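#!/bin/sh
#
# Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# DNSSEC system test: each check queries the test servers (10.53.0.x on
# port 5300) with dig (and delv where available), compares the answers with
# ../digcomp.pl, prints "I:failed" on a mismatch and adds the result to
# $status.  $DIG, $DELV and $PERL are provided by ../conf.sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0        # number of failed checks so far
n=1             # running check number, used in output file names

rm -f dig.out.*

# $DIGOPTS / $DELVOPTS are expanded unquoted on purpose: they are option
# lists that must word-split.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
DELVOPTS="-a ns1/trusted.conf -p 5300"

#######################################
# Print the private-type (type65534) signing-state records of a zone in
# readable form, one per line: "<signing|removing>: alg: A, key: K (state)".
# Arguments: $1 - zone name, $2 - address of the server to query
# Globals:   DIG, DIGOPTS, PERL (read)
# Outputs:   a "-- zone server --" banner followed by the decoded records
#######################################
showprivate () {
    echo "-- $* --"
    # Field 3 of dig's +short output for the unknown type is presumably the
    # hex RDATA (the "\# len hex" generic form) - that is what pack("H*") decodes.
    $DIG $DIGOPTS +nodnssec +short @"$2" -t type65534 "$1" | cut -f3 -d' ' |
    while read -r record; do
        # RDATA is exactly 5 bytes: alg(1) keyid(2) remove(1) complete(1).
        $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
            die "invalid record" unless length($rdata) == 5;
            my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
            my $action = "signing";
            $action = "removing" if $remove;
            my $state = " (incomplete)";
            $state = " (complete)" if $complete;
            print ("$action: alg: $alg, key: $key$state\n");' "$record"
    done
}

#######################################
# Check that no signing-state record of a zone is still marked incomplete.
# Arguments: same as showprivate ($1 - zone name, $2 - server address)
# Globals:   ret, x (written)
# Outputs:   on failure, the decoded records and "I:failed" on stdout
# Returns:   0 if every record is complete, 1 otherwise
#######################################
checkprivate () {
    ret=0
    x=`showprivate "$@"`
    # Was "grep incomplete >&- 2>&-".  With stdout closed, some grep
    # implementations report a write error on a *match* and exit non-zero,
    # so the "&& ret=1" never fired and an incomplete record went
    # unreported.  Discard the output instead of closing the descriptor.
    echo "$x" | grep incomplete > /dev/null 2>&1 && ret=1
    if [ "$ret" = 1 ]; then
        echo "$x"
        echo "I:failed"
    fi
    return "$ret"
}

#######################################
# Check that a zone file is in raw format with the given version.  The raw
# header starts with two big-endian 32-bit words: format (2 = raw) and
# version.
# Arguments: $1 - expected raw-format version, $2 - zone file
# Globals:   PERL (read)
# Returns:   0 if the header matches, non-zero otherwise (including when
#            the file cannot be opened)
#######################################
israw_version () {
    $PERL -e 'binmode STDIN;
        read(STDIN, $input, 8);
        ($style, $version) = unpack("NN", $input);
        exit 1 if ($style != 2 || $version != $ARGV[0]);' "$1" < "$2"
}

# check that a zone file is raw format, version 0
israw0 () {
    israw_version 0 "$1"
}

# check that a zone file is raw format, version 1
israw1 () {
    israw_version 1 "$1"
}

#######################################
# Strip NS records and RRSIG-over-NS records from dig output, so that the
# wildcard checks can compare an ns3 answer with an ns4 answer.
# Arguments: $1 - dig output file (reads stdin when omitted)
# Outputs:   the remaining lines on stdout
#######################################
stripns () {
    awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next } { print }' "$@"
}

# Check the example. domain

echo "I:checking that zone transfer worked ($n)"
# Give the secondary (ns3) up to 9 seconds to catch up with ns2.
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
    $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
    $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
    [ "$ret" = 0 ] && break
    sleep 1
done
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# the validating resolver (ns4) must set AD when asked for it
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# test AD bit:
# - dig +noadflag
echo "I:checking that AD is not set without +adflag or +dnssec ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. \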
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 115$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 116grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 117n=`expr $n + 1` 118if [ $ret != 0 ]; then echo "I:failed"; fi 119status=`expr $status + $ret` 120echo "I:checking for AD in authoritative answer ($n)" 121ret=0 122$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 123grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 124n=`expr $n + 1` 125if [ $ret != 0 ]; then echo "I:failed"; fi 126status=`expr $status + $ret` 127 128echo "I:checking positive validation NSEC ($n)" 129ret=0 130$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 131$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 132$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 133grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 134n=`expr $n + 1` 135if [ $ret != 0 ]; then echo "I:failed"; fi 136status=`expr $status + $ret` 137 138if [ -x ${DELV} ] ; then 139 ret=0 140 echo "I:checking postive validation NSEC using dns_client ($n)" 141 $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1 142 grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 143 grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1 144 n=`expr $n + 1` 145 if [ $ret != 0 ]; then echo "I:failed"; fi 146 status=`expr $status + $ret` 147fi 148 149echo "I:checking positive validation NSEC3 ($n)" 150ret=0 151$DIG $DIGOPTS +noauth a.nsec3.example. \ 152 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 153$DIG $DIGOPTS +noauth a.nsec3.example. 
\ 154 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 155$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 156grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 157n=`expr $n + 1` 158if [ $ret != 0 ]; then echo "I:failed"; fi 159status=`expr $status + $ret` 160 161if [ -x ${DELV} ] ; then 162 ret=0 163 echo "I:checking positive validation NSEC3 using dns_client ($n)" 164 $DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 165 grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 166 grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 167 n=`expr $n + 1` 168 if [ $ret != 0 ]; then echo "I:failed"; fi 169 status=`expr $status + $ret` 170fi 171 172echo "I:checking positive validation OPTOUT ($n)" 173ret=0 174$DIG $DIGOPTS +noauth a.optout.example. \ 175 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 176$DIG $DIGOPTS +noauth a.optout.example. \ 177 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 178$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 179grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 180n=`expr $n + 1` 181if [ $ret != 0 ]; then echo "I:failed"; fi 182status=`expr $status + $ret` 183 184if [ -x ${DELV} ] ; then 185 ret=0 186 echo "I:checking positive validation OPTOUT using dns_client ($n)" 187 $DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1 188 grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 189 grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 190 n=`expr $n + 1` 191 if [ $ret != 0 ]; then echo "I:failed"; fi 192 status=`expr $status + $ret` 193fi 194 195echo "I:checking positive wildcard validation NSEC ($n)" 196ret=0 197$DIG $DIGOPTS a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 198$DIG $DIGOPTS a.wild.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 199stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n 200stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n 201$PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 202grep "\*\.wild\.example\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 203grep "\*\.wild\.example\..*NSEC z\.example" dig.out.ns4.test$n > /dev/null || ret=1 204grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 205grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 206n=`expr $n + 1` 207if [ $ret != 0 ]; then echo "I:failed"; fi 208status=`expr $status + $ret` 209 210if [ -x ${DELV} ] ; then 211 ret=0 212 echo "I:checking positive wildcard validation NSEC using dns_client ($n)" 213 $DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1 214 grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 215 grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1 216 n=`expr $n + 1` 217 if [ $ret != 0 ]; then echo "I:failed"; fi 218 status=`expr $status + $ret` 219fi 220 221echo "I:checking positive wildcard answer NSEC3 ($n)" 222ret=0 223$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 224grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 225grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 226n=`expr $n + 1` 227if [ $ret != 0 ]; then echo "I:failed"; fi 228status=`expr $status + $ret` 229 230echo "I:checking positive wildcard answer NSEC3 ($n)" 231ret=0 232$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 233grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 234grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 235n=`expr $n + 1` 236if [ $ret != 0 ]; then echo "I:failed"; fi 237status=`expr $status + $ret` 238 239echo "I:checking positive wildcard validation NSEC3 ($n)" 240ret=0 241$DIG $DIGOPTS a.wild.nsec3.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 242$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 243stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n 244stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n 245$PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 246grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 247grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 248n=`expr $n + 1` 249if [ $ret != 0 ]; then echo "I:failed"; fi 250status=`expr $status + $ret` 251 252if [ -x ${DELV} ] ; then 253 ret=0 254 echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)" 255 $DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 256 grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 257 grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 258 n=`expr $n + 1` 259 if [ $ret != 0 ]; then echo "I:failed"; fi 260 status=`expr $status + $ret` 261fi 262 263echo "I:checking positive wildcard validation OPTOUT ($n)" 264ret=0 265$DIG $DIGOPTS a.wild.optout.example. \ 266 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 267$DIG $DIGOPTS a.wild.optout.example. 
\ 268 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 269stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n 270stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n 271$PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 272grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 273grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 274n=`expr $n + 1` 275if [ $ret != 0 ]; then echo "I:failed"; fi 276status=`expr $status + $ret` 277 278if [ -x ${DELV} ] ; then 279 ret=0 280 echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)" 281 $DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 282 grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 283 grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 284 n=`expr $n + 1` 285 if [ $ret != 0 ]; then echo "I:failed"; fi 286 status=`expr $status + $ret` 287fi 288 289echo "I:checking negative validation NXDOMAIN NSEC ($n)" 290ret=0 291$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 292$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 293$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 294grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 295grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 296n=`expr $n + 1` 297if [ $ret != 0 ]; then echo "I:failed"; fi 298status=`expr $status + $ret` 299 300if [ -x ${DELV} ] ; then 301 ret=0 302 echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)" 303 $DELV $DELVOPTS @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 304 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 305 n=`expr $n + 1` 306 if [ $ret != 0 ]; then echo "I:failed"; fi 307 status=`expr $status + $ret` 308fi 309 310echo "I:checking negative validation NXDOMAIN NSEC3 ($n)" 311ret=0 312$DIG $DIGOPTS +noauth q.nsec3.example. 
\ 313 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 314$DIG $DIGOPTS +noauth q.nsec3.example. \ 315 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 316$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 317grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 318grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 319n=`expr $n + 1` 320if [ $ret != 0 ]; then echo "I:failed"; fi 321status=`expr $status + $ret` 322 323if [ -x ${DELV} ] ; then 324 ret=0 325 echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" 326 $DELV $DELVOPTS @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 327 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 328 n=`expr $n + 1` 329 if [ $ret != 0 ]; then echo "I:failed"; fi 330 status=`expr $status + $ret` 331fi 332 333echo "I:checking negative validation NXDOMAIN OPTOUT ($n)" 334ret=0 335$DIG $DIGOPTS +noauth q.optout.example. \ 336 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 337$DIG $DIGOPTS +noauth q.optout.example. \ 338 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 339$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 340grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 341# Note - this is looking for failure, hence the && 342grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 343n=`expr $n + 1` 344if [ $ret != 0 ]; then echo "I:failed"; fi 345status=`expr $status + $ret` 346 347if [ -x ${DELV} ] ; then 348 ret=0 349 echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" 350 $DELV $DELVOPTS @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 351 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 352 n=`expr $n + 1` 353 if [ $ret != 0 ]; then echo "I:failed"; fi 354 status=`expr $status + $ret` 355fi 356 357echo "I:checking negative validation NODATA NSEC ($n)" 358ret=0 359$DIG $DIGOPTS +noauth a.example. 
@10.53.0.2 txt > dig.out.ns2.test$n || ret=1 360$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 361$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 362grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 363grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 364grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 365n=`expr $n + 1` 366if [ $ret != 0 ]; then echo "I:failed"; fi 367status=`expr $status + $ret` 368 369if [ -x ${DELV} ] ; then 370 ret=0 371 echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)" 372 $DELV $DELVOPTS @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 373 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 374 n=`expr $n + 1` 375 if [ $ret != 0 ]; then echo "I:failed"; fi 376 status=`expr $status + $ret` 377fi 378 379echo "I:checking negative validation NODATA NSEC3 ($n)" 380ret=0 381$DIG $DIGOPTS +noauth a.nsec3.example. \ 382 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 383$DIG $DIGOPTS +noauth a.nsec3.example. \ 384 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 385$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 386grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 387grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 388grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 389n=`expr $n + 1` 390if [ $ret != 0 ]; then echo "I:failed"; fi 391status=`expr $status + $ret` 392 393if [ -x ${DELV} ] ; then 394 ret=0 395 echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)" 396 $DELV $DELVOPTS @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 397 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 398 n=`expr $n + 1` 399 if [ $ret != 0 ]; then echo "I:failed"; fi 400 status=`expr $status + $ret` 401fi 402 403echo "I:checking negative validation NODATA OPTOUT ($n)" 404ret=0 405$DIG $DIGOPTS +noauth a.optout.example. 
\ 406 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 407$DIG $DIGOPTS +noauth a.optout.example. \ 408 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 409$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 410grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 411grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 412grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 413n=`expr $n + 1` 414if [ $ret != 0 ]; then echo "I:failed"; fi 415status=`expr $status + $ret` 416 417if [ -x ${DELV} ] ; then 418 ret=0 419 echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)" 420 $DELV $DELVOPTS @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 421 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 422 n=`expr $n + 1` 423 if [ $ret != 0 ]; then echo "I:failed"; fi 424 status=`expr $status + $ret` 425fi 426 427echo "I:checking negative wildcard validation NSEC ($n)" 428ret=0 429$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 430$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 431$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 432grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 433grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 434n=`expr $n + 1` 435if [ $ret != 0 ]; then echo "I:failed"; fi 436status=`expr $status + $ret` 437 438if [ -x ${DELV} ] ; then 439 ret=0 440 echo "I:checking negative wildcard validation NSEC using dns_client ($n)" 441 $DELV $DELVOPTS @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 442 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 443 n=`expr $n + 1` 444 if [ $ret != 0 ]; then echo "I:failed"; fi 445 status=`expr $status + $ret` 446fi 447 448echo "I:checking negative wildcard validation NSEC3 ($n)" 449ret=0 450$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 451$DIG $DIGOPTS b.wild.nsec3.example. 
@10.53.0.4 txt > dig.out.ns4.test$n || ret=1 452$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 453grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 454n=`expr $n + 1` 455if [ $ret != 0 ]; then echo "I:failed"; fi 456status=`expr $status + $ret` 457 458if [ -x ${DELV} ] ; then 459 ret=0 460 echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)" 461 $DELV $DELVOPTS @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 462 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 463 n=`expr $n + 1` 464 if [ $ret != 0 ]; then echo "I:failed"; fi 465 status=`expr $status + $ret` 466fi 467 468echo "I:checking negative wildcard validation OPTOUT ($n)" 469ret=0 470$DIG $DIGOPTS b.wild.optout.example. \ 471 @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 472$DIG $DIGOPTS b.wild.optout.example. \ 473 @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 474$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 475grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 476# Note - this is looking for failure, hence the && 477grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 478n=`expr $n + 1` 479if [ $ret != 0 ]; then echo "I:failed"; fi 480status=`expr $status + $ret` 481 482if [ -x ${DELV} ] ; then 483 ret=0 484 echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)" 485 $DELV $DELVOPTS @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 486 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 487 n=`expr $n + 1` 488 if [ $ret != 0 ]; then echo "I:failed"; fi 489 status=`expr $status + $ret` 490fi 491 492# Check the insecure.example domain 493 494echo "I:checking 1-server insecurity proof NSEC ($n)" 495ret=0 496$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 497$DIG $DIGOPTS +noauth a.insecure.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 498$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 499grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 500# Note - this is looking for failure, hence the && 501grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 502n=`expr $n + 1` 503if [ $ret != 0 ]; then echo "I:failed"; fi 504status=`expr $status + $ret` 505 506if [ -x ${DELV} ] ; then 507 ret=0 508 echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)" 509 $DELV $DELVOPTS @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 510 grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 511 n=`expr $n + 1` 512 if [ $ret != 0 ]; then echo "I:failed"; fi 513 status=`expr $status + $ret` 514fi 515 516echo "I:checking 1-server insecurity proof NSEC3 ($n)" 517ret=0 518$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 519$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 520$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 521grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 522# Note - this is looking for failure, hence the && 523grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 524n=`expr $n + 1` 525if [ $ret != 0 ]; then echo "I:failed"; fi 526status=`expr $status + $ret` 527 528if [ -x ${DELV} ] ; then 529 ret=0 530 echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)" 531 $DELV $DELVOPTS @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 532 grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 533 n=`expr $n + 1` 534 if [ $ret != 0 ]; then echo "I:failed"; fi 535 status=`expr $status + $ret` 536fi 537 538echo "I:checking 1-server insecurity proof OPTOUT ($n)" 539ret=0 540$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 541$DIG $DIGOPTS +noauth a.insecure.optout.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 542$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 543grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 544# Note - this is looking for failure, hence the && 545grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 546n=`expr $n + 1` 547if [ $ret != 0 ]; then echo "I:failed"; fi 548status=`expr $status + $ret` 549 550if [ -x ${DELV} ] ; then 551 ret=0 552 echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)" 553 $DELV $DELVOPTS @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 554 grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 555 n=`expr $n + 1` 556 if [ $ret != 0 ]; then echo "I:failed"; fi 557 status=`expr $status + $ret` 558fi 559 560echo "I:checking 1-server negative insecurity proof NSEC ($n)" 561ret=0 562$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ 563 > dig.out.ns3.test$n || ret=1 564$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ 565 > dig.out.ns4.test$n || ret=1 566$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 567grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 568# Note - this is looking for failure, hence the && 569grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 570n=`expr $n + 1` 571if [ $ret != 0 ]; then echo "I:failed"; fi 572status=`expr $status + $ret` 573 574if [ -x ${DELV} ] ; then 575 ret=0 576 echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)" 577 $DELV $DELVOPTS @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 578 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 579 n=`expr $n + 1` 580 if [ $ret != 0 ]; then echo "I:failed"; fi 581 status=`expr $status + $ret` 582fi 583 584echo "I:checking 1-server negative insecurity proof NSEC3 ($n)" 585ret=0 586$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \ 587 > dig.out.ns3.test$n || ret=1 588$DIG $DIGOPTS q.insecure.nsec3.example. 
a @10.53.0.4 \ 589 > dig.out.ns4.test$n || ret=1 590$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 591grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 592# Note - this is looking for failure, hence the && 593grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 594n=`expr $n + 1` 595if [ $ret != 0 ]; then echo "I:failed"; fi 596status=`expr $status + $ret` 597 598if [ -x ${DELV} ] ; then 599 ret=0 600 echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" 601 $DELV $DELVOPTS @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 602 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 603 n=`expr $n + 1` 604 if [ $ret != 0 ]; then echo "I:failed"; fi 605 status=`expr $status + $ret` 606fi 607 608echo "I:checking 1-server negative insecurity proof OPTOUT ($n)" 609ret=0 610$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \ 611 > dig.out.ns3.test$n || ret=1 612$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \ 613 > dig.out.ns4.test$n || ret=1 614$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 615grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 616# Note - this is looking for failure, hence the && 617grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 618n=`expr $n + 1` 619if [ $ret != 0 ]; then echo "I:failed"; fi 620status=`expr $status + $ret` 621 622if [ -x ${DELV} ] ; then 623 ret=0 624 echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" 625 $DELV $DELVOPTS @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 626 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 627 n=`expr $n + 1` 628 if [ $ret != 0 ]; then echo "I:failed"; fi 629 status=`expr $status + $ret` 630fi 631 632echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)" 633ret=0 634$DIG $DIGOPTS r.insecure.example. 
soa @10.53.0.3 \ 635 > dig.out.ns3.test$n || ret=1 636$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \ 637 > dig.out.ns4.test$n || ret=1 638$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 639grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 640grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 641# Note - this is looking for failure, hence the && 642grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 643n=`expr $n + 1` 644if [ $ret != 0 ]; then echo "I:failed"; fi 645status=`expr $status + $ret` 646 647echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" 648ret=0 649$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \ 650 > dig.out.ns3.test$n || ret=1 651$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \ 652 > dig.out.ns4.test$n || ret=1 653$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 654grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 655grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 656# Note - this is looking for failure, hence the && 657grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 658n=`expr $n + 1` 659if [ $ret != 0 ]; then echo "I:failed"; fi 660status=`expr $status + $ret` 661 662echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" 663ret=0 664$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \ 665 > dig.out.ns3.test$n || ret=1 666$DIG $DIGOPTS r.insecure.optout.example. 
soa @10.53.0.4 \ 667 > dig.out.ns4.test$n || ret=1 668$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 669grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 670grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 671# Note - this is looking for failure, hence the && 672grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 673n=`expr $n + 1` 674if [ $ret != 0 ]; then echo "I:failed"; fi 675status=`expr $status + $ret` 676 677# Check the secure.example domain 678 679echo "I:checking multi-stage positive validation NSEC/NSEC ($n)" 680ret=0 681$DIG $DIGOPTS +noauth a.secure.example. \ 682 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 683$DIG $DIGOPTS +noauth a.secure.example. \ 684 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 685$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 686grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 687grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 688n=`expr $n + 1` 689if [ $ret != 0 ]; then echo "I:failed"; fi 690status=`expr $status + $ret` 691 692echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)" 693ret=0 694$DIG $DIGOPTS +noauth a.nsec3.example. \ 695 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 696$DIG $DIGOPTS +noauth a.nsec3.example. \ 697 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 698$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 699grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 700grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 701n=`expr $n + 1` 702if [ $ret != 0 ]; then echo "I:failed"; fi 703status=`expr $status + $ret` 704 705echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)" 706ret=0 707$DIG $DIGOPTS +noauth a.optout.example. \ 708 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 709$DIG $DIGOPTS +noauth a.optout.example. 
\ 710 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 711$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 712grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 713grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 714n=`expr $n + 1` 715if [ $ret != 0 ]; then echo "I:failed"; fi 716status=`expr $status + $ret` 717 718echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)" 719ret=0 720$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ 721 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 722$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ 723 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 724$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 725grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 726grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 727n=`expr $n + 1` 728if [ $ret != 0 ]; then echo "I:failed"; fi 729status=`expr $status + $ret` 730 731echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)" 732ret=0 733$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ 734 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 735$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ 736 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 737$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 738grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 739grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 740n=`expr $n + 1` 741if [ $ret != 0 ]; then echo "I:failed"; fi 742status=`expr $status + $ret` 743 744echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)" 745ret=0 746$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ 747 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 748$DIG $DIGOPTS +noauth a.optout.nsec3.example. 
\ 749 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 750$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 751grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 752grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 753n=`expr $n + 1` 754if [ $ret != 0 ]; then echo "I:failed"; fi 755status=`expr $status + $ret` 756 757echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)" 758ret=0 759$DIG $DIGOPTS +noauth a.secure.optout.example. \ 760 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 761$DIG $DIGOPTS +noauth a.secure.optout.example. \ 762 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 763$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 764grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 765grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 766n=`expr $n + 1` 767if [ $ret != 0 ]; then echo "I:failed"; fi 768status=`expr $status + $ret` 769 770echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)" 771ret=0 772$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ 773 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 774$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ 775 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 776$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 777grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 778grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 779n=`expr $n + 1` 780if [ $ret != 0 ]; then echo "I:failed"; fi 781status=`expr $status + $ret` 782 783echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)" 784ret=0 785$DIG $DIGOPTS +noauth a.optout.optout.example. \ 786 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 787$DIG $DIGOPTS +noauth a.optout.optout.example. 
\ 788 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 789$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 790grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 791grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 792n=`expr $n + 1` 793if [ $ret != 0 ]; then echo "I:failed"; fi 794status=`expr $status + $ret` 795 796echo "I:checking empty NODATA OPTOUT ($n)" 797ret=0 798$DIG $DIGOPTS +noauth empty.optout.example. \ 799 @10.53.0.3 a > dig.out.ns3.test$n || ret=1 800$DIG $DIGOPTS +noauth empty.optout.example. \ 801 @10.53.0.4 a > dig.out.ns4.test$n || ret=1 802$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 803grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 804#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 805n=`expr $n + 1` 806if [ $ret != 0 ]; then echo "I:failed"; fi 807status=`expr $status + $ret` 808 809# Check the bogus domain 810 811echo "I:checking failed validation ($n)" 812ret=0 813$DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 814grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 815n=`expr $n + 1` 816if [ $ret != 0 ]; then echo "I:failed"; fi 817status=`expr $status + $ret` 818 819if [ -x ${DELV} ] ; then 820 ret=0 821 echo "I:checking failed validation using dns_client ($n)" 822 $DELV $DELVOPTS +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 823 grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 824 n=`expr $n + 1` 825 if [ $ret != 0 ]; then echo "I:failed"; fi 826 status=`expr $status + $ret` 827fi 828 829# Try validating with a bad trusted key. 830# This should fail. 831 832echo "I:checking that validation fails with a misconfigured trusted key ($n)" 833ret=0 834$DIG $DIGOPTS example. 
soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 835grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 836n=`expr $n + 1` 837if [ $ret != 0 ]; then echo "I:failed"; fi 838status=`expr $status + $ret` 839 840echo "I:checking that negative validation fails with a misconfigured trusted key ($n)" 841ret=0 842$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 843grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 844n=`expr $n + 1` 845if [ $ret != 0 ]; then echo "I:failed"; fi 846status=`expr $status + $ret` 847 848echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)" 849ret=0 850$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 851grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 852n=`expr $n + 1` 853if [ $ret != 0 ]; then echo "I:failed"; fi 854status=`expr $status + $ret` 855 856echo "I:checking that validation fails when key record is missing ($n)" 857ret=0 858$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 859grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 860n=`expr $n + 1` 861if [ $ret != 0 ]; then echo "I:failed"; fi 862status=`expr $status + $ret` 863 864if [ -x ${DELV} ] ; then 865 ret=0 866 echo "I:checking that validation fails when key record is missing using dns_client ($n)" 867 $DELV $DELVOPTS +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 868 grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1 869 n=`expr $n + 1` 870 if [ $ret != 0 ]; then echo "I:failed"; fi 871 status=`expr $status + $ret` 872fi 873 874echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)" 875ret=0 876#prime 877$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 878#check: requery with +CD. pending data should be returned even if it's bogus 879expect="a.example. 88010.0.0.1" 881ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. 
@10.53.0.4` || ret=1 882test "$ans" = "$expect" || ret=1 883test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" 884#check: requery without +CD. bogus cached data should be rejected. 885$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 886grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 887n=`expr $n + 1` 888if [ $ret != 0 ]; then echo "I:failed"; fi 889status=`expr $status + $ret` 890 891echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)" 892ret=0 893#prime 894$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 895#check: requery with +CD. pending data should be returned even if it's bogus 896expect="example. 897a.example. 89810.0.0.1" 899ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1 900test "$ans" = "$expect" || ret=1 901test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" 902#check: requery without +CD. bogus cached data should be rejected. 903$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 904grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 905n=`expr $n + 1` 906if [ $ret != 0 ]; then echo "I:failed"; fi 907status=`expr $status + $ret` 908 909# Check the insecure.secure.example domain (insecurity proof) 910 911echo "I:checking 2-server insecurity proof ($n)" 912ret=0 913$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ 914 > dig.out.ns2.test$n || ret=1 915$DIG $DIGOPTS +noauth a.insecure.secure.example. 
@10.53.0.4 a \ 916 > dig.out.ns4.test$n || ret=1 917$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 918grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 919# Note - this is looking for failure, hence the && 920grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 921n=`expr $n + 1` 922if [ $ret != 0 ]; then echo "I:failed"; fi 923status=`expr $status + $ret` 924 925# Check a negative response in insecure.secure.example 926 927echo "I:checking 2-server insecurity proof with a negative answer ($n)" 928ret=0 929$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ 930 || ret=1 931$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ 932 || ret=1 933$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 934grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 935# Note - this is looking for failure, hence the && 936grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 937n=`expr $n + 1` 938if [ $ret != 0 ]; then echo "I:failed"; fi 939status=`expr $status + $ret` 940 941echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)" 942ret=0 943$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ 944 || ret=1 945$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ 946 || ret=1 947$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 948grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 949# Note - this is looking for failure, hence the && 950grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 951n=`expr $n + 1` 952if [ $ret != 0 ]; then echo "I:failed"; fi 953status=`expr $status + $ret` 954 955# Check that the query for a security root is successful and has ad set 956 957echo "I:checking security root query ($n)" 958ret=0 959$DIG $DIGOPTS . 
@10.53.0.4 key > dig.out.ns4.test$n || ret=1 960grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 961grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 962n=`expr $n + 1` 963if [ $ret != 0 ]; then echo "I:failed"; fi 964status=`expr $status + $ret` 965 966# Check that the setting the cd bit works 967 968echo "I:checking cd bit on a positive answer ($n)" 969ret=0 970$DIG $DIGOPTS +noauth example. soa @10.53.0.4 \ 971 > dig.out.ns4.test$n || ret=1 972$DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \ 973 > dig.out.ns5.test$n || ret=1 974$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 975grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 976# Note - this is looking for failure, hence the && 977grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 978n=`expr $n + 1` 979if [ $ret != 0 ]; then echo "I:failed"; fi 980status=`expr $status + $ret` 981 982echo "I:checking cd bit on a negative answer ($n)" 983ret=0 984$DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 985$DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 986$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 987grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 988# Note - this is looking for failure, hence the && 989grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 990n=`expr $n + 1` 991if [ $ret != 0 ]; then echo "I:failed"; fi 992status=`expr $status + $ret` 993 994echo "I:checking positive validation RSASHA256 NSEC ($n)" 995ret=0 996$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 997$DIG $DIGOPTS +noauth a.rsasha256.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 998$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 999grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1000n=`expr $n + 1` 1001if [ $ret != 0 ]; then echo "I:failed"; fi 1002status=`expr $status + $ret` 1003 1004echo "I:checking positive validation RSASHA512 NSEC ($n)" 1005ret=0 1006$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1007$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1008$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1009grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1010n=`expr $n + 1` 1011if [ $ret != 0 ]; then echo "I:failed"; fi 1012status=`expr $status + $ret` 1013 1014echo "I:checking positive validation with KSK-only DNSKEY signature ($n)" 1015ret=0 1016$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 1017$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 1018$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 1019grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1020n=`expr $n + 1` 1021if [ $ret != 0 ]; then echo "I:failed"; fi 1022status=`expr $status + $ret` 1023 1024echo "I:checking cd bit on a query that should fail ($n)" 1025ret=0 1026$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \ 1027 > dig.out.ns4.test$n || ret=1 1028$DIG $DIGOPTS +cdflag a.bogus.example. 
soa @10.53.0.5 \ 1029 > dig.out.ns5.test$n || ret=1 1030$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 1031grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 1032# Note - this is looking for failure, hence the && 1033grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 1034n=`expr $n + 1` 1035if [ $ret != 0 ]; then echo "I:failed"; fi 1036status=`expr $status + $ret` 1037 1038echo "I:checking cd bit on an insecurity proof ($n)" 1039ret=0 1040$DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \ 1041 > dig.out.ns4.test$n || ret=1 1042$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ 1043 > dig.out.ns5.test$n || ret=1 1044$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 1045grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1046# Note - these are looking for failure, hence the && 1047grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1048grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 1049n=`expr $n + 1` 1050if [ $ret != 0 ]; then echo "I:failed"; fi 1051status=`expr $status + $ret` 1052 1053echo "I:checking cd bit on a negative insecurity proof ($n)" 1054ret=0 1055$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ 1056 > dig.out.ns4.test$n || ret=1 1057$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \ 1058 > dig.out.ns5.test$n || ret=1 1059$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 1060grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 1061# Note - these are looking for failure, hence the && 1062grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1063grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 1064n=`expr $n + 1` 1065if [ $ret != 0 ]; then echo "I:failed"; fi 1066status=`expr $status + $ret` 1067 1068echo "I:checking that validation of an ANY query works ($n)" 1069ret=0 1070$DIG $DIGOPTS +noauth foo.example. 
any @10.53.0.2 > dig.out.ns2.test$n || ret=1 1071$DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 1072$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1073grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1074# 2 records in the zone, 1 NXT, 3 SIGs 1075grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 1076n=`expr $n + 1` 1077if [ $ret != 0 ]; then echo "I:failed"; fi 1078status=`expr $status + $ret` 1079 1080echo "I:checking that validation of a query returning a CNAME works ($n)" 1081ret=0 1082$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \ 1083 > dig.out.ns2.test$n || ret=1 1084$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.4 \ 1085 > dig.out.ns4.test$n || ret=1 1086$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1087grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1088# the CNAME & its sig, the TXT and its SIG 1089grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 1090n=`expr $n + 1` 1091if [ $ret != 0 ]; then echo "I:failed"; fi 1092status=`expr $status + $ret` 1093 1094echo "I:checking that validation of a query returning a DNAME works ($n)" 1095ret=0 1096$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \ 1097 > dig.out.ns2.test$n || ret=1 1098$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \ 1099 > dig.out.ns4.test$n || ret=1 1100$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1101grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1102# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. 1103# It would be nice to test that the CNAME is being synthesized by the 1104# recursive server and not cached, but I don't know how. 
1105grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 1106n=`expr $n + 1` 1107if [ $ret != 0 ]; then echo "I:failed"; fi 1108status=`expr $status + $ret` 1109 1110echo "I:checking that validation of an ANY query returning a CNAME works ($n)" 1111ret=0 1112$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \ 1113 > dig.out.ns2.test$n || ret=1 1114$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \ 1115 > dig.out.ns4.test$n || ret=1 1116$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1117grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1118# The CNAME, NXT, and their SIGs 1119grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 1120n=`expr $n + 1` 1121if [ $ret != 0 ]; then echo "I:failed"; fi 1122status=`expr $status + $ret` 1123 1124echo "I:checking that validation of an ANY query returning a DNAME works ($n)" 1125ret=0 1126$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \ 1127 > dig.out.ns2.test$n || ret=1 1128$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.4 \ 1129 > dig.out.ns4.test$n || ret=1 1130$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1131grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1132n=`expr $n + 1` 1133if [ $ret != 0 ]; then echo "I:failed"; fi 1134status=`expr $status + $ret` 1135 1136echo "I:checking that positive validation in a privately secure zone works ($n)" 1137ret=0 1138$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ 1139 > dig.out.ns2.test$n || ret=1 1140$DIG $DIGOPTS +noauth a.private.secure.example. 
a @10.53.0.4 \ 1141 > dig.out.ns4.test$n || ret=1 1142$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1143grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1144# Note - this is looking for failure, hence the && 1145grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1146n=`expr $n + 1` 1147if [ $ret != 0 ]; then echo "I:failed"; fi 1148status=`expr $status + $ret` 1149 1150echo "I:checking that negative validation in a privately secure zone works ($n)" 1151ret=0 1152$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ 1153 > dig.out.ns2.test$n || ret=1 1154$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ 1155 > dig.out.ns4.test$n || ret=1 1156$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1157grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 1158# Note - this is looking for failure, hence the && 1159grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1160n=`expr $n + 1` 1161if [ $ret != 0 ]; then echo "I:failed"; fi 1162status=`expr $status + $ret` 1163 1164echo "I:checking that lookups succeed after disabling a algorithm works ($n)" 1165ret=0 1166$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \ 1167 > dig.out.ns2.test$n || ret=1 1168$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \ 1169 > dig.out.ns6.test$n || ret=1 1170$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 1171# Note - this is looking for failure, hence the && 1172grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 1173n=`expr $n + 1` 1174if [ $ret != 0 ]; then echo "I:failed"; fi 1175status=`expr $status + $ret` 1176 1177echo "I:checking privately secure to nxdomain works ($n)" 1178ret=0 1179$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \ 1180 > dig.out.ns2.test$n || ret=1 1181$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. 
SOA @10.53.0.4 \ 1182 > dig.out.ns4.test$n || ret=1 1183$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1184# Note - this is looking for failure, hence the && 1185grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1186n=`expr $n + 1` 1187if [ $ret != 0 ]; then echo "I:failed"; fi 1188status=`expr $status + $ret` 1189 1190echo "I:checking privately secure wildcard to nxdomain works ($n)" 1191ret=0 1192$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \ 1193 > dig.out.ns2.test$n || ret=1 1194$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ 1195 > dig.out.ns4.test$n || ret=1 1196$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 1197# Note - this is looking for failure, hence the && 1198grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 1199n=`expr $n + 1` 1200if [ $ret != 0 ]; then echo "I:failed"; fi 1201status=`expr $status + $ret` 1202 1203echo "I:checking a non-cachable NODATA works ($n)" 1204ret=0 1205$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \ 1206 > dig.out.ns7.test$n || ret=1 1207grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 1208$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.4 \ 1209 > dig.out.ns4.test$n || ret=1 1210grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 1211n=`expr $n + 1` 1212if [ $ret != 0 ]; then echo "I:failed"; fi 1213status=`expr $status + $ret` 1214 1215echo "I:checking a non-cachable NXDOMAIN works ($n)" 1216ret=0 1217$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \ 1218 > dig.out.ns7.test$n || ret=1 1219grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 1220$DIG $DIGOPTS +noauth b.nosoa.secure.example. 
txt @10.53.0.4 \ 1221 > dig.out.ns4.test$n || ret=1 1222grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 1223n=`expr $n + 1` 1224if [ $ret != 0 ]; then echo "I:failed"; fi 1225status=`expr $status + $ret` 1226 1227# 1228# private.secure.example is served by the same server as its 1229# grand parent and there is not a secure delegation from secure.example 1230# to private.secure.example. In addition secure.example is using a 1231# algorithm which the validation does not support. 1232# 1233echo "I:checking dnssec-lookaside-validation works ($n)" 1234ret=0 1235$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ 1236 > dig.out.ns6.test$n || ret=1 1237grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 1238n=`expr $n + 1` 1239if [ $ret != 0 ]; then echo "I:failed"; fi 1240status=`expr $status + $ret` 1241 1242echo "I:checking that we can load a rfc2535 signed zone ($n)" 1243ret=0 1244$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ 1245 > dig.out.ns2.test$n || ret=1 1246grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 1247n=`expr $n + 1` 1248if [ $ret != 0 ]; then echo "I:failed"; fi 1249status=`expr $status + $ret` 1250 1251echo "I:checking that we can transfer a rfc2535 signed zone ($n)" 1252ret=0 1253$DIG $DIGOPTS rfc2535.example. 
SOA @10.53.0.3 \ 1254 > dig.out.ns3.test$n || ret=1 1255grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 1256n=`expr $n + 1` 1257if [ $ret != 0 ]; then echo "I:failed"; fi 1258status=`expr $status + $ret` 1259 1260echo "I:checking that we can sign a zone with out-of-zone records ($n)" 1261ret=0 1262zone=example 1263key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1264key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1265( 1266cd signer 1267cat example.db.in $key1.key $key2.key > example.db 1268$SIGNER -o example -f example.db example.db > /dev/null 2>&1 1269) || ret=1 1270n=`expr $n + 1` 1271if [ $ret != 0 ]; then echo "I:failed"; fi 1272status=`expr $status + $ret` 1273 1274echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" 1275ret=0 1276zone=example 1277key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1278key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` 1279( 1280cd signer 1281cat example.db.in $key1.key $key2.key > example.db 1282$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 1283awk '/^IQF9LQTLK/ { 1284 printf("%s", $0); 1285 while (!index($0, ")")) { 1286 if (getline <= 0) 1287 break; 1288 printf (" %s", $0); 1289 } 1290 printf("\n"); 1291 }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out 1292 1293grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
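0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
) || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Sign with opt-out (-A) after adding an insecure delegation several
# labels below the apex.  Under opt-out neither the delegation nor the
# empty non-terminals above it get NSEC3 records, so the apex NSEC3
# must still point at itself; -A also sets the NSEC3 flags field to 1.
echo "I:checking NSEC3 signing with empty nonterminals above a delegation ($n)"
ret=0
zone=example
key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
(
cd signer
cat example.db.in $key1.key $key2.key > example3.db
echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db
$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1
# Inspect the zone this test signed (example3.db), not the example.db
# left behind by the previous test; otherwise the check is vacuous.
awk '/^IQF9LQTLK/ {
	printf("%s", $0);
	while (!index($0, ")")) {
		if (getline <= 0)
			break;
		printf (" %s", $0);
	}
	printf("\n");
	}' example3.db | sed 's/[ ][ ]*/ /g' > nsec3param.out

grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 1 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
) || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Re-sign after lowering the SOA TTL from 60 to 50; the RRSIG's
# original TTL field must follow the new TTL.
echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
ret=0
zone=example
key1=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
(
cd signer
cat example.db.in $key1.key $key2.key > example.db
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
) || ret=1
grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Sign with key1+key2, then replace key2 by key3 and re-sign with -D
# (DNSSEC records only, $INCLUDEd back into the zone).  Signatures made
# by the removed key2 are still valid and must be kept alongside key3's.
echo "I:checking dnssec-signzone keeps valid signatures from removed keys ($n)"
ret=0
zone=example
key1=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
key2=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
# key file names look like Kexample.+005+NNNNN; strip prefix and leading zeros
keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
key3=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
(
cd signer
cat example.db.in $key1.key $key2.key > example.db
$SIGNER -D -o example example.db > /dev/null 2>&1

# now switch out key2 for key3 and resign the zone
cat example.db.in $key1.key $key3.key > example.db
echo '$INCLUDE "example.db.signed"' >> example.db
$SIGNER -D -o example example.db > /dev/null 2>&1
) || ret=1
grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1
grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1
n=`expr $n + 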
1` 1363if [ $ret != 0 ]; then echo "I:failed"; fi 1364status=`expr $status + $ret` 1365 1366echo "I:checking dnssec-signzone -R purges signatures from removed keys ($n)" 1367ret=0 1368( 1369cd signer 1370$SIGNER -RD -o example example.db > /dev/null 2>&1 1371) || ret=1 1372grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 1373grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1374n=`expr $n + 1` 1375if [ $ret != 0 ]; then echo "I:failed"; fi 1376status=`expr $status + $ret` 1377 1378echo "I:checking dnssec-signzone keeps valid signatures from inactive keys ($n)" 1379ret=0 1380zone=example 1381( 1382cd signer 1383cp -f example.db.in example.db 1384$SIGNER -SD -o example example.db > /dev/null 2>&1 1385echo '$INCLUDE "example.db.signed"' >> example.db 1386# now retire key2 and resign the zone 1387$SETTIME -I now $key2 > /dev/null 2>&1 1388$SIGNER -SD -o example example.db > /dev/null 2>&1 1389) || ret=1 1390grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1391grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1392n=`expr $n + 1` 1393if [ $ret != 0 ]; then echo "I:failed"; fi 1394status=`expr $status + $ret` 1395 1396echo "I:checking dnssec-signzone -Q purges signatures from inactive keys ($n)" 1397ret=0 1398( 1399cd signer 1400$SIGNER -SDQ -o example example.db > /dev/null 2>&1 1401) || ret=1 1402grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 1403grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 1404n=`expr $n + 1` 1405if [ $ret != 0 ]; then echo "I:failed"; fi 1406status=`expr $status + $ret` 1407 1408echo "I:checking dnssec-signzone retains unexpired signatures ($n)" 1409ret=0 1410( 1411cd signer 1412$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 1413$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 1414) || ret=1 1415gen1=`awk '/generated/ {print $3}' signer/signer.out.1` 1416retain1=`awk '/retained/ {print $3}' 
signer/signer.out.1` 1417drop1=`awk '/dropped/ {print $3}' signer/signer.out.1` 1418gen2=`awk '/generated/ {print $3}' signer/signer.out.2` 1419retain2=`awk '/retained/ {print $3}' signer/signer.out.2` 1420drop2=`awk '/dropped/ {print $3}' signer/signer.out.2` 1421[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1 1422[ "$gen2" -eq 0 ] || ret=1 1423[ "$drop2" -eq 0 ] || ret=1 1424n=`expr $n + 1` 1425if [ $ret != 0 ]; then echo "I:failed"; fi 1426status=`expr $status + $ret` 1427 1428echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" 1429ret=0 1430( 1431cd signer 1432# remove NSEC-only keys 1433rm -f Kexample.+005* 1434cp -f example.db.in example2.db 1435cat << EOF >> example2.db 1436sub1.example. IN A 10.53.0.1 1437ns.sub2.example. IN A 10.53.0.2 1438EOF 1439echo '$INCLUDE "example2.db.signed"' >> example2.db 1440touch example2.db.signed 1441$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 1442) || ret=1 1443grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 1444grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 1445( 1446cd signer 1447cp -f example.db.in example2.db 1448cat << EOF >> example2.db 1449sub1.example. IN NS sub1.example. 1450sub1.example. IN A 10.53.0.1 1451sub2.example. IN NS ns.sub2.example. 1452ns.sub2.example. 
IN A 10.53.0.2 1453EOF 1454echo '$INCLUDE "example2.db.signed"' >> example2.db 1455$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 1456) || ret=1 1457grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 1458grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 1459n=`expr $n + 1` 1460if [ $ret != 0 ]; then echo "I:failed"; fi 1461status=`expr $status + $ret` 1462 1463echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" 1464ret=0 1465( 1466cd signer 1467rm -f example2.db.signed 1468cp -f example.db.in example2.db 1469cat << EOF >> example2.db 1470sub1.example. IN A 10.53.0.1 1471ns.sub2.example. IN A 10.53.0.2 1472EOF 1473echo '$INCLUDE "example2.db.signed"' >> example2.db 1474touch example2.db.signed 1475$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 1476) || ret=1 1477grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 1478grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 1479( 1480cd signer 1481cp -f example.db.in example2.db 1482cat << EOF >> example2.db 1483sub1.example. IN NS sub1.example. 1484sub1.example. IN A 10.53.0.1 1485sub2.example. IN NS ns.sub2.example. 1486ns.sub2.example. 
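IN A 10.53.0.2
EOF
echo '$INCLUDE "example2.db.signed"' >> example2.db
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
) || ret=1
# sub1/sub2 are now delegated, so their A records are glue and must
# have lost their RRSIGs (hence the &&).
grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The SOA line has 11 fields in -O full output and 7 in -O text output;
# raw and raw=0 outputs are checked by the israw1/israw0 helpers.
echo "I:checking dnssec-signzone output format ($n)"
ret=0
(
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
) || ret=1
awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1
awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1
israw1 signer/signer.out.5 || ret=1
israw0 signer/signer.out.6 || ret=1
israw1 signer/signer.out.7 || ret=1
# advance the counter so the next test gets its own number and output files
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Same field-count checks, but with stderr merged into the output file
# (2>&1), so anything the signer prints on stderr is part of what awk sees.
echo "I:checking dnssec-signzone output format ($n)"
ret=0
(
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2>&1
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2>&1
) || ret=1
awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1
awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With -M 30 no record (TTL is field 2 in full output; ';' lines are
# comments) may have a TTL above 30.
echo "I:checking TTLs are capped by dnssec-signzone -M ($n)"
ret=0
(
cd signer
$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1
) || ret=1
awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The authoritative server (ns3) serves the record with TTL 3600; the
# validating resolver (ns4) must cache it for no longer than the RRSIG
# original TTL (300), so each TTL must appear on exactly one side.
echo "I:checking validated data are not cached longer than originalttl ($n)"
ret=0
$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Test that "rndc secroots" is able to dump trusted keys
# The dump from ns4 must list the managed key exactly once as trusted
# and be exactly 5 lines long.
echo "I:checking rndc secroots ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns4 /'
keyid=`cat ns1/managed.key.id`
cp ns4/named.secroots named.secroots.test$n
linecount=`grep -c "./RSAMD5/$keyid ; trusted" named.secroots.test$n`
[ "$linecount" -eq 1 ] || ret=1
linecount=`wc -l < named.secroots.test$n`
[ "$linecount" -eq 5 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check direct query for RRSIG. If we first ask for normal (non RRSIG)
# record, the corresponding RRSIG should be cached and subsequent query
# for RRSIG will be returned with the cached record.
echo "I:checking RRSIG query from cache ($n)"
ret=0
$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1
# only the RRSIG covering the A record is expected back from the cache
expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
test "$ans" = "$expect" || ret=1
# also check that RA is set
$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Check direct query for RRSIG: If it's not cached with other records,
# it should result in an empty response.
echo "I:checking RRSIG query not in cache ($n)"
ret=0
ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1
test -z "$ans" || ret=1
# also check that RA is cleared
$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

#
# RT21868 regression test.
#
echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
ret=0
$DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

#
# RT22007 regression test.
#
# single-nsec3 has a single opt-out NSEC3 (flags 1) that points at
# itself; the referral, NXDOMAIN and NODATA responses must all carry it.
echo "I:checking optout NSEC3 referral with only insecure delegations ($n)"
ret=0
$DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
ret=0
$DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)"
ret=0
$DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The ad bit must be set once the algorithm rollover has completed.
echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
ret=0
$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.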
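# Net::DNS is optional: when it is missing the update test is skipped with a
# message on stderr rather than being counted as a failure.
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
        echo "I:running DNSSEC update test"
        $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1
else
        echo "I:The DNSSEC update test requires the Net::DNS library." >&2
fi

# ns4 has not been switched to managed keys yet, so no journal for the
# managed-keys zone may exist at this point.
echo "I:checking managed key maintenance has not started yet ($n)"
ret=0
[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Reconfigure caching server to use "dnssec-validation auto", and repeat
# some of the DNSSEC validation tests to ensure that it works correctly.
# The rndc output is only echoed for diagnostics; the following check on
# the managed-keys journal is what verifies the reconfig took effect.
echo "I:switching to automatic root key configuration"
cp ns4/named2.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 5

echo "I:checking managed key maintenance timer has now started ($n)"
ret=0
[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Positive validation: the validating resolver (ns4) must return the same
# answer as the authoritative server and set the AD flag.
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. \
        @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. \
        @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. \
        @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. \
        @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Negative validation: an NXDOMAIN must validate too (AD set), i.e. the
# denial-of-existence proof is checked, not only positive answers.
echo "I:checking negative validation ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that root DS queries validate ($n)"
ret=0
$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
ret=0
$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With no key available to re-sign, the authoritative server must keep
# serving the (expired) RRSIG rather than dropping it; the next test
# checks that the validator still rejects it.
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Security-relevant: an expired signature must never validate.  Expect
# SERVFAIL, no AD flag, and an "RRSIG has expired" entry in ns4's log.
echo "I:checking expired signatures do not validate ($n)"
ret=0
$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Add a KSK to update-nsec3.example via dynamic update and check that the
# apex NSEC3 is re-signed and that the private-type (TYPE65534) signing
# state record is present.  Key generation and the update run in a
# subshell so the cd does not leak; the subshell's status is now folded
# into ret so a failed dnssec-keygen or a rejected update is reported
# instead of passing silently up to the dig check.
echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
ret=0
(
cd ns3 || exit 1
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example` || exit 1
(
echo zone update-nsec3.example
echo server 10.53.0.3 5300
grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/'
echo send
) | $NSUPDATE
) || ret=1
$DIG $DIGOPTS +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
$DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# checkprivate (defined near the top of this file) decodes the TYPE65534
# records and fails if any signing operation is still marked incomplete.
echo "I:checking that signing records have been marked as complete ($n)"
ret=0
checkprivate dynamic.example 10.53.0.3 || ret=1
checkprivate update-nsec3.example 10.53.0.3 || ret=1
checkprivate auto-nsec3.example 10.53.0.3 || ret=1
checkprivate expiring.example 10.53.0.3 || ret=1
checkprivate auto-nsec.example 10.53.0.3 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Malformed "rndc signing" invocations must be rejected (non-zero exit)
# without taking the server down: each one is followed by "rndc status"
# to confirm named still answers on the control channel.
echo "I:check that 'rndc signing' without arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -list' without zone is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -clear' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -clear all' without zone is handled ($n)"
ret=0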
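$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Incomplete "-nsec3param" argument lists (each one field longer than the
# last) must all be rejected without affecting the server.
echo "I:check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param none' without zone is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Valid -nsec3param requests: the NSEC3 chain is rebuilt asynchronously,
# so poll the NSEC3PARAM record (up to ~10s) for the requested salt.
echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
        salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
        if [ "$salt" = "FFFF" ]; then
                break;
        fi
        echo "I:sleeping ...."
        sleep 1
done;
[ "$salt" = "FFFF" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'rndc signing -nsec3param' works without salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
        salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
        if [ "$salt" = "-" ]; then
                break;
        fi
        echo "I:sleeping ...."
        sleep 1
done;
[ "$salt" = "-" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# "auto" must produce a generated salt: 16 hex characters (8 bytes), not
# the "-" that denotes no salt.
echo "I:check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
        salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
        [ -n "$salt" -a "$salt" != "-" ] && break
        echo "I:sleeping ...."
        sleep 1
done;
[ "$salt" != "-" ] || ret=1
[ `expr "${salt}" : ".*"` -eq 16 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A second "auto" must not reuse the previous salt (a fixed or repeating
# salt would defeat the purpose of salting the NSEC3 hashes).
echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
ret=0
oldsalt=$salt
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
        salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
        [ -n "$salt" -a "$salt" != "$oldsalt" ] && break
        echo "I:sleeping ...."
        sleep 1
done;
[ "$salt" != "$oldsalt" ] || ret=1
[ `expr "$salt" : ".*"` -eq 16 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Both stdout and stderr of rndc go into signing.out (the previous
# "2>&1 > file" ordering sent stderr to the terminal, so the diagnostic
# dump on failure was missing any rndc error text).
echo "I:check rndc signing -list output ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example > signing.out 2>&1
grep "No signing records found" signing.out > /dev/null 2>&1 || {
        ret=1
        sed 's/^/I:ns3 /' signing.out
}
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example > signing.out 2>&1
grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || {
        ret=1
        sed 's/^/I:ns3 /' signing.out
}
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# ret is reset here like in every other test; previously this section
# inherited the result of the preceding test and counted it twice.
echo "I:clear signing records ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example > signing.out 2>&1
grep "No signing records found" signing.out > /dev/null 2>&1 || {
        ret=1
        sed 's/^/I:ns3 /' signing.out
}
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that a insecure zone beneath a cname resolves ($n)"
ret=0
$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Two answer RRs are expected here: the SOA and its RRSIG.
echo "I:checking that a secure zone beneath a cname resolves ($n)"
ret=0
$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# A NODATA DNSKEY answer must be served from cache: the TTL (field 2 of
# the printed records) has to decrease between successive queries.
echo "I:checking dnskey query with no data still gets put in cache ($n)"
ret=0
myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
firstVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'`
sleep 1
secondVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'`
if [ ${firstVal:-0} -eq ${secondVal:-0} ]
then
        sleep 1
        thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '$1 != ";;" { print $2 }'`
        if [ ${firstVal:-0} -eq ${thirdVal:-0} ]
        then
                echo "I: cannot confirm query answer still in cache"
                ret=1
        fi
fi
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Add an NSEC3PARAM by dynamic update, wait (up to ~54s) for the chain to
# be built, then check the slave (ns3) was notified and matches the master.
# The nsupdate exit status is now checked so a refused update is reported
# at once rather than only via the later timeout.
echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
ret=0
(
echo zone nsec3chain-test
echo server 10.53.0.2 5300
echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
echo send
) | $NSUPDATE || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
do
        $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
        if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
        then
                break;
        fi
        echo "I:sleeping ...."
        sleep 3
done;
grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:nsec3 chain generation not complete"; fi
sleep 3
$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The DS records derived from the live DNSKEY RRset must match the dsset
# file written at signing time (whitespace inside the digest is ignored).
echo "I:check dnssec-dsfromkey from stdin ($n)"
ret=0
$DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \
        $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
NF=`awk '{print NF}' dig.out.ns2.test$n | sort -u`
[ "${NF}" = 7 ] || ret=1
# make canonical
awk '{
        for (i=1;i<7;i++) printf("%s ", $i);
        for (i=7;i<=NF;i++) printf("%s", $i);
        printf("\n");
}' < dig.out.ns2.test$n > canonical1.$n || ret=1
awk '{
        for (i=1;i<7;i++) printf("%s ", $i);
        for (i=7;i<=NF;i++) printf("%s", $i);
        printf("\n");
}' < ns1/dsset-algroll. > canonical2.$n || ret=1
diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)"
ret=0
$DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
# there must be a signature here
[ -s dig.out.ns3.test$n ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With 'no-resign' new data added by update must still be signed ...
echo "I:testing new records are signed with 'no-resign' ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add new.nosign.example 300 in txt "hi there"
echo send
) | $NSUPDATE || ret=1
sleep 1
$DIG +noall +answer +dnssec -p 5300 txt new.nosign.example @10.53.0.3 \
        > dig.out.ns3.test$n 2>&1
grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# ... while existing signatures are left alone (compared against the
# snapshot in nosign.before taken earlier in the run).
echo "I:testing expiring records aren't resigned with 'no-resign' ($n)"
ret=0
$DIG +noall +answer +dnssec +nottl -p 5300 nosign.example ns @10.53.0.3 | \
        grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
# the NS RRSIG should not be changed
cmp -s nosign.before dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Security-relevant: once the private keys are removed, named must refuse
# the update (nsupdate exits non-zero) rather than accept unsigned data
# into a signed zone; the record must not be visible afterwards.
echo "I:testing updates fail with no private key ($n)"
ret=0
rm -f ns3/Knosign.example.*.private
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add fail.nosign.example 300 in txt "reject me"
echo send
) | $NSUPDATE > /dev/null 2>&1 && ret=1
$DIG +tcp +noall +answer +dnssec -p 5300 fail.nosign.example txt @10.53.0.3 \
        > dig.out.ns3.test$n 2>&1
[ -s dig.out.ns3.test$n ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Signer names are compared case-insensitively: an upper-case signer in
# an existing RRSIG still validates, and names we sign are lower-cased.
echo "I:testing legacy upper case signer name validation ($n)"
ret=0
$DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
        > dig.out.ns4.test$n 2>&1
grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing that we lower case signer name ($n)"
ret=0
$DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
        > dig.out.ns4.test$n 2>&1
grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Re-sign expiring.example with signatures that expire in one minute
# (-e now+1mi).  A validating resolver must not cache the data beyond
# signature validity: the +cd (checking disabled) answer shows the zone
# TTL of 300, the validated answer must be capped to <= 60.
echo "I:testing TTL is capped at RRSIG expiry time ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
(
cd ns3 || exit 1
for file in K*.moved; do
        mv $file `basename $file .moved`
done
$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
) || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'

$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-0}; do
        [ ${ttl:-0} -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
        [ ${ttl:-0} -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Same cap must apply to records in the additional section.
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
sleep 1
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
        [ ${ttl:-0} -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
        [ ${ttl:-0} -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Switch ns4 to named3.conf (the test titles below indicate it enables
# "dnssec-accept-expired yes").  Accepting expired signatures weakens
# replay protection, so the checks below verify the cached TTL is still
# bounded (60 < ttl <= 120) instead of the full zone TTL.
cp ns4/named3.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3

echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-0}; do
        [ $ttl -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
        [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`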
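ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
# Tail of the preceding TTL-capping test: the first answer must carry the
# published TTL (300); the second must be capped to the signature's
# remaining lifetime (60 < ttl <= 120).  The ":-0" defaults make an
# empty answer fail both checks.
for ttl in ${ttls:-0}; do
	[ $ttl -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
	[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
# Same shape as the previous test, but only the additional section is
# examined.  The +cd query is expected to return the published TTL (300);
# the query without CD must see the TTL capped to the RRSIG's remaining
# validity.  ":-300" lets an empty additional section pass the first
# loop, ":-0" makes an empty section fail the second.
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
	[ $ttl -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
	[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The next five tests compare an authoritative answer (ns3) with the
# validating resolver's answer (ns4) via digcomp.pl, and additionally
# require the AD flag on the resolver's answer.  Whether a CNAME/DNAME
# may appear in the answer depends on the query type: DNSKEY follows the
# alias, KEY (a non-special type) is answered at the CNAME owner itself.
echo "I:testing DNSKEY lookup via CNAME ($n)"
ret=0
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing KEY lookup at CNAME (present) ($n)"
ret=0
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# A KEY query must be answered at the owner name: no CNAME in the reply.
grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing KEY lookup at CNAME (not present) ($n)"
ret=0
$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing DNSKEY lookup via DNAME ($n)"
ret=0
$DIG $DIGOPTS a.dnameandkey.secure.example. \
	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.dnameandkey.secure.example. \
	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
# A DNAME answer carries both the DNAME and the synthesized CNAME.
grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:testing KEY lookup via DNAME ($n)"
ret=0
$DIG $DIGOPTS b.dnameandkey.secure.example. \
	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS b.dnameandkey.secure.example. \
	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that named doesn't loop when all private keys are not available ($n)"
ret=0
# A retry loop would show up as the same "reading private key file" log
# line repeated many times; fewer than 15 occurrences is accepted.  The
# ":-1000" default makes a missing/unreadable log fail the check.
lines=`grep "reading private key file expiring.example" ns3/named.run | wc -l`
test ${lines:-1000} -lt 15 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check against missing nearest provable proof ($n)"
# Reset the per-test status: it was previously carried over from the
# preceding test, so an earlier failure was also reported here.
ret=0
# The DS query for the opt-out name must yield two NSEC3 records (closest
# encloser plus opt-out span); the A query only one.  The resolver must
# still validate the parent's SOA (AD set) but answer the opt-out name
# as insecure: NOERROR without AD.
$DIG $DIGOPTS +norec b.c.d.optout-tld. \
	@10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
nsec3=`grep "IN.NSEC3" dig.out.ds.ns6.test$n | wc -l`
[ $nsec3 -eq 2 ] || ret=1
$DIG $DIGOPTS +norec b.c.d.optout-tld. \
	@10.53.0.6 A > dig.out.ns6.test$n || ret=1
nsec3=`grep "IN.NSEC3" dig.out.ns6.test$n | wc -l`
[ $nsec3 -eq 1 ] || ret=1
$DIG $DIGOPTS optout-tld. \
	@10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
$DIG $DIGOPTS b.c.d.optout-tld. \
	@10.53.0.4 A > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that key id are logged when dumping the cache ($n)"
ret=0
# The dump is requested from ns4 (10.53.0.4), so its output is prefixed
# with the matching server label.
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 dumpdb 2>&1 | sed 's/^/I:ns4 /'
sleep 1
grep "; key id = " ns4/named_dump.db > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check KEYDATA records are printed in human readable form in key zone ($n)"
# force the managed-keys zone to be written out
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns4
ret=0
grep KEYDATA ns4/managed-keys.bind > /dev/null || ret=1
grep "next refresh:" ns4/managed-keys.bind > /dev/null || ret=1
# restart the server
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check dig's +nocrypto flag ($n)"
ret=0
# With +nocrypto the key material is replaced by "[key id = N]" and the
# signature/digest fields by "[omitted]".
$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
	@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec +nocrypto DS example \
	@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
ret=0
cnt=0
# Poll (up to 120 s) until more than two KSKs (flags 257) are published,
# then require exactly two RRSIGs on the set.
while :
do
	$DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
	keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l`
	test $keys -gt 2 && break
	cnt=`expr $cnt + 1`
	test $cnt -gt 120 && break
	sleep 1
done
test $keys -gt 2 || ret=1
sigs=`grep RRSIG dig.out.ns3.test$n | wc -l`
# normalise wc's padded output to a plain integer
sigs=`expr $sigs + 0`
n=`expr $n + 1`
test $sigs -eq 2 || ret=1
if test $ret != 0 ; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
ret=0
before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
cp ns3/siginterval2.conf ns3/siginterval.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
# give the server up to ten seconds to produce a new SOA RRSIG
for i in 1 2 3 4 5 6 7 8 9 0
do
	after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
	test "$before" != "$after" && break
	sleep 1
done
n=`expr $n + 1`
if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`

# switch ns4 to its fourth configuration for the static-stub test below
cp ns4/named4.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3

echo "I:check insecure delegation between static-stub zones ($n)"
ret=0
$DIG $DIGOPTS ns insecure.secure.example \
	@10.53.0.4 > dig.out.ns4.1.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
$DIG $DIGOPTS ns secure.example \
	@10.53.0.4 > dig.out.ns4.2.test$n || ret=1
grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check the acceptance of seconds as inception and expiration times ($n)"
ret=0
# Input carries expiration/inception as seconds since the epoch; the
# checker must print them back in YYYYMMDDHHMMSS form.
in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="

exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="

out=`echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//'`
[ "$out" = "$exp" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check the correct resigning time is reported in zonestatus ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 \
	zonestatus secure.example > rndc.out.test$n
# next resign node: secure.example/DNSKEY
name=`awk '/next resign node:/ { print $4 }' rndc.out.test$n | sed 's;/; ;'`
# next resign time: Thu, 24 Apr 2014 10:38:16 GMT
# -> rebuilt as YYYYMMDDHHMMSS so it compares lexically with RRSIG times
time=`awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
		m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
		m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
		m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
	/next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.test$n | sed 's/://g'`
$DIG $DIGOPTS +noall +answer $name @10.53.0.3 -p 5300 > dig.out.test$n
expire=`awk '$4 == "RRSIG" { print $9 }' dig.out.test$n`
inception=`awk '$4 == "RRSIG" { print $10 }' dig.out.test$n`
# The reported resign time must fall inside the RRSIG's validity window.
# The three timestamps are passed as arguments rather than spliced into
# the Perl source, so unexpected tool output cannot change the program.
$PERL -e 'exit(0) if ($ARGV[0] lt $ARGV[1] && $ARGV[0] gt $ARGV[2]); exit(1);' "$time" "$expire" "$inception" || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that split rrsigs are handled ($n)"
ret=0
$DIG $DIGOPTS split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1
# the SOA serial (field 7) must have been bumped past the initial 1
awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
ret=0
alg=1
# Walk every algorithm number, skipping Diffie-Hellman (2) and the
# private-use range, and silently skipping anything this build reports
# as unsupported.  For each remaining algorithm generate a key, set an
# inactivation time, and check that a successor key can be derived.
until test $alg = 256
do
	size=
	case $alg in
	1) size="-b 512";;
	2) # Diffie Helman
		alg=`expr $alg + 1`
		continue;;
	3) size="-b 512";;
	5) size="-b 512";;
	6) size="-b 512";;
	7) size="-b 512";;
	8) size="-b 512";;
	10) size="-b 1024";;
	157|160|161|162|163|164|165) # private - non standard
		alg=`expr $alg + 1`
		continue;;
	esac
	# $size is deliberately unquoted so "-b 512" splits into two words
	key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err`
	if grep "unsupported algorithm" keygen.err > /dev/null
	then
		alg=`expr $alg + 1`
		continue
	fi
	if test -z "$key1"
	then
		echo "I: '$KEYGEN -a $alg': failed"
		cat keygen.err
		ret=1
		alg=`expr $alg + 1`
		continue
	fi
	$SETTIME -I now+4d $key1.private > /dev/null
	key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null`
	test -f $key2.key -a -f $key2.private || {
		ret=1
		echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
	}
	alg=`expr $alg + 1`
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

#
# Test for +sigchase with a null set of trusted keys.
#
# Probe first: builds without sigchase support reject the option, in
# which case the test is skipped but the test number is still consumed.
$DIG -p 5300 @10.53.0.3 +sigchase +trusted-key=/dev/null > dig.out.ns3.test$n 2>&1
if grep "Invalid option: +sigchase" dig.out.ns3.test$n > /dev/null
then
	echo "I:Skipping 'dig +sigchase' tests"
	n=`expr $n + 1`
else
	echo "I:checking that 'dig +sigchase' doesn't loop with future inception ($n)"
	ret=0
	# A buggy dig would spin forever here, so it is run in the background
	# and killed unconditionally after one second; the expected FAILED
	# line must already be in the output by then.
	$DIG -p 5300 @10.53.0.3 dnskey future.example +sigchase \
		+trusted-key=ns3/trusted-future.key > dig.out.ns3.test$n &
	pid=$!
	sleep 1
	kill -9 $pid 2> /dev/null
	wait $pid
	grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
	n=`expr $n + 1`
fi

# Unknown NSEC3 hash algorithm: positive answers are still signed with a
# known DNSKEY algorithm and must validate (AD set); negative answers
# cannot be proven without a usable NSEC3 chain and must SERVFAIL.
echo "I:checking that positive unknown NSEC3 hash algorithm does validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Unknown DNSKEY algorithm: the zone must be treated as insecure rather
# than bogus, i.e. NOERROR is returned but the AD flag is not set.
echo "I:checking that unknown DNSKEY algorithm validates as insecure ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking initialization with a revoked managed key ($n)"
ret=0
# ns5 is reconfigured with a trust anchor that is already revoked; with
# no usable anchor, validation of the root SOA must fail with SERVFAIL.
cp ns5/named2.conf ns5/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reconfig 2>&1 | sed 's/^/I:ns5 /'
sleep 3
$DIG $DIGOPTS +dnssec -p 5300 @10.53.0.5 SOA . > dig.out.ns5.test$n
grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
exit $status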