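#!/bin/sh
#
# Copyright (C) 2011-2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.18 2012/02/23 06:53:15 marka Exp

# Inline-signing system test.
#
# ns3 (10.53.0.3) is the "bump in the wire" signer: zones are either
# transferred from hidden masters (ns2 / 10.53.0.2 for "bits" and the
# "retransfer*" zones, ns4 / 10.53.0.4 for "noixfr") or loaded locally
# ("master", "dynamic", "updated", "nsec3"), signed on ns3, and then checked
# with dig and rndc.  Queries sent to ns6 (10.53.0.6) are expected to carry
# the AD flag, so ns6 is presumably configured to validate what ns3 serves
# -- confirm against the ns6 configuration.
#
# Conventions shared with the other system tests:
#   - each test bumps $n, prints one "I:..." line naming the test, and adds
#     its result ($ret, 0 or 1) to $status, which becomes the exit code;
#   - control commands go to rndc on 10.53.0.x:9953 with the shared
#     ../common/rndc.conf; zone queries go to port 5300;
#   - a polling loop sleeps 1s between attempts and gives up after the
#     listed number of iterations instead of hanging the run.
# The addresses, ports, key material ($RANDFILE) and the
# "allow-transfer { any; };" used by the addzone test are test-harness
# settings for the private test network set up by conf.sh/start.pl; they
# are not a production configuration.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="+tcp +dnssec"

status=0
n=0

# Switch the nsec3 zone to NSEC3 and wait until ns3 publishes the
# NSEC3PARAM record, so the first test sees the NSEC3 chain.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1

for i in 1 2 3 4 5 6 7 8 9 0
do
  nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.`
  test "$nsec3param" = "1 0 0 -" && break
  sleep 1
done

# Loop until retransfer3 has been transferred: rndc rejects the request
# until the zone exists on ns3.  Pause between attempts so the ten
# retries actually cover the transfer time instead of burning through
# immediately.
for i in 1 2 3 4 5 6 7 8 9 0
do
  ans=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ans=1
  [ $ans = 0 ] && break
  sleep 1
done

for i in 1 2 3 4 5 6 7 8 9 0
do
  nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param retransfer3.`
  test "$nsec3param" = "1 0 0 -" && break
  sleep 1
done

n=`expr $n + 1`
echo "I:checking that rrsigs are replaced with ksk only"
ret=0
# Every NSEC3 owner name must carry exactly one RRSIG; a second one would
# mean the previous signatures were kept instead of replaced.
$DIG @10.53.0.3 -p 5300 axfr nsec3. |
  awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC"
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the zone is signed on initial transfer ($n)"
ret=0
# Two "Done signing" lines are expected: one per key (ZSK and KSK).
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
  keys=`grep '^Done signing' signing.out.test$n | wc -l`
  [ $keys = 2 ] || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking expired signatures are updated on load ($n)"
ret=0
# The RRSIG expiry field ($9) must no longer be the stale 2011 value
# carried in the zone file.
$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
[ "$expiry" = "20110101000000" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Clear the record for the first key only.  rndc's stderr is collected in
# a file and prefixed afterwards: a loop on the left-hand side of a pipe
# runs in a subshell, so a "ret=1" set inside it would be lost.
for key in $keys; do
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits > /dev/null || ret=1
  break; # We only want to remove 1 record for now.
done 2> rndc.clear.test$n
sed 's/^/I:ns3 /' rndc.clear.test$n

# Wait until exactly one "Done signing" record remains.  "ans" has to be
# set on the failing path, otherwise the check after the loop is a no-op.
for i in 1 2 3 4 5 6 7 8 9 10
do
  ans=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
  num=`grep "Done signing with" signing.out.test$n | wc -l`
  [ $num = 1 ] || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking private type was properly signed ($n)"
ret=0
# TYPE65534 is the private signing-state type; ns6 must return it with
# its RRSIG (2 answers) and the AD flag set.
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1

for i in 1 2 3 4 5 6 7 8 9 10
do
  ans=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
  grep "No signing records found" signing.out.test$n > /dev/null || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking negative private type response was properly signed ($n)"
ret=0
sleep 1
$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Dynamic update against the hidden master (ns2); the signer must pick
# the change up by transfer and sign it.
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add added.bits 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo "I:checking that the record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that update has been transfered and has been signed ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`

echo "I:checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
# The noixfr zone can only arrive by AXFR, so allow 30 attempts here.
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
  keys=`grep '^Done signing' signing.out.test$n | wc -l`
  [ $keys = 2 ] || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add added.noixfr 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo "I:checking that the record is added on the hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that update has been transfered and has been signed, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
  keys=`grep '^Done signing' signing.out.test$n | wc -l`
  [ $keys = 2 ] || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
# A failure here must count towards the exit status like every other test.
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
keys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
# Same as for "bits": collect stderr in a file so "ret=1" survives the loop.
for key in $keys; do
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master > /dev/null || ret=1
  break; # We only want to remove 1 record for now.
done 2> rndc.clear.test$n
sed 's/^/I:ns3 /' rndc.clear.test$n

for i in 1 2 3 4 5 6 7 8 9
do
  ans=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
  num=`grep "Done signing with" signing.out.test$n | wc -l`
  [ $num = 1 ] || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking private type was properly signed (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10
do
  ans=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
  grep "No signing records found" signing.out.test$n > /dev/null || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding of record to unsigned master ($n)"
ret=0
# master2.db.in carries e.master A 10.0.0.5 and a bumped serial (presumably;
# see the ns3 zone files).
cp ns3/master2.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
  grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding record fails when SOA serial not changed ($n)"
ret=0
# Appending a record without bumping the serial must not be picked up:
# the name stays NXDOMAIN after the reload.
echo "c A 10.0.0.3" >> ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload || ret=1
sleep 1
$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding record works after updating SOA serial ($n)"
ret=0
cp ns3/master3.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
  grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check the added record was properly signed ($n)"
ret=0
# The checks set "ret" directly: this test has no polling loop, and a
# failure recorded in "ans" would never be reported.
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns3.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the dynamic master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic > signing.out.test$n 2>&1
  keys=`grep '^Done signing' signing.out.test$n | wc -l`
  [ $keys = 2 ] || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking master zone that was updated while offline is correct ($n)"
ret=0
serial=`$DIG $DIGOPTS +short @10.53.0.3 -p 5300 updated SOA | awk '{print $3}'`
# serial should have changed
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.updated A > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
serial=`$JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}'`
[ "$serial" = "2000042408" ] || ret=1
diffsize=`$JOURNALPRINT ns3/updated.db.signed.jnl | wc -l`
[ "$diffsize" -le 13 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking adding of record to unsigned master using UPDATE ($n)"
ret=0

[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 5300
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }

for i in 1 2 3 4 5 6 7 8 9 10
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
  grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 0 ] && break
  sleep 1
done
[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# After the restart the signer must still track the hidden masters.
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Updates sent to the signer itself must be forwarded to the hidden master.
$NSUPDATE << EOF
zone bits
server 10.53.0.3 5300
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
# Reset "ret" before the setup check so a leftover value from the previous
# test cannot be reported as "setup broken".
ret=0
$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:setup broken"; fi
status=`expr $status + $ret`
# Switch ns5 to its post-change configuration, generate a ZSK and a KSK
# for "bits" there, and reload; the zone should then be served signed.
cp ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
  ret=0
  $DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
  grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
  if [ $ret = 0 ]; then break; fi
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || { echo "I: rndc freeze dynamic failed" ; sed 's/^/I:/' < freeze.test$n ; ret=1; }
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || { echo "I: rndc thaw dynamic failed" ; ret=1; }
sleep 1
grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`


n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1
sleep 1
# While frozen, bump the serial in the "; serial" line and append a TXT
# record to the unsigned zone file; the thaw must pick both up.
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze1.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze1.dynamic TXT > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  test $ret = 0 && break
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# allow 1 second so that file time stamps change
sleep 1

n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of server ($n)"
ret=0
# Same as above, but freezing/thawing every zone on the server at once.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze2.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
  ret=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze2.dynamic TXT > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
  test $ret = 0 && break
  sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
# Capture rndc's output to a file and prefix it afterwards; "ret=1" set
# inside "{ ...; } | sed" would be lost with the pipeline's subshell.
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > rndc.reload.test$n 2>&1 || ret=1
sed 's/^/I:ns3 /' rndc.reload.test$n
grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc sync removes both signed and unsigned journals ($n)"
ret=0
[ -f ns3/dynamic.db.jnl ] || ret=1
[ -f ns3/dynamic.db.signed.jnl ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync -clean dynamic 2>&1 || ret=1
[ -f ns3/dynamic.db.jnl ] && ret=1
[ -f ns3/dynamic.db.signed.jnl ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone retransfer
server 10.53.0.2 5300
update add added.retransfer 0 A 1.2.3.4
send

EOF

n=`expr $n + 1`
echo "I:checking that the retransfer record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.retransfer A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the change has not been transfered due to notify ($n)"
ret=0
# Negative check: the record must stay absent on ns3 for the whole
# polling window, so this test passes only if every attempt fails.
for i in 0 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 0 ] && break
  sleep 1
done
if [ $ans != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`

echo "I:check rndc retransfer of a inline slave zone works ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
  grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 0 ] && break
  sleep 1
done
[ $ans = 1 ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
# Before and after the retransfer, a name that does not exist must get an
# NXDOMAIN proven with NSEC3 (not NSEC) records.
for i in 0 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
  grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
  grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
  [ $ans = 0 ] && break
  sleep 1
done
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer3 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.post.test$n
  grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
  grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
  [ $ans = 0 ] && break
  sleep 1
done
[ $ans = 1 ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:update SOA record while stopped"
cp ns3/master4.db.in ns3/master.db
# -f: a missing journal is not an error for this step.
rm -f ns3/master.db.jnl

n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9
do
  ans=0
  $DIG $DIGOPTS @10.53.0.3 -p 5300 master SOA > dig.out.ns3.test$n
  grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
  grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
  [ $ans = 1 ] || break
  sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:test add/del zone combinations ($n)"
ret=0
# For each letter: add a master zone on ns2, check it answers, add it on
# ns3 as an inline-signed slave of ns2, then delete it from ns3 again.
for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
  $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone test-$zone \
    '{ type master; file "bits.db.in"; allow-transfer { any; }; };'
  $DIG $DIGOPTS @10.53.0.2 -p 5300 test-$zone SOA > dig.out.ns2.$zone.test$n
  grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone test-$zone \
    '{ type slave; masters { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 delzone test-$zone > /dev/null 2>&1
done
# Report and count the result; previously "ret" was set but never used.
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 dnskey externalkey > dig.out.ns3.test$n
# The checkdsa/checkgost/checkecdsa marker files presumably record which
# algorithms this build supports (created by the test setup); skip the
# algorithm when its marker is absent.
for alg in 3 7 12 13
do
  [ $alg = 3 ] && [ ! -f checkdsa ] && continue
  [ $alg = 12 ] && [ ! -f checkgost ] && continue
  [ $alg = 13 ] && [ ! -f checkecdsa ] && continue

  case $alg in
    3) echo "I: checking DSA";;
    7) echo "I: checking NSEC3RSASHA1";;
    12) echo "I: checking GOST";;
    13) echo "I: checking ECDSAP256SHA256";;
    *) echo "I: checking $alg";;
  esac

  # Expect three DNSKEYs (flags 256/257) and two RRSIGs per algorithm.
  dnskeys=`grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l`
  rrsigs=`grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l`
  test ${dnskeys:-0} -eq 3 || { echo "I: failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
  test ${rrsigs:-0} -eq 2 || { echo "I: failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing imported key won't overwrite a private key ($n)"
ret=0
key=`$KEYGEN -r $RANDFILE -q import.example`
cp ${key}.key import.key
# import should fail
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
rm -f ${key}.private
# private key removed; import should now succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
# now that it's an external key, re-import should succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

exit $status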