#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# Locate the system-test root and load the shared test configuration.
# NOTE(review): PORT, CONTROLPORT, DIG, RNDC, echo_i and copy_setports are
# used below but never defined in this script, so they presumably come from
# conf.sh; confirm there.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Options given to every dig call.  The call sites expand this unquoted on
# purpose so that "-p" and the port number become two arguments.
DIGOPTS="-p ${PORT}"

# n numbers the test cases; status adds up the per-case results.
n=0
status=0
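# Install a new configuration on ns3 and make the running server pick it up.
# Arguments: $1 - configuration template passed to copy_setports, which is
#                 asked to write ns3/named.conf
# Globals:   RNDC, CONTROLPORT (read)
# Outputs:   rndc output on stdout, each line prefixed with "I:ns3 "
ns3_reset() {
	# Quote the template path so it always reaches copy_setports as one word.
	copy_setports "$1" ns3/named.conf
	# Reload the configuration, then flush the cache (presumably so answers
	# cached by an earlier case cannot shorten the next lookup).
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/I:ns3 /'
	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p "${CONTROLPORT}" flush | sed 's/^/I:ns3 /'
}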
# Report whether ns3 has logged an AAAA fetch.
# Returns: 0 if ns3/named.run contains "started AAAA fetch", 1 otherwise
#          (also when grep cannot read the log).
ns3_sends_aaaa_queries() {
	# Collapse every grep failure to 1 so callers only ever see 0 or 1.
	grep "started AAAA fetch" ns3/named.run >/dev/null || return 1
	return 0
}
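# Check whether the total number of queries seen by the two counting servers
# is as expected.  One count is read from the dig output stored in file $1 and
# one from file $2 (the callers pass the "count txt" answers of 10.53.0.2 and
# 10.53.0.4); the two are added together.  The expected total is variable:
#   - if ns3 sends AAAA queries, the total should equal $3,
#   - if ns3 does not send AAAA queries, the total should equal $4.
# On a mismatch, or when either file holds no usable number, the global "ret"
# is set to 1 and a message is logged through echo_i.
check_query_count() {
	# Keep only the digits of each answer; dig +short prints TXT data in quotes.
	count1=$(sed 's/[^0-9]//g;' "$1")
	count2=$(sed 's/[^0-9]//g;' "$2")
	expected_count_with_aaaa=$3
	expected_count_without_aaaa=$4

	# An empty or multi-line value used to make expr and the numeric test
	# below fail with an error; that left ret untouched, so a missing count
	# was not reported as a failure.
	for count_part in "$count1" "$count2"; do
		case $count_part in
		'' | *[!0-9]*)
			echo_i "query count is not a number (count1='$count1' count2='$count2')"
			ret=1
			return 0
			;;
		esac
	done

	# expr rather than $(( )): expr reads a value such as 08 as decimal.
	count=$(expr "$count1" + "$count2")
	#echo_i "count1=$count1 count2=$count2 count=$count"

	if ns3_sends_aaaa_queries; then
		expected_count=$expected_count_with_aaaa
	else
		expected_count=$expected_count_without_aaaa
	fi

	if [ "$count" -ne "$expected_count" ]; then
		echo_i "count $count (actual) != $expected_count (expected)"
		ret=1
	fi
}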
echo_i "set max-recursion-depth=12"

# Case: a lookup that is too deep for the limit must end in SERVFAIL.
# NOTE(review): there is no ns3_reset here, so this case runs against
# whatever configuration ns3 was started with; presumably that is the
# depth-12 one announced above. Confirm against the test's setup.
n=$((n + 1))
echo_i "attempt excessive-depth lookup ($n)"
ret=0
# Give both counting servers the same limit value.
for ans_dir in ans2 ans4; do
  echo "1000" > "$ans_dir/ans.limit"
done
# "reset" query to each counting server (presumably zeroes its query counter).
for ans_addr in 10.53.0.2 10.53.0.4; do
  $DIG $DIGOPTS @$ans_addr reset > /dev/null || ret=1
done
# The lookup under test goes through ns3 and has to fail.
$DIG $DIGOPTS @10.53.0.3 indirect1.example.org > "dig.out.1.test$n" || ret=1
grep "status: SERVFAIL" "dig.out.1.test$n" > /dev/null || ret=1
# Collect the query counts and compare their sum with the expected totals.
for ans_id in 2 4; do
  $DIG $DIGOPTS +short @10.53.0.$ans_id count txt > "dig.out.$ans_id.test$n" || ret=1
done
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 27 14
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
# Case: a lookup that stays within the depth limit must succeed.
n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
# Give both counting servers the same limit value.
for ans_dir in ans2 ans4; do
  echo "12" > "$ans_dir/ans.limit"
done
ns3_reset ns3/named1.conf.in
# "reset" query to each counting server (presumably zeroes its query counter).
for ans_addr in 10.53.0.2 10.53.0.4; do
  $DIG $DIGOPTS @$ans_addr reset > /dev/null || ret=1
done
# The lookup under test goes through ns3 and has to resolve.
$DIG $DIGOPTS @10.53.0.3 indirect2.example.org > "dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" > /dev/null || ret=1
# Collect the query counts and compare their sum with the expected totals.
for ans_id in 2 4; do
  $DIG $DIGOPTS +short @10.53.0.$ans_id count txt > "dig.out.$ans_id.test$n" || ret=1
done
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 50 26
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
echo_i "set max-recursion-depth=5"

# Case: with the lower depth limit loaded, a too-deep lookup must SERVFAIL.
n=$((n + 1))
echo_i "attempt excessive-depth lookup ($n)"
ret=0
# Only ans2's limit is written here; ans4/ans.limit keeps the value the
# preceding case left behind (that case wrote 12 to it).
echo "12" > ans2/ans.limit
ns3_reset ns3/named2.conf.in
# "reset" query to each counting server (presumably zeroes its query counter).
for ans_addr in 10.53.0.2 10.53.0.4; do
  $DIG $DIGOPTS @$ans_addr reset > /dev/null || ret=1
done
# The lookup under test goes through ns3 and has to fail.
$DIG $DIGOPTS @10.53.0.3 indirect3.example.org > "dig.out.1.test$n" || ret=1
grep "status: SERVFAIL" "dig.out.1.test$n" > /dev/null || ret=1
# Collect the query counts and compare their sum with the expected totals.
for ans_id in 2 4; do
  $DIG $DIGOPTS +short @10.53.0.$ans_id count txt > "dig.out.$ans_id.test$n" || ret=1
done
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 13 7
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
# Case: a lookup that stays within the lower depth limit must succeed.
n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
# Give both counting servers the same limit value.
for ans_dir in ans2 ans4; do
  echo "5" > "$ans_dir/ans.limit"
done
ns3_reset ns3/named2.conf.in
# "reset" query to each counting server (presumably zeroes its query counter).
for ans_addr in 10.53.0.2 10.53.0.4; do
  $DIG $DIGOPTS @$ans_addr reset > /dev/null || ret=1
done
# The lookup under test goes through ns3 and has to resolve.
$DIG $DIGOPTS @10.53.0.3 indirect4.example.org > "dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" > /dev/null || ret=1
# Collect the query counts and compare their sum with the expected totals.
for ans_id in 2 4; do
  $DIG $DIGOPTS +short @10.53.0.$ans_id count txt > "dig.out.$ans_id.test$n" || ret=1
done
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 22 12
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
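echo_i "set max-recursion-depth=100, max-recursion-queries=50"

# Case: a lookup needing more queries than the limit allows; ans2 must not
# see more than 50 of them.
n=$((n + 1))
echo_i "attempt excessive-queries lookup ($n)"
ret=0
echo "13" > ans2/ans.limit
echo "13" > ans4/ans.limit
ns3_reset ns3/named3.conf.in
$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect5.example.org > "dig.out.1.test$n" || ret=1
# SERVFAIL is only required when ns3 issues AAAA fetches (presumably the
# lookup stays under the query limit without them).
if ns3_sends_aaaa_queries; then
  grep "status: SERVFAIL" "dig.out.1.test$n" > /dev/null || ret=1
fi
$DIG $DIGOPTS +short @10.53.0.2 count txt > "dig.out.2.test$n" || ret=1
# The ans4 count is saved for inspection but not compared below.
$DIG $DIGOPTS +short @10.53.0.4 count txt > "dig.out.4.test$n" || ret=1
# The count arrives as quoted TXT data in a DNS response.  Keep only its
# digits, as check_query_count does, rather than passing the response to
# eval, which would run any shell syntax contained in the answer.
count=$(sed 's/[^0-9]//g;' "dig.out.2.test$n")
# An empty count makes the numeric test error out, which also counts as failure.
[ "$count" -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; }
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))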
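# Case: a lookup that fits within the query limit must succeed, and ans2
# must not see more than 50 queries.
n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "12" > ans2/ans.limit
ns3_reset ns3/named3.conf.in
$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect6.example.org > "dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" > /dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt > "dig.out.2.test$n" || ret=1
# The count arrives as quoted TXT data in a DNS response.  Keep only its
# digits, as check_query_count does, rather than passing the response to
# eval, which would run any shell syntax contained in the answer.
count=$(sed 's/[^0-9]//g;' "dig.out.2.test$n")
# An empty count makes the numeric test error out, which also counts as failure.
[ "$count" -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; }
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))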
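echo_i "set max-recursion-depth=100, max-recursion-queries=40"

# Case: a lookup needing more queries than the limit allows; ans2 must not
# see more than 40 of them.
n=$((n + 1))
echo_i "attempt excessive-queries lookup ($n)"
ret=0
echo "11" > ans2/ans.limit
ns3_reset ns3/named4.conf.in
$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect7.example.org > "dig.out.1.test$n" || ret=1
# SERVFAIL is only required when ns3 issues AAAA fetches (presumably the
# lookup stays under the query limit without them).
if ns3_sends_aaaa_queries; then
  grep "status: SERVFAIL" "dig.out.1.test$n" > /dev/null || ret=1
fi
$DIG $DIGOPTS +short @10.53.0.2 count txt > "dig.out.2.test$n" || ret=1
# The count arrives as quoted TXT data in a DNS response.  Keep only its
# digits, as check_query_count does, rather than passing the response to
# eval, which would run any shell syntax contained in the answer.
count=$(sed 's/[^0-9]//g;' "dig.out.2.test$n")
# An empty count makes the numeric test error out, which also counts as failure.
[ "$count" -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; }
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))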
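# Case: a lookup that fits within the query limit must succeed, and ans2
# must not see more than 40 queries.
n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "9" > ans2/ans.limit
ns3_reset ns3/named4.conf.in
$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect8.example.org > "dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" > /dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt > "dig.out.2.test$n" || ret=1
# The count arrives as quoted TXT data in a DNS response.  Keep only its
# digits, as check_query_count does, rather than passing the response to
# eval, which would run any shell syntax contained in the answer.
count=$(sed 's/[^0-9]//g;' "dig.out.2.test$n")
# An empty count makes the numeric test error out, which also counts as failure.
[ "$count" -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; }
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))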
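# Case: one lookup through ns3 must not fan out into 50 or more queries at
# either counting server (10.53.0.2 and 10.53.0.7).
n=$((n + 1))
echo_i "attempting NS explosion ($n)"
ret=0
ns3_reset ns3/named4.conf.in
# NOTE(review): only 10.53.0.2 receives a "reset" query here; 10.53.0.7 does
# not. Confirm that this is intended.
$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net > "dig.out.1.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt > "dig.out.2.test$n" || ret=1
# The counts arrive as quoted TXT data in DNS responses.  Keep only their
# digits, as check_query_count does, rather than passing the responses to
# eval, which would run any shell syntax contained in the answer.
count=$(sed 's/[^0-9]//g;' "dig.out.2.test$n")
# Both checks are strict (-lt); the log text now says "!<" to match, and the
# first check reports its count as the second one already did.
[ "$count" -lt 50 ] || { ret=1; echo_i "count ($count) !< 50"; }
$DIG $DIGOPTS +short @10.53.0.7 count txt > "dig.out.3.test$n" || ret=1
count=$(sed 's/[^0-9]//g;' "dig.out.3.test$n")
[ "$count" -lt 50 ] || { ret=1; echo_i "count ($count) !< 50"; }
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))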
#grep "duplicate query" ns3/named.run
# Report the number of failed cases and exit 1 if there were any.
echo_i "exit status: $status"
if [ $status -eq 0 ]; then
  :
else
  exit 1
fi