in these cases. - - text="Checking valid A-label" - idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - - # Test of valid A-label in locale that cannot display it - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding A-label. - # - # The "+[no]idnout" flag has no effect in these cases. - saved_LC_ALL="${LC_ALL}" - LC_ALL="C" - text="Checking valid A-label in C locale" - label="xn--nxasmq6b.com" - if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then - idna_test "$text" "" "$label" "$label." - idna_test "$text" "+noidnin +noidnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - idna_test "$text" "+idnin +noidnout" "$label" "$label." - idna_test "$text" "+idnin +idnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - fi - LC_ALL="${saved_LC_ALL}" - - - - # Tests of invalid A-labels - # - # +noidnin: The label is sent as-is to the server and dig will display the - # returned fake A-label in the same form. - # +idnin: "dig" should report that the label is not correct. - # - # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" - # should report an error if +idnout is specified. 
- - # The minimum length of a punycode A-label is 7 characters. Check that - # a shorter label is detected and rejected. - - text="Checking punycode label shorter than minimum valid length" - idna_test "$text" "" "xn--xx" "xn--xx." - idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." - idna_fail "$text" "+noidnin +idnout" "xn--xx" - idna_fail "$text" "+idnin +noidnout" "xn--xx" - idna_fail "$text" "+idnin +idnout" "xn--xx" - - # Fake A-label - the string does not translate to anything. - - text="Checking fake A-label" - idna_test "$text" "" "xn--ahahah" "xn--ahahah." - idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." - idna_fail "$text" "+noidnin +idnout" "xn--ahahah" - idna_fail "$text" "+idnin +noidnout" "xn--ahahah" - idna_fail "$text" "+idnin +idnout" "xn--ahahah" - - # Too long a label. The punycode string is too long (at 64 characters). - # BIND rejects such labels: with +idnin - - label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" - text="Checking punycode label longer than maximum valid length" - idna_fail "$text" "" "$label" - idna_fail "$text" "+noidnin +noidnout" "$label" - idna_fail "$text" "+noidnin +idnout" "$label" - idna_fail "$text" "+idnin +noidnout" "$label" - idna_fail "$text" "+idnin +idnout" "$label" - - - - - # Tests of a valid unicode string but an invalid U-label (input) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are supplied on the command line to ensure no IDNA2003 - # fallbacks are in place. - # - # +noidnin: "dig" should send unicode octets to the server and display the - # returned qname in the same form. - # +idnin: "dig" should generate an error. - # - # The +[no]idnout options should not have any effect on the test. - - text="Checking invalid input U-label" - idna_test "$text" "" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." 
- idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." - idna_test "$text" "+idnin +idnout" "√.com" "√.com." - - # Tests of a valid unicode string but an invalid U-label (output) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are received in DNS responses to ensure no IDNA2003 fallbacks - # are in place. - # - # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses - # Punycode more strictly than older versions and thus dig fails with that - # combination of options with libidn2 2.2.0+ but succeeds with older - # versions. - # - # +noidnout: "dig" should send the ACE string to the server and display the - # returned qname. - # +idnout: "dig" should generate an error. - # - # The +[no]idnin options should not have any effect on the test. - - text="Checking invalid output U-label" - idna_test "$text" "" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +idnout" "xn--19g" "√." - idna_test "$text" "+idnin +idnout" "xn--19g" "√." + # Test of a valid U-label + # + # +noidnin +noidnout: The label is sent as a unicode octet stream and dig + # will display the string in the \nnn format. + # +noidnin +idnout: As for the previous case. + # +idnin +noidnout: The label is converted to the xn-- format. "dig" + # displays the returned xn-- text. + # +idnin +idnout: The label is converted to the xn-- format. "dig" + # converts the returned xn-- string back to the original + # unicode text. + # + # Note that ASCII characters are converted to lower-case. + + text="Checking valid non-ASCII label" + idna_test "$text" "" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." + idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." + idna_test "$text" "+idnin +idnout" "München" "münchen." 
+ + # Tests of transitional processing of a valid U-label + # + # IDNA2003 introduced national character sets but, unfortunately, didn't + # support several characters properly. One of those was the German + # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". + # So the domain “faß.de” domain (for example) was processed as “fass.de”. + # + # This was corrected in IDNA2008, although some vendors that adopted this + # standard chose to keep the existing IDNA2003 translation for this + # character to prevent problems (e.g. people visiting www.faß.example would, + # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at + # www.fa\195\159.example - a different web site). + # + # BIND has adopted a hard transition, so this test checks that these + # transitional mapping is not used. The tests are essentially the same as + # for the valid U-label. + + text="Checking that non-transitional IDNA processing is used" + idna_test "$text" "" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." + idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." + + # Another problem character. The final character in the first label mapped + # onto the Greek sigma character ("σ") in IDNA2003. + + text="Second check that non-transitional IDNA processing is used" + idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." + idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." + + # Tests of a valid A-label (i.e. 
starting xn--) + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding U-label. + # + # The "+[no]idnin" flag has no effect in these cases. + + text="Checking valid A-label" + idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + + # Test of valid A-label in locale that cannot display it + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding A-label. + # + # The "+[no]idnout" flag has no effect in these cases. + saved_LC_ALL="${LC_ALL}" + LC_ALL="C" + text="Checking valid A-label in C locale" + label="xn--nxasmq6b.com" + if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then + idna_test "$text" "" "$label" "$label." + idna_test "$text" "+noidnin +noidnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + idna_test "$text" "+idnin +noidnout" "$label" "$label." + idna_test "$text" "+idnin +idnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + fi + LC_ALL="${saved_LC_ALL}" + + # Tests of invalid A-labels + # + # +noidnin: The label is sent as-is to the server and dig will display the + # returned fake A-label in the same form. + # +idnin: "dig" should report that the label is not correct. + # + # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" + # should report an error if +idnout is specified. 
+ + # The minimum length of a punycode A-label is 7 characters. Check that + # a shorter label is detected and rejected. + + text="Checking punycode label shorter than minimum valid length" + idna_test "$text" "" "xn--xx" "xn--xx." + idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." + idna_fail "$text" "+noidnin +idnout" "xn--xx" + idna_fail "$text" "+idnin +noidnout" "xn--xx" + idna_fail "$text" "+idnin +idnout" "xn--xx" + + # Fake A-label - the string does not translate to anything. + + text="Checking fake A-label" + idna_test "$text" "" "xn--ahahah" "xn--ahahah." + idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." + idna_fail "$text" "+noidnin +idnout" "xn--ahahah" + idna_fail "$text" "+idnin +noidnout" "xn--ahahah" + idna_fail "$text" "+idnin +idnout" "xn--ahahah" + + # Too long a label. The punycode string is too long (at 64 characters). + # BIND rejects such labels: with +idnin + + label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" + text="Checking punycode label longer than maximum valid length" + idna_fail "$text" "" "$label" + idna_fail "$text" "+noidnin +noidnout" "$label" + idna_fail "$text" "+noidnin +idnout" "$label" + idna_fail "$text" "+idnin +noidnout" "$label" + idna_fail "$text" "+idnin +idnout" "$label" + + # Tests of a valid unicode string but an invalid U-label (input) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are supplied on the command line to ensure no IDNA2003 + # fallbacks are in place. + # + # +noidnin: "dig" should send unicode octets to the server and display the + # returned qname in the same form. + # +idnin: "dig" should generate an error. + # + # The +[no]idnout options should not have any effect on the test. + + text="Checking invalid input U-label" + idna_test "$text" "" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." 
+ idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." + idna_test "$text" "+idnin +idnout" "√.com" "√.com." + + # Tests of a valid unicode string but an invalid U-label (output) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are received in DNS responses to ensure no IDNA2003 fallbacks + # are in place. + # + # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses + # Punycode more strictly than older versions and thus dig fails with that + # combination of options with libidn2 2.2.0+ but succeeds with older + # versions. + # + # +noidnout: "dig" should send the ACE string to the server and display the + # returned qname. + # +idnout: "dig" should generate an error. + # + # The +[no]idnin options should not have any effect on the test. + + text="Checking invalid output U-label" + idna_test "$text" "" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +idnout" "xn--19g" "√." + idna_test "$text" "+idnin +idnout" "xn--19g" "√." } - # Function to perform tests if IDNA is not enabled. idna_disabled_test() { - echo_i "IDNA is disabled, only case mapping tests will be performed" - ascii_case_preservation_test + echo_i "IDNA is disabled, only case mapping tests will be performed" + ascii_case_preservation_test } - # Main test begins here $FEATURETEST --with-idn if [ $? -eq 0 ]; then - idna_enabled_test + idna_enabled_test else - idna_disabled_test + idna_disabled_test fi exit $status diff -Nru bind9-9.16.44/bin/tests/system/ifconfig.sh bind9-9.16.48/bin/tests/system/ifconfig.sh --- bind9-9.16.44/bin/tests/system/ifconfig.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/ifconfig.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -34,195 +34,195 @@ use_ip= case "$sys" in - *-*-linux*) - if type ip > /dev/null; then - use_ip=yes - elif type ifconfig > /dev/null; then - : - else - echo "$0: can't find ip or ifconfig" >&2 - exit 1 - fi - ;; + *-*-linux*) + if type ip >/dev/null; then + use_ip=yes + elif type ifconfig >/dev/null; then + : + else + echo "$0: can't find ip or ifconfig" >&2 + exit 1 + fi + ;; esac up() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - /sbin/ifconfig lo0:$int plumb - /sbin/ifconfig lo0:$int $a up - /sbin/ifconfig lo0:$int mtu 1500 - } - [ "$aaaa" ] && { - /sbin/ifconfig lo0:$int inet6 plumb - /sbin/ifconfig lo0:$int inet6 $aaaa up - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $a lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $aaaa lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; - *-*-linux*) - if [ "$use_ip" ]; then - ip address add $a/24 dev lo:$int - ip link set dev lo:$int mtu 1500 - [ "$aaaa" ] && ip address add $aaaa/64 dev lo - else - ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-*-bsdi[3-5].*) - [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 $a 
alias netmask 0xffffffff - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up - [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-darwin*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-cygwin*) - echo "Please run ifconfig.bat as Administrator." - exit 1 - ;; - *) - echo "Don't know how to set up interface. Giving up." - exit 1 - ;; - esac + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int $a up + /sbin/ifconfig lo0:$int mtu 1500 + } + [ "$aaaa" ] && { + /sbin/ifconfig lo0:$int inet6 plumb + /sbin/ifconfig lo0:$int inet6 $aaaa up + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $a lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $aaaa lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; + *-*-linux*) + if [ "$use_ip" ]; then + ip address add $a/24 dev lo:$int + ip link set dev lo:$int mtu 1500 + [ "$aaaa" ] && ip address add $aaaa/64 dev lo + else + ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-unknown-dragonfly* | *-unknown-netbsd* | *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 
+ ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up + [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-darwin*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to set up interface. Giving up." + exit 1 + ;; + esac } down() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a down - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - ifconfig lo0:$int $a down - ifconfig lo0:$int $a unplumb - } - [ "$aaaa" ] && { - ifconfig lo0:$int inet6 down - ifconfig lo0:$int inet6 unplumb - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - ipadm delete-addr lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - ipadm delete-addr lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; - - *-*-linux*) - if [ "$use_ip" ]; then - [ "$a" ] && ip address del $a/24 dev lo:$int - [ "$aaaa" ] && ip address del $aaaa/64 dev lo - else - [ "$a" ] && ifconfig lo:$int $a down - [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-netbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-*-bsdi[3-5].*) - [ 
"$a" ] && ifconfig lo0 remove $a - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 delete $a - [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 - [ "$aaaa" ] && ifconfig lo0:$int inet6 :: - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *darwin*) - [ "$a" ] && ifconfig lo0 -alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-cygwin*) - echo "Please run ifconfig.bat as Administrator." - exit 1 - ;; - *) - echo "Don't know how to destroy interface. Giving up." - exit 1 - ;; - esac + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a down + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + ifconfig lo0:$int $a down + ifconfig lo0:$int $a unplumb + } + [ "$aaaa" ] && { + ifconfig lo0:$int inet6 down + ifconfig lo0:$int inet6 unplumb + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + ipadm delete-addr lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + ipadm delete-addr lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; + + *-*-linux*) + if [ "$use_ip" ]; then + [ "$a" ] && ip address del $a/24 dev lo:$int + [ "$aaaa" ] && ip address del $aaaa/64 dev lo + else + [ "$a" ] && ifconfig lo:$int $a down + [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-netbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig 
lo0 remove $a + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 delete $a + [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 + [ "$aaaa" ] && ifconfig lo0:$int inet6 :: + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *darwin*) + [ "$a" ] && ifconfig lo0 -alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to destroy interface. Giving up." + exit 1 + ;; + esac } sequence() ( - awk -v s=$1 -v e=$2 ' + awk -v s=$1 -v e=$2 ' BEGIN { for (i = s ; i <= e; i++) { print i; } exit; 
@@ -242,30 +242,28 @@ # max=11 case $1 in - start|up|stop|down) - for i in $(sequence 0 2) - do - case $i in - 0) ipv6="ff" ;; - 1) ipv6="99" ;; - 2) ipv6="00" ;; - *) ipv6="" ;; - esac - for ns in $(sequence 1 $max) - do - [ $i -gt 0 -a $ns -gt 2 ] && break - int=$((i * max + ns)) - a=10.53.$i.$ns - aaaa=fd92:7065:b8e:${ipv6}ff::$ns - case "$1" in - start|up) up;; - stop|down) down;; - esac - done - done - ;; - *) - echo "Usage: $0 { up | down }" - exit 1 - ;; + start | up | stop | down) + for i in $(sequence 0 2); do + case $i in + 0) ipv6="ff" ;; + 1) ipv6="99" ;; + 2) ipv6="00" ;; + *) ipv6="" ;; + esac + for ns in $(sequence 1 $max); do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=$((i * max + ns)) + a=10.53.$i.$ns + aaaa=fd92:7065:b8e:${ipv6}ff::$ns + case "$1" in + start | up) up ;; + stop | down) down ;; + esac + done + done + ;; + *) + echo "Usage: $0 { up | down }" + exit 1 + ;; esac diff -Nru bind9-9.16.44/bin/tests/system/inline/clean.sh bind9-9.16.48/bin/tests/system/inline/clean.sh --- bind9-9.16.44/bin/tests/system/inline/clean.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/clean.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -12,16 +12,16 @@ # information regarding copyright ownership. rm -rf ./*/*.jbk \ - ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \ - ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \ - ./*/trusted.conf \ - ./K* ./*/K* \ - ./checkecdsa \ - ./freeze.test* thaw.test* \ - ./import.key \ - ././ns*/managed-keys.bind* ./ns*/*.mkeys* \ - ./*/dsset-* ./*/nzf-* \ - ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ - ./*.out ./*.out* ./*/*.out ./*/*.out* \ - ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ - ns3/a-file ns3/removedkeys + ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \ + ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \ + ./*/trusted.conf \ + ./K* ./*/K* \ + ./checkecdsa \ + ./freeze.test* thaw.test* \ + ./import.key \ + ././ns*/managed-keys.bind* ./ns*/*.mkeys* \ + ./*/dsset-* ./*/nzf-* \ + ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ + ./*.out ./*.out* ./*/*.out ./*/*.out* \ + ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ + ns3/a-file ns3/removedkeys diff -Nru bind9-9.16.44/bin/tests/system/inline/ns1/sign.sh bind9-9.16.48/bin/tests/system/inline/ns1/sign.sh --- bind9-9.16.44/bin/tests/system/inline/ns1/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/ns1/sign.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -19,8 +19,8 @@ rm -f K.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out +$SIGNER -S -x -T 1200 -o ${zone} root.db >signer.out [ $? = 0 ] || cat signer.out -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns6/trusted.conf diff -Nru bind9-9.16.44/bin/tests/system/inline/ns3/sign.sh bind9-9.16.48/bin/tests/system/inline/ns3/sign.sh --- bind9-9.16.44/bin/tests/system/inline/ns3/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/ns3/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -16,7 +16,7 @@ # Fake an unsupported key unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported) -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key zone=bits 
@@ -24,36 +24,36 @@ rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=noixfr rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=master rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=dynamic rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=updated rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db +$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null cp master2.db.in updated.db # signatures are expired and should be regenerated on startup 
@@ -62,28 +62,28 @@ rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null zone=retransfer rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=nsec3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=retransfer3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=inactiveksk rm -f K${zone}.+*+*.key @@ -92,7 +92,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=inactivezsk rm -f K${zone}.+*+*.key 
@@ -101,7 +101,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=delayedkeys rm -f K${zone}.+*+*.key 
@@ -123,38 +123,35 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -for s in a c d h k l m q z -do - zone=test-$s - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +for s in a c d h k l m q z; do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) done -for s in b f i o p t v -do - zone=test-$s - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +for s in b f i o p t v; do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) done zone=externalkey rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM} -do - k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) - k2=$($KEYGEN -q -a $alg -n zone $zone) - k3=$($KEYGEN -q -a $alg -n zone $zone) - k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) - $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db - - # Convert k1 and k2 in to External Keys. - rm -f $k1.private - mv $k1.key a-file - $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) - rm -f $k2.private - mv $k2.key a-file - $IMPORTKEY -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) +for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}; do + k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + k2=$($KEYGEN -q -a $alg -n zone $zone) + k3=$($KEYGEN -q -a $alg -n zone $zone) + k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + $DSFROMKEY -T 1200 $k4 >>../ns1/root.db + + # Convert k1 and k2 in to External Keys. 
+ rm -f $k1.private + mv $k1.key a-file + $IMPORTKEY -P now -D now+3600 -f a-file $zone >/dev/null 2>&1 \ + || (echo_i "importkey failed: $alg") + rm -f $k2.private + mv $k2.key a-file + $IMPORTKEY -f a-file $zone >/dev/null 2>&1 \ + || (echo_i "importkey failed: $alg") done diff -Nru bind9-9.16.44/bin/tests/system/inline/ns8/sign.sh bind9-9.16.48/bin/tests/system/inline/ns8/sign.sh --- bind9-9.16.44/bin/tests/system/inline/ns8/sign.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/ns8/sign.sh 2024-02-11 11:31:39.000000000 +0000 @@ -15,16 +15,15 @@ . $SYSTEMTESTTOP/conf.sh for zone in example01.com example02.com example03.com example04.com \ - example05.com example06.com example07.com example08.com \ - example09.com example10.com example11.com example12.com \ - example13.com example14.com example15.com example16.com -do + example05.com example06.com example07.com example08.com \ + example09.com example10.com example11.com example12.com \ + example13.com example14.com example15.com example16.com; do rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) cp example.com.db.in ${zone}.db - $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 + $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null 2>&1 done for zone in example unsigned-serial-test; do diff -Nru bind9-9.16.44/bin/tests/system/inline/setup.sh bind9-9.16.48/bin/tests/system/inline/setup.sh --- bind9-9.16.44/bin/tests/system/inline/setup.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/setup.sh 2024-02-11 11:31:39.000000000 +0000 
@@ -51,7 +51,19 @@ copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf -(cd ns3; $SHELL -e sign.sh) -(cd ns1; $SHELL -e sign.sh) -(cd ns7; $SHELL -e sign.sh) -(cd ns8; $SHELL -e sign.sh) +( + cd ns3 + $SHELL -e sign.sh +) +( + cd ns1 + $SHELL -e sign.sh +) +( + cd ns7 + $SHELL -e sign.sh +) +( + cd ns8 + $SHELL -e sign.sh +) diff -Nru bind9-9.16.44/bin/tests/system/inline/tests.sh bind9-9.16.48/bin/tests/system/inline/tests.sh --- bind9-9.16.44/bin/tests/system/inline/tests.sh 2023-09-08 12:40:48.000000000 +0000 +++ bind9-9.16.48/bin/tests/system/inline/tests.sh 2024-02-11 11:31:39.000000000 +0000 @@ -18,29 +18,28 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" dig_with_opts() { - $DIG $DIGOPTS "$@" + $DIG $DIGOPTS "$@" } rndccmd() { - $RNDCCMD "$@" + $RNDCCMD "$@" } wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 n=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 >/dev/null 2>&1 -for i in 1 2 3 4 5 6 7 8 9 0 -do - nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) - test "$nsec3param" = "1 0 0 -" && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 0; do + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) + test "$nsec3param" = "1 0 0 -" && break + sleep 1 done n=$((n + 1)) 
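Review bot: In the inline/setup.sh hunk, each rewritten subshell runs `cd nsN` and then `$SHELL -e sign.sh` as two independent commands, so a failed `cd` does not stop the signing script from being started in the wrong directory. Unless `set -e` is in effect earlier in setup.sh (the hunk does not show it), I would chain them, e.g. `cd ns3 && $SHELL -e sign.sh`, and the same for ns1, ns7 and ns8. The exit status of each subshell is also not checked here, so a failed key-generation step may only surface later as an unrelated test failure.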
@@ -53,22 +52,21 @@ n=$((n + 1)) echo_i "checking that rrsigs are replaced with ksk only ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr nsec3. | - awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr nsec3. \ + | awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -76,7 +74,7 @@ n=$((n + 1)) echo_i "checking expired signatures are updated on load ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA >dig.out.ns3.test$n expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n) [ "$expiry" = "20110101000000" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
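Review bot: In the "checking expired signatures are updated on load" hunk, the context line `[ "$expiry" = "20110101000000" ] && ret=1` only fails when the old expiry is still present. If the `$DIG` call fails or the answer carries no RRSIG, `$expiry` is empty and the test passes without having verified a re-signed record. I would add `[ -n "$expiry" ] || ret=1` after the `awk` extraction, so a missing signature counts as a failure.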
@@ -85,20 +83,19 @@ n=$((n + 1)) echo_i "checking removal of private type record via 'rndc signing -clear' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 +$RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do - $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 - break; # We only want to remove 1 record for now. -done 2>&1 |sed 's/^/ns3 /' | cat_i - -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - num=$(grep "Done signing with" signing.out.test$n | wc -l) - [ $num = 1 ] && break - sleep 1 + $RNDCCMD 10.53.0.3 signing -clear ${key} bits >/dev/null || ret=1 + break # We only want to remove 1 record for now. +done 2>&1 | sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -108,9 +105,9 @@ n=$((n + 1)) echo_i "checking private type was properly signed ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n -grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n +grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
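Review bot: In the `rndc signing -clear` hunk, the reformatted polling loop sets `ans=0` on every iteration and never sets it to anything else, so the following `[ $ans = 0 ] || ret=1` can never fail. The test therefore passes even when the count of "Done signing with" records never drops to 1. I would replace `[ $num = 1 ] && break` with `[ $num = 1 ] || ans=1` followed by `[ $ans = 1 ] || break`. Separately, the `for key in $keys` loop is piped into `sed ... | cat_i`, so its `ret=1` is most likely assigned in a subshell and lost; writing the loop output to a file and checking the `rndc` exit status outside the pipeline would keep that failure visible.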
@@ -118,15 +115,14 @@ n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -clear all bits >/dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 + grep "No signing records found" signing.out.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -137,15 +133,15 @@ echo_i "checking negative private type response was properly signed ($n)" ret=0 sleep 1 -$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n -grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n +grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -$NSUPDATE << EOF +$NSUPDATE <