1#!/bin/sh
2#
3# Copyright (C) 2011-2014  Internet Systems Consortium, Inc. ("ISC")
4#
5# Permission to use, copy, modify, and/or distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15# PERFORMANCE OF THIS SOFTWARE.
16
17# Id: tests.sh,v 1.18 2012/02/23 06:53:15 marka Exp
18
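SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="+tcp +dnssec"

# Running failure count (becomes the exit status) and the test counter
# used in banners and output file names.
status=0
n=0

# Switch the nsec3 zone on ns3 to NSEC3 and wait (up to ~10s) until the
# NSEC3PARAM record is visible.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1

for i in 1 2 3 4 5 6 7 8 9 0
do
	nsec3param=$($DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.)
	test "$nsec3param" = "1 0 0 -" && break
	sleep 1
done

# Loop until retransfer3 has been transferred.  The rndc command fails
# until the zone is present on ns3, so pause between attempts instead of
# burning all ten retries back to back.
for i in 1 2 3 4 5 6 7 8 9 0
do
	ans=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ans=1
	[ $ans = 0 ] && break
	sleep 1
done

for i in 1 2 3 4 5 6 7 8 9 0
do
	nsec3param=$($DIG +short @10.53.0.3 -p 5300 nsec3param retransfer3.)
	test "$nsec3param" = "1 0 0 -" && break
	sleep 1
done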
50
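n=$((n + 1))
echo "I:checking that rrsigs are replaced with ksk only ($n)"
ret=0
# Every NSEC3 owner in the AXFR must carry exactly one RRSIG.  Also
# require that at least one such RRSIG was seen, so that a failed or
# empty transfer (awk sees no input) cannot pass the check.
$DIG @10.53.0.3 -p 5300 axfr nsec3. |
	awk '/RRSIG NSEC3/ {a[$1]++; seen++} END { if (!seen) exit (1); for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC"
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))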
59
n=$((n + 1))
echo "I:checking that the zone is signed on initial transfer ($n)"
ret=0
# Poll 'rndc signing -list' until both keys report "Done signing".
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n)
	[ "$keys" = 2 ] || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
74
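n=$((n + 1))
echo "I:checking expired signatures are updated on load ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
# Field 9 of the RRSIG line is the signature expiration time.
expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
# No RRSIG at all means the zone was not (re)signed; an empty value must
# not slip past the "not the original 2011 expiry" comparison below.
[ -n "$expiry" ] || ret=1
[ "$expiry" = "20110101000000" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))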
83
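n=$((n + 1))
echo "I:checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# We only want to remove 1 record for now, so take the first key listed.
key=
for k in $keys; do key=$k; break; done
# Run the clear outside a pipeline so that a failure is recorded in $ret
# (an assignment inside "... | sed" runs in a subshell and is lost); the
# command's diagnostics are captured to a file and prefixed afterwards.
if [ -n "$key" ]; then
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits > /dev/null 2> rndc.clear.test$n || ret=1
	sed 's/^/I:ns3 /' rndc.clear.test$n
fi

for i in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n)
	# Exactly one key should remain.  A mismatch is recorded in $ans so
	# that exhausting the retries is reported as a failure below.
	[ "$num" = 1 ] || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))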
106
n=$((n + 1))
echo "I:checking private type was properly signed ($n)"
ret=0
# Query the private type (65534) via ns6: expect two answer records and
# the AD flag in the response.
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep -q "ANSWER: 2," dig.out.ns6.test$n || ret=1
grep -q "flags:.* ad[ ;]" dig.out.ns6.test$n || ret=1

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
116
n=$((n + 1))
echo "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1

# Poll until 'rndc signing -list' reports no records at all.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
	grep -q "No signing records found" signing.out.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
134
n=$((n + 1))
echo "I:checking negative private type response was properly signed ($n)"
ret=0
sleep 1
# With the private-type records cleared, the answer should be an empty
# NOERROR response that still carries the AD flag.
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
for pattern in "status: NOERROR" "ANSWER: 0," "flags:.* ad[ ;]"
do
	grep -q "$pattern" dig.out.ns6.test$n || ret=1
done

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
146
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add added.bits 0 A 1.2.3.4
send
EOF

n=$((n + 1))
echo "I:checking that the record is added on the hidden master ($n)"
ret=0
# Ask the hidden master directly; a single answer record is expected.
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
grep -q "status: NOERROR" dig.out.ns2.test$n || ret=1
grep -q "ANSWER: 1," dig.out.ns2.test$n || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
162
n=$((n + 1))
echo "I:checking that update has been transfered and has been signed ($n)"
ret=0
# Poll the signer until the new record is served with its signature
# (two answer records).
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ret=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
177
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
# Single (unsigned) SOA answer carrying the new serial.
for pattern in "status: NOERROR" "ANSWER: 1," "2011072400"
do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
194
n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
# Poll the signer for the new serial; the SOA comes back with its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072400"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
n=$((n + 1))

echo "I:checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
# The retry list is repeated three times, giving this zone up to ~30s.
for try in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n)
	[ "$keys" = 2 ] || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
224
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add added.noixfr 0 A 1.2.3.4
send
EOF

n=$((n + 1))
echo "I:checking that the record is added on the hidden master, noixfr ($n)"
ret=0
# Ask the hidden master (ns4) directly; one answer record is expected.
$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
grep -q "status: NOERROR" dig.out.ns4.test$n || ret=1
grep -q "ANSWER: 1," dig.out.ns4.test$n || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
240
n=$((n + 1))
echo "I:checking that update has been transfered and has been signed, noixfr ($n)"
ret=0
# Up to ~30 attempts for the signed copy of the new record to appear.
for try in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ret=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
255
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
# Single (unsigned) SOA answer carrying the new serial.
for pattern in "status: NOERROR" "ANSWER: 1," "2011072400"
do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
272
n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
# Poll the signer for the new serial; the SOA comes back with its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072400"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
287
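n=$((n + 1))
echo "I:checking that the master zone signed on initial load ($n)"
ret=0
# Poll 'rndc signing -list' until both keys report "Done signing".
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master  > signing.out.test$n 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n)
	[ "$keys" = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
# Fold the result into the exit status; previously a failure here was
# printed but did not fail the run.
status=$((status + ret))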
301
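n=$((n + 1))
echo "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# We only want to remove 1 record for now, so take the first key listed.
key=
for k in $keys; do key=$k; break; done
# Run the clear outside a pipeline so that a failure is recorded in $ret
# (an assignment inside "... | sed" runs in a subshell and is lost); the
# command's diagnostics are captured to a file and prefixed afterwards.
if [ -n "$key" ]; then
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master > /dev/null 2> rndc.clear.test$n || ret=1
	sed 's/^/I:ns3 /' rndc.clear.test$n
fi

for i in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n)
	# Exactly one key should remain.  A mismatch is recorded in $ans so
	# that exhausting the retries is reported as a failure below.
	[ "$num" = 1 ] || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))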
324
n=$((n + 1))
echo "I:checking private type was properly signed (master) ($n)"
ret=0
# Same check as for 'bits': two answer records and the AD flag via ns6.
$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
grep -q "ANSWER: 2," dig.out.ns6.test$n || ret=1
grep -q "flags:.* ad[ ;]" dig.out.ns6.test$n || ret=1

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
334
n=$((n + 1))
echo "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
# Poll until 'rndc signing -list' reports no records at all.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
	grep -q "No signing records found" signing.out.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
351
n=$((n + 1))
echo "I:check adding of record to unsigned master ($n)"
ret=0
# Replace the unsigned master file and reload; the test then expects
# e.master to resolve to 10.0.0.5 with a signature (two answer records).
cp ns3/master2.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for try in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
	grep -q "10.0.0.5" dig.out.ns3.test$n || ans=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
369
n=$((n + 1))
echo "I:check adding record fails when SOA serial not changed ($n)"
ret=0
# Append a record without bumping the SOA serial: after the reload the
# name must still be NXDOMAIN.
echo "c A 10.0.0.3" >> ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload || ret=1
sleep 1
$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
grep -q "NXDOMAIN" dig.out.ns3.test$n || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
380
n=$((n + 1))
echo "I:check adding record works after updating SOA serial ($n)"
ret=0
# Install master3.db.in and reload; c.master should now resolve to
# 10.0.0.3 with a signature (two answer records).
cp ns3/master3.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for try in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
	grep -q "10.0.0.3" dig.out.ns3.test$n || ans=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
398
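n=$((n + 1))
echo "I:check the added record was properly signed ($n)"
ret=0
# Query through ns6, like the other "properly signed" checks that look
# for the AD flag (the output file was already named after ns6); the
# signer itself is not where the AD flag is checked elsewhere in this
# script.
$DIG $DIGOPTS @10.53.0.6 -p 5300 e.master A > dig.out.ns6.test$n
# Record failures in $ret, not $ans: $ret is what is reported and summed
# below, so with $ans this test could never fail.
grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))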
409
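n=$((n + 1))
echo "I:checking that the dynamic master zone signed on initial load ($n)"
ret=0
# Poll 'rndc signing -list' until both keys report "Done signing".
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic > signing.out.test$n 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n)
	[ "$keys" = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
# Fold the result into the exit status; previously a failure here was
# printed but did not fail the run.
status=$((status + ret))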
423
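n=$((n + 1))
echo "I:checking master zone that was updated while offline is correct ($n)"
ret=0
# Third field of the +short SOA answer is the serial.
serial=$($DIG $DIGOPTS +short @10.53.0.3 -p 5300 updated SOA | awk '{print $3}')
# serial should have changed; an empty value (no SOA answer at all) is a
# failure as well, otherwise the comparison below passes vacuously.
[ -n "$serial" ] || ret=1
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.updated A > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
serial=$($JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}')
[ "$serial" = "2000042408" ] || ret=1
diffsize=$($JOURNALPRINT ns3/updated.db.signed.jnl | wc -l)
[ "$diffsize" -le 13 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))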
444
n=$((n + 1))
echo "I:checking adding of record to unsigned master using UPDATE ($n)"
ret=0

# The unsigned journal must be absent before the update and present
# afterwards.
[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 5300
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }

# Wait for the record to be served signed (two answer records).
for try in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "1.2.3.4"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ans=1
	done
	[ $ans = 0 ] && break
	sleep 1
done
if [ $ans != 0 ]; then ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; fi

[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
474
n=$((n + 1))
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))

n=$((n + 1))
echo "I:restart bump in the wire signer server ($n)"
ret=0
# Restart in place, keeping the existing files.
$PERL ../start.pl --noclean --restart . ns3 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
488
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
# Single (unsigned) SOA answer carrying the new serial.
for pattern in "status: NOERROR" "ANSWER: 1," "2011072450"
do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
505
n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
# Poll the restarted signer for the new serial plus its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072450"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
520
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
# Single (unsigned) SOA answer carrying the new serial.
for pattern in "status: NOERROR" "ANSWER: 1," "2011072450"
do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
537
n=$((n + 1))
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
# Poll the signer for the new serial plus its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072450"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
552
# This update is sent to the signer (ns3), not the hidden master.
$NSUPDATE << EOF
zone bits
server 10.53.0.3 5300
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking forwarded update on hidden master ($n)"
ret=0
# The new serial should show up on the hidden master (ns2).
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072460"
do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
569
n=$((n + 1))
echo "I:checking forwarded update on signed zone ($n)"
# Poll the signer for the forwarded serial plus its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072460"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
584
# This update is sent to the signer (ns3), not the hidden master.
$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo "I:checking forwarded update on hidden master, noixfr ($n)"
ret=0
# The new serial should show up on the hidden master (ns4).
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072460"
do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
601
n=$((n + 1))
echo "I:checking forwarded update on signed zone, noixfr ($n)"
# Poll the signer for the forwarded serial plus its RRSIG.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072460"
	do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
616
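n=$((n + 1))
echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
# Reset the per-test result; the value left by the previous test would
# otherwise leak into this one.
ret=0
# Before the switch the slave serves a single, unsigned SOA.
$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:setup broken"; fi
status=$((status + ret))
# Install the post-change configuration, generate keys for the zone (the
# second one flagged as KSK) and reload; a signed SOA (two answer
# records) should then appear.
cp ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
	grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))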
639
n=$((n + 1))
echo "I:checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
# Freeze and thaw without touching the zone file; named should log that
# the unsigned zone was unchanged.
if ! $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1
then
	echo "I: rndc freeze dynamic failed"
	sed 's/^/I:/' < freeze.test$n
	ret=1
fi
sleep 1
if ! $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1
then
	echo "I: rndc thaw dynamic failed"
	ret=1
fi
sleep 1
grep -q "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
650
651
n=$((n + 1))
echo "I:checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
# Freeze the zone, then edit the unsigned zone file: bump the serial on
# the "; serial" line and append a TXT record.  Thaw afterwards; the next
# test checks that the record is served.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
664
n=$((n + 1))
echo "I:check added record freeze1.dynamic ($n)"
# Wait for the TXT record added during the freeze to be served signed.
for try in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 freeze1.dynamic TXT > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ret=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
678
# allow 1 second so that file time stamps change
sleep 1

n=$((n + 1))
echo "I:checking rndc freeze/thaw of server ($n)"
ret=0
# Same as the per-zone freeze/thaw test, but freezing the whole server:
# bump the serial, append a TXT record, thaw.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw > thaw.test$n 2>&1 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
694
n=$((n + 1))
echo "I:check added record freeze2.dynamic ($n)"
# Wait for the TXT record added during the server freeze to be served
# signed.
for try in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 freeze2.dynamic TXT > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ret=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
708
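n=$((n + 1))
echo "I:check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
# Capture rndc's output to a file and prefix it afterwards.  With the
# previous "{ rndc || ret=1; } | sed" form the assignment ran in the
# pipeline's subshell, so a reload failure never reached $ret.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > rndc.reload.test$n 2>&1 || ret=1
sed 's/^/I:ns3 /' rndc.reload.test$n
# named must not have complained that a zone was not reusable.
grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))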
717
n=$((n + 1))
echo "I:check rndc sync removes both signed and unsigned journals ($n)"
ret=0
# Both journals must exist beforehand and be gone after 'sync -clean'.
for jnl in ns3/dynamic.db.jnl ns3/dynamic.db.signed.jnl
do
	[ -f $jnl ] || ret=1
done
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync -clean dynamic 2>&1 || ret=1
for jnl in ns3/dynamic.db.jnl ns3/dynamic.db.signed.jnl
do
	[ -f $jnl ] && ret=1
done
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
728
$NSUPDATE << EOF
zone retransfer
server 10.53.0.2 5300
update add added.retransfer 0 A 1.2.3.4
send

EOF

n=$((n + 1))
echo "I:checking that the retransfer record is added on the hidden master ($n)"
ret=0
# Ask the hidden master directly; a single answer record is expected.
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.retransfer A > dig.out.ns2.test$n
grep -q "status: NOERROR" dig.out.ns2.test$n || ret=1
grep -q "ANSWER: 1," dig.out.ns2.test$n || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
745
n=$((n + 1))
echo "I:checking that the change has not been transfered due to notify ($n)"
ret=0
# Negative expectation: the record must NOT appear on the signer.  Poll
# for it and treat *finding* it within the window as the failure.
for try in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
if [ $ans != 1 ]; then echo "I:failed"; ret=1; fi
status=$((status + ret))
n=$((n + 1))

echo "I:check rndc retransfer of a inline slave zone works ($n)"
ret=0
# Force a retransfer, then wait for the record added above to be served
# signed (two answer records).
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer 2>&1 || ret=1
for try in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
	grep -q "status: NOERROR" dig.out.ns3.test$n || ans=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1
# The counter is advanced before the verdict so that the following test's
# banner and output files use the next number.
n=$((n + 1))
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
777
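echo "I:check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
# Pre-check: the zone must already answer NXDOMAIN with NSEC3 records.
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
	grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
	grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
# A zone that never showed NSEC3 before the retransfer cannot demonstrate
# that NSEC3 was retained, so the pre-check result is no longer discarded.
[ $ans = 1 ] && ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer3 2>&1 || ret=1
# Post-check: NSEC3 must still be used after the retransfer.
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.post.test$n
	grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
	grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 1 ] && ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))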
803
n=$((n + 1))
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))

echo "I:update SOA record while stopped"
# Swap in master4.db.in and drop the unsigned journal while ns3 is down.
cp ns3/master4.db.in ns3/master.db
rm ns3/master.db.jnl

n=$((n + 1))
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
821
n=$((n + 1))
echo "I:updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
ret=0
# The signed SOA should now carry "hostmaster" (from master4.db.in) and
# come with its RRSIG.
for try in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 -p 5300 master SOA > dig.out.ns3.test$n
	grep -q "hostmaster" dig.out.ns3.test$n || ans=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))
837
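n=$((n + 1))
echo "I:test add/del zone combinations ($n)"
ret=0
for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
	# Add a master zone on ns2 and check it answers, then add and
	# immediately delete the matching inline-signed slave on ns3.
	# Each rndc command's exit status now counts towards the result.
	$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone test-$zone \
		'{ type master; file "bits.db.in"; allow-transfer { any; }; };' || ret=1
	$DIG $DIGOPTS @10.53.0.2 -p 5300 test-$zone SOA > dig.out.ns2.$zone.test$n
	grep "status: NOERROR," dig.out.ns2.$zone.test$n  > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone test-$zone \
		'{ type slave; masters { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 delzone test-$zone > /dev/null 2>&1 || ret=1
done
# Report and count the result; previously $ret was set but never checked,
# so a failure in this test did not affect the exit status.
if [ $ret != 0 ]; then echo "I:failed"; fi
status=$((status + ret))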
851
n=$((n + 1))
echo "I:testing adding external keys to a inline zone ($n)"
ret=0
# One DNSKEY query; every algorithm is then counted in the same output.
$DIG $DIGOPTS @10.53.0.3 -p 5300 dnskey externalkey > dig.out.ns3.test$n
for alg in 3 7 12 13
do
	# Algorithms whose marker file is absent are skipped.
	case $alg in
	3) [ -f checkdsa ] || continue ;;
	12) [ -f checkgost ] || continue ;;
	13) [ -f checkecdsa ] || continue ;;
	esac

	case $alg in
	3) echo "I: checking DSA";;
	7) echo "I: checking NSEC3RSASHA1";;
	12) echo "I: checking GOST";;
	13) echo "I: checking ECDSAP256SHA256";;
	*) echo "I: checking $alg";;
	esac

	# Expect three DNSKEYs (flags 256/257) and two DNSKEY RRSIGs per
	# algorithm.
	dnskeys=$(grep -c "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n)
	rrsigs=$(grep -c "RRSIG.DNSKEY $alg " dig.out.ns3.test$n)
	if [ "${dnskeys:-0}" -ne 3 ]; then echo "I: failed $alg (dnskeys ${dnskeys:-0})"; ret=1; fi
	if [ "${rrsigs:-0}" -ne 2 ]; then echo "I: failed $alg (rrsigs ${rrsigs:-0})"; ret=1; fi
done
status=$((status + ret))
876
n=$((n + 1))
echo "I:testing imported key won't overwrite a private key ($n)"
ret=0
key=$($KEYGEN -r $RANDFILE -q import.example)
cp ${key}.key import.key
# import should fail while the private half is still on disk
if $IMPORTKEY -f import.key import.example > /dev/null 2>&1; then ret=1; fi
rm -f ${key}.private
# private key removed; import should now succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
# now that it's an external key, re-import should succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || echo "I:failed"
status=$((status + ret))

exit $status
893