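#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for the resolver's recursion limits (max-recursion-depth and
# max-recursion-queries).  Each case points ns3 (10.53.0.3) at a name served
# by the ans2/ans4 test servers (10.53.0.2 / 10.53.0.4), then asks those
# servers how many queries they received ("count txt") and checks that the
# number stays within the configured bound.  These limits are what keeps a
# single client query from fanning out into an unbounded number of upstream
# queries, so a regression here is a resource-exhaustion risk.
#
# echo_i, copy_setports, DIG, RNDC, PORT and CONTROLPORT come from conf.sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Deliberately expanded unquoted below so it splits into "-p" and the port.
DIGOPTS="-p ${PORT}"

status=0
n=0

# Install the named.conf template $1 on ns3, then reconfigure it and flush
# its cache so every test case starts from a cold cache.
# NOTE: the exit status of rndc is masked by the pipeline into sed; a failed
# reconfig only shows up in the log output and in the later assertions.
ns3_reset() {
  copy_setports "$1" ns3/named.conf
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/I:ns3 /'
  $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p "${CONTROLPORT}" flush | sed 's/^/I:ns3 /'
}

# Return 0 if ns3's log shows that it started AAAA fetches, 1 otherwise.
ns3_sends_aaaa_queries() {
  grep "started AAAA fetch" ns3/named.run >/dev/null || return 1
}

# Print the query count stored in dig output file $1, keeping digits only.
# The file holds a TXT answer received from a server; it is treated strictly
# as data (no eval), so nothing in it can be interpreted as shell code.
query_count_from() {
  sed 's/[^0-9]//g' "$1"
}

# Check whether the number of queries ans2 and ans4 received from ns3 is as
# expected.  The two counts are read from the dig output files $1 and $2 and
# added together.  The expected total is variable:
#   - if ns3 sends AAAA queries, the total should equal $3,
#   - if ns3 does not send AAAA queries, the total should equal $4.
# Sets ret=1 on mismatch, or when either file holds no count at all.
check_query_count() {
  count1=$(query_count_from "$1")
  count2=$(query_count_from "$2")
  expected_count_with_aaaa=$3
  expected_count_without_aaaa=$4

  # An empty count would make the numeric comparison below error out, and an
  # erroring test inside "if" is silently treated as "no mismatch".
  if [ -z "$count1" ] || [ -z "$count2" ]; then
    echo_i "no query count found in $1 or $2"
    ret=1
    return
  fi

  count=$((count1 + count2))
  #echo_i "count1=$count1 count2=$count2 count=$count"

  if ns3_sends_aaaa_queries; then
    expected_count=$expected_count_with_aaaa
  else
    expected_count=$expected_count_without_aaaa
  fi

  if [ "$count" -ne "$expected_count" ]; then
    echo_i "count $count (actual) != $expected_count (expected)"
    ret=1
  fi
}

# ans2/ans.limit and ans4/ans.limit are read by the ans2/ans4 test servers
# (not shown here); presumably they control how long the chain of lookups is
# that those servers force on ns3 -- confirm against the ans implementation.

echo_i "set max-recursion-depth=12"

n=$((n + 1))
echo_i "attempt excessive-depth lookup ($n)"
ret=0
echo "1000" >ans2/ans.limit
echo "1000" >ans4/ans.limit
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect1.example.org >"dig.out.1.test$n" || ret=1
grep "status: SERVFAIL" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.4 count txt >"dig.out.4.test$n" || ret=1
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 27 14
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "12" >ans2/ans.limit
echo "12" >ans4/ans.limit
ns3_reset ns3/named1.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect2.example.org >"dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.4 count txt >"dig.out.4.test$n" || ret=1
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 50 26
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "set max-recursion-depth=5"

n=$((n + 1))
echo_i "attempt excessive-depth lookup ($n)"
ret=0
echo "12" >ans2/ans.limit
ns3_reset ns3/named2.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect3.example.org >"dig.out.1.test$n" || ret=1
grep "status: SERVFAIL" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.4 count txt >"dig.out.4.test$n" || ret=1
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 13 7
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "5" >ans2/ans.limit
echo "5" >ans4/ans.limit
ns3_reset ns3/named2.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect4.example.org >"dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.4 count txt >"dig.out.4.test$n" || ret=1
check_query_count "dig.out.2.test$n" "dig.out.4.test$n" 22 12
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "set max-recursion-depth=100, max-recursion-queries=50"

n=$((n + 1))
echo_i "attempt excessive-queries lookup ($n)"
ret=0
echo "13" >ans2/ans.limit
echo "13" >ans4/ans.limit
ns3_reset ns3/named3.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect5.example.org >"dig.out.1.test$n" || ret=1
# SERVFAIL is only required when ns3 also issues AAAA fetches.
if ns3_sends_aaaa_queries; then
  grep "status: SERVFAIL" "dig.out.1.test$n" >/dev/null || ret=1
fi
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
$DIG $DIGOPTS +short @10.53.0.4 count txt >"dig.out.4.test$n" || ret=1
count=$(query_count_from "dig.out.2.test$n")
[ "$count" -le 50 ] || {
  ret=1
  echo_i "count ($count) !<= 50"
}
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "12" >ans2/ans.limit
ns3_reset ns3/named3.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect6.example.org >"dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
count=$(query_count_from "dig.out.2.test$n")
[ "$count" -le 50 ] || {
  ret=1
  echo_i "count ($count) !<= 50"
}
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "set max-recursion-depth=100, max-recursion-queries=40"

n=$((n + 1))
echo_i "attempt excessive-queries lookup ($n)"
ret=0
echo "11" >ans2/ans.limit
ns3_reset ns3/named4.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect7.example.org >"dig.out.1.test$n" || ret=1
# SERVFAIL is only required when ns3 also issues AAAA fetches.
if ns3_sends_aaaa_queries; then
  grep "status: SERVFAIL" "dig.out.1.test$n" >/dev/null || ret=1
fi
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
count=$(query_count_from "dig.out.2.test$n")
[ "$count" -le 40 ] || {
  ret=1
  echo_i "count ($count) !<= 40"
}
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "attempt permissible lookup ($n)"
ret=0
echo "9" >ans2/ans.limit
ns3_reset ns3/named4.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS @10.53.0.3 indirect8.example.org >"dig.out.1.test$n" || ret=1
grep "status: NOERROR" "dig.out.1.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
count=$(query_count_from "dig.out.2.test$n")
[ "$count" -le 40 ] || {
  ret=1
  echo_i "count ($count) !<= 40"
}
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "attempting NS explosion ($n)"
ret=0
ns3_reset ns3/named4.conf.in
$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1
$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net >"dig.out.1.test$n" || ret=1
# Both servers must have seen strictly fewer than 50 queries; the messages
# say "!< 50" to match the -lt comparison actually performed.
$DIG $DIGOPTS +short @10.53.0.2 count txt >"dig.out.2.test$n" || ret=1
count=$(query_count_from "dig.out.2.test$n")
[ "$count" -lt 50 ] || {
  ret=1
  echo_i "count ($count) !< 50"
}
$DIG $DIGOPTS +short @10.53.0.7 count txt >"dig.out.3.test$n" || ret=1
count=$(query_count_from "dig.out.3.test$n")
[ "$count" -lt 50 ] || {
  ret=1
  echo_i "count ($count) !< 50"
}
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#grep "duplicate query" ns3/named.run
echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1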