1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12# shellcheck source=conf.sh
13. ../conf.sh
14
15set -e
16
17status=0
18n=0
19
20rm -f dig.out.*
21
22dig_with_opts() {
23    "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@"
24}
25
26rndc_with_opts() {
27    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
28}
29
30echo_i "checking DNSSEC SERVFAIL is cached ($n)"
31ret=0
32dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
33rndc_dumpdb ns5 -all
34awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n
35grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1
36n=$((n+1))
37if [ $ret != 0 ]; then echo_i "failed"; fi
38status=$((status+ret))
39
40echo_i "checking SERVFAIL is returned from cache ($n)"
41ret=0
42dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
43grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
44n=$((n+1))
45if [ $ret != 0 ]; then echo_i "failed"; fi
46status=$((status+ret))
47
48echo_i "checking that +cd bypasses cache check ($n)"
49ret=0
50dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
51grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1
52n=$((n+1))
53if [ $ret != 0 ]; then echo_i "failed"; fi
54status=$((status+ret))
55
56echo_i "switching to non-dnssec SERVFAIL tests"
57ret=0
58rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /'
59rndc_dumpdb ns5 -all
60mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1
61awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1
62[ -s "sfcache.$n.1" ] && ret=1
63echo_i "checking SERVFAIL is cached ($n)"
64dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
65rndc_dumpdb ns5 -all
66mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2
67awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2
68grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1
69n=$((n+1))
70if [ $ret != 0 ]; then echo_i "failed"; fi
71status=$((status+ret))
72
73echo_i "checking SERVFAIL is returned from cache ($n)"
74ret=0
75nextpart ns5/named.run > /dev/null
76dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
77grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
78nextpart ns5/named.run > ns5/named.run.part$n
79grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1
80n=$((n+1))
81if [ $ret != 0 ]; then echo_i "failed"; fi
82status=$((status+ret))
83
84echo_i "checking cache is bypassed with +cd query ($n)"
85ret=0
86dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
87grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
88nextpart ns5/named.run > ns5/named.run.part$n
89grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1
90n=$((n+1))
91if [ $ret != 0 ]; then echo_i "failed"; fi
92status=$((status+ret))
93
94echo_i "checking cache is used for subsequent +cd query ($n)"
95ret=0
96dig_with_opts +dnssec bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
97grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
98nextpart ns5/named.run > ns5/named.run.part$n
99grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1
100n=$((n+1))
101if [ $ret != 0 ]; then echo_i "failed"; fi
102status=$((status+ret))
103
104echo_i "exit status: $status"
105[ $status -eq 0 ] || exit 1
106