#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Shared system-test environment: PORT, CONTROLPORT, DIG, NSUPDATE, RNDC,
# KILL, PERL and the helpers (echo_i, digcomp, start_server, ...) used below
# are presumably all provided by this file.
. ../conf.sh

# Every dig in this test talks to the test-specific port.
DIGOPTS="-p $PORT"
# rndc prefix; callers append the server address after "-s".
RNDCCMD="$RNDC -c ../common/rndc.conf -p $CONTROLPORT -s"
#
# Uncomment when creating credential cache files.
#
# KRB5_CONFIG=`pwd`/krb/krb5.conf
#
# Procedure:
#   cd into krb and run krb/setup.sh to create new keys.
#   Run the nsupdate system test.
#   Kill the krb5kdc server started by krb/setup.sh.
#   Check with klist that the expiry date of the cached machine.ccache is in 2038.
#   Comment out KRB5_CONFIG again.
#   Re-run the nsupdate system test to confirm everything still works.
#   git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files.
#   Clean up krb.
#

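status=0    # overall exit status of the test; set to 1 by any failed check
n=0         # running check number, shown as "(... ($n))" in messages

# Presumably resets the incremental log cursor for ns3/named.run (conf.sh).
nextpartreset ns3/named.run

# wait for zone transfer to complete
#
# ns2 must have finished its initial transfer of example.nil before the
# pre-update comparison below is meaningful.  Poll for up to 10 seconds;
# a timeout is reported explicitly instead of exiting silently, so a stuck
# or failed transfer can be told apart from any other early exit.
tries=0
while ! grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null; do
    if [ "$tries" -ge 10 ]; then
        echo_i "failed: example.nil was not transferred to ns2 within ${tries}s"
        exit 1
    fi
    echo_i "zones are not fully loaded, waiting..."
    tries=`expr $tries + 1`
    sleep 1
done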

# Baseline: AXFR example.nil from the primary (ns1) and the secondary (ns2)
# and compare both against the known-good pre-update dump.  dig.out.ns1 and
# dig.out.ns2 are reused by later checks.
ret=0
echo_i "fetching first copy of zone before update"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.1 axfr > dig.out.ns1
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "fetching second copy of zone before update"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.2 axfr > dig.out.ns2
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "comparing pre-update copies to known good data"
for copy in dig.out.ns1 dig.out.ns2; do
    digcomp knowngood.ns1.before "$copy" || ret=1
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
ret=0
echo_i "updating zone"
# nsupdate will print a ">" prompt to stdout as it gets each input line.
#
# First authorized update, TSIG-signed with ns1/ddns.key.  Two things in
# the request body are intentional and must not be "normalized":
#  - "add" / "delete" are given without the leading "update" keyword;
#  - there is no explicit "send": the trailing blank line is what submits
#    the request (the post-update comparison below relies on it having
#    been sent).
$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add updated.example.nil. 600 A 10.10.10.1
add updated.example.nil. 600 TXT Foo
delete t.example.nil.

END
[ $ret = 0 ] || { echo_i "failed"; status=1; }

# Give ns1 time to apply the change and ns2 time to pick it up.
echo_i "sleeping 5 seconds for server to incorporate changes"
sleep 5
# Re-fetch both copies after the update; the primary must reflect the
# change and the secondary must have received it (IXFR/AXFR), and both
# must match the known-good post-update dump.
ret=0
echo_i "fetching first copy of zone after update"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.1 axfr > dig.out.ns1
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "fetching second copy of zone after update"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.2 axfr > dig.out.ns2
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "comparing post-update copies to known good data"
for copy in dig.out.ns1 dig.out.ns2; do
    digcomp knowngood.ns1.after "$copy" || ret=1
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
# "update-policy local" on other.nil: an update signed with the session key
# (ns1/session.key, sent from the local host with "nsupdate -l") is accepted.
ret=0
echo_i "testing local update policy"
pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
# The name must not exist yet, otherwise the check after the update proves
# nothing.
if [ -n "$pre" ]; then ret=1; fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "updating zone"
# nsupdate will print a ">" prompt to stdout as it gets each input line.
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null <<END || ret=1
zone other.nil.
update add new.other.nil. 600 IN A 10.10.10.1
send
END
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

echo_i "sleeping 5 seconds for server to incorporate changes"
sleep 5

ret=0
echo_i "checking result of update"
post=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
if [ "$post" != "10.10.10.1" ]; then ret=1; fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "comparing post-update copy to known good data"
# dig.out.ns1 is still the post-update AXFR of example.nil fetched earlier;
# the other.nil change must not have disturbed it.
digcomp knowngood.ns1.after dig.out.ns1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
# Zone consistency checks on other.nil (session key, local host): adding an
# NS record pointing at an in-zone name is refused unless that name has an
# A or AAAA record, either already present or added in the same request.
ret=0
echo_i "testing zone consistency checks"
# inserting an NS record without a corresponding A or AAAA record should fail
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END
update add other.nil. 600 in ns ns3.other.nil.
send
END
test $? -eq 0 && ret=1
grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
# ...but should work if an A record is inserted first:
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END
update add ns4.other.nil 600 in a 10.53.0.1
send
update add other.nil. 600 in ns ns4.other.nil.
send
END
test $? -ne 0 && ret=1
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
# ...or if an AAAA record does:
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END
update add ns5.other.nil 600 in aaaa 2001:db8::1
send
update add other.nil. 600 in ns ns5.other.nil.
send
END
test $? -ne 0 && ret=1
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
# ...or if the NS and A/AAAA are inserted together:
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END
update add other.nil. 600 in ns ns6.other.nil.
update add ns6.other.nil 600 in a 10.53.0.1
send
END
test $? -ne 0 && ret=1
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

echo_i "sleeping 5 seconds for server to incorporate changes"
sleep 5

ret=0
echo_i "checking result of update"
$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1
# ns3 must be absent (its update was refused); ns4, ns5 and ns6 present.
grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1
for nsname in ns4.other.nil ns5.other.nil ns6.other.nil; do
    grep "$nsname" dig.out.ns1 > /dev/null 2>&1 || ret=1
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
# check-mx: three zones on ns1 with (presumably) "check-mx ignore", "warn"
# and "fail" respectively.  An MX whose exchange is a bare IP address must be
# accepted silently, accepted with a logged warning, or REFUSED.
ret=0
echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1
server 10.53.0.1 ${PORT}
update add mx03.example.nil 600 IN MX 10 10.53.0.1
send
END
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
# "ignore": no warning may be logged.
grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
update add mx03.other.nil 600 IN MX 10 10.53.0.1
send
END
grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
# "warn": accepted, but the warning must appear in the log.
grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
$NSUPDATE > nsupdate.out 2>&1 << END && ret=1
server 10.53.0.1 ${PORT}
update add mx03.update.nil 600 IN MX 10 10.53.0.1
send
END
# "fail": REFUSED, and the reason logged.
grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "check SIG(0) key is accepted"
# Generate a KEY-type (SIG(0)) key pair named "xxx" and check that nsupdate
# accepts its private key file with -k.  stdin is empty, so no request is
# ever built or sent; this only exercises key loading.
# NOTE(review): NSEC3RSASHA1 with a 1024-bit modulus is a weak choice by
# current standards and is only tolerable here because nothing is signed
# or verified; do not copy these parameters into anything that is.  The
# generated K*.key / K*.private files are left in the test directory
# (presumably removed by the test's clean-up script).
key=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`
echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=$((n + 1))
ret=0
echo_i "check TYPE=0 update is rejected by nsupdate ($n)"
# nsupdate is expected to exit non-zero and report "unknown class/type"
# for the reserved type 0 rather than build the request.
$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
    server 10.53.0.1 ${PORT}
    ttl 300
    update add example.nil. in type0 ""
    send
END
if ! grep "unknown class/type" nsupdate.out > /dev/null 2>&1; then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
n=$((n + 1))
ret=0
echo_i "check TYPE=0 prerequisite is handled ($n)"
# An NXRRSET prerequisite on type 0 is sent to ns1 and expected to succeed;
# the CH version.bind query afterwards confirms the server is still up.
$NSUPDATE -k ns1/ddns.key <<END > nsupdate.out 2>&1 || ret=1
    server 10.53.0.1 ${PORT}
    prereq nxrrset example.nil. type0
    send
END
$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
if ! grep "status: NOERROR" dig.out.ns1.$n > /dev/null; then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
# The next three checks send hand-built UPDATE messages (hex, via
# ../packet.pl over TCP) that nsupdate itself would refuse to construct.
# The reply is discarded; the only assertion is that ns1 still answers a
# CH version.bind query afterwards, i.e. the malformed input did not crash
# or wedge the server.
n=`expr $n + 1`
ret=0
echo_i "check that TYPE=0 update is handled ($n)"
# Decodes as: id a0e4, flags 2800 (opcode UPDATE), ZOCOUNT 1, PRCOUNT 0,
# UPCOUNT 1, ADCOUNT 0; zone "." SOA IN; update RR "." type 0 class NONE
# (0xfe) TTL 0 RDLENGTH 0.
echo "a0e4280000010000000100000000060001c00c000000fe000000000000" |
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }

n=`expr $n + 1`
ret=0
echo_i "check that TYPE=0 additional data is handled ($n)"
# Same as above but with the type 0 / class NONE RR in the additional
# section (ZOCOUNT 1, PRCOUNT 0, UPCOUNT 0, ADCOUNT 1).
echo "a0e4280000010000000000010000060001c00c000000fe000000000000" |
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }

n=`expr $n + 1`
ret=0
echo_i "check that update to undefined class is handled ($n)"
# Zone section "." SOA with the undefined class 0x0101, plus one
# prerequisite RR of type 0 / class NONE (ZOCOUNT 1, PRCOUNT 1).
echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
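n=`expr $n + 1`
ret=0
echo_i "check that address family mismatch is handled ($n)"
# The server is an IPv6 address while the requested local (source) address
# is IPv4; nsupdate is expected to exit non-zero.  The update line is
# deliberately well-formed (owner, TTL, class, type, rdata) so that the
# address-family mismatch is the only reason nsupdate can fail: the
# previous form put the TTL where the owner name belongs, which made
# nsupdate fail at parse time and would have passed this check even with
# the mismatch detection missing entirely.
$NSUPDATE <<END > /dev/null 2>&1 && ret=1
server ::1
local 127.0.0.1
update add txt.example.nil 600 in txt "test"
send
END
[ $ret = 0 ] || { echo_i "failed"; status=1; }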
n=$((n + 1))
ret=0
echo_i "check that unixtime serial number is correctly generated ($n)"
# unixtime.nil presumably uses "serial-update-method unixtime": after an
# update the SOA serial must change and must lie within the [start, now]
# window measured around the update.
$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1
oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1
start=$($PERL -e 'print time()."\n";')
$NSUPDATE <<END > /dev/null 2>&1 || ret=1
    server 10.53.0.1 ${PORT}
    ttl 600
    update add new.unixtime.nil in a 1.2.3.4
    send
END
now=$($PERL -e 'print time()."\n";')
sleep 1
$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1
serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1
if [ "$oldserial" = "$serial" ]; then
    echo_i "oldserial == serial"
    ret=1
fi
if [ "$serial" -lt "$start" ]; then
    echo_i "out-of-range serial=$serial < start=$start"
    ret=1
elif [ "$serial" -gt "$now" ]; then
    echo_i "out-of-range serial=$serial > now=$now"
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
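ret=0
# The Net::DNS-driven part is optional: skipped (with a note on stderr)
# when the module is not installed.
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
    echo_i "running update.pl test"
    # Capture update_test.pl's stdout to a file and feed it through cat_i
    # afterwards.  The former "{ ... || ret=1; } | cat_i" form ran the
    # brace group on the left-hand side of a pipeline, i.e. in a subshell,
    # so the "ret=1" it set on failure was lost and a failing
    # update_test.pl could never mark this test as failed.
    $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > update_test.out || ret=1
    cat_i < update_test.out
    # Only with Net::DNS >= 1.01 is the NSEC3PARAM-with-151-iterations case
    # (presumably driven by update_test.pl) expected to reach named and be
    # logged as rejected; the die() message for older versions goes to
    # stderr as a hint and the log check is skipped.
    if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null
    then
        grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1
    fi
    [ $ret -ne 0 ] && { echo_i "failed"; status=1; }
else
    echo_i "The second part of this test requires the Net::DNS library." >&2
fi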

# Snapshot example.nil from both servers and check they agree; dig.out.ns1
# is also the reference for the hard-restart comparison that follows.
ret=0
echo_i "fetching first copy of test zone"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.1 axfr > dig.out.ns1
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "fetching second copy of test zone"
if ! $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        example.nil. @10.53.0.2 axfr > dig.out.ns2
then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

ret=0
echo_i "comparing zones"
if ! digcomp dig.out.ns1 dig.out.ns2; then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
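echo_i "SIGKILL and restart server ns1"
# Hard-kill the primary (no chance to flush anything), bring it back and
# check that the zone it serves afterwards matches the AXFR taken just
# before the kill.  Paths are given relative to the test directory on
# purpose: the previous "cd ns1 ... cd .." form would have run
# "rm named.pid" and everything after it in the wrong directory had the
# cd failed.
if [ -f ns1/named.pid ]; then
	$KILL -KILL `cat ns1/named.pid`
	rm -f ns1/named.pid
else
	echo_i "ns1/named.pid is missing; cannot SIGKILL ns1"
fi
sleep 10
if
	start_server --noclean --restart --port ${PORT} nsupdate ns1
then
	echo_i "restarted server ns1"
else
	echo_i "could not restart server ns1"
	exit 1
fi
sleep 10

ret=0
echo_i "fetching ns1 after hard restart"
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
	@10.53.0.1 axfr > dig.out.ns1.after || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }

ret=0
echo_i "comparing zones"
# dig.out.ns1 is the AXFR taken before the SIGKILL.
digcomp dig.out.ns1 dig.out.ns1.after || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }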
# RT #482 regression: update the primary, reload the secondary (SIGHUP, or
# rndc reload on Cygwin where signals are not usable), repeat, and make sure
# the secondary never logs "out of sync".  The fixed sleeps give each update
# time to be applied and transferred before the next step.
echo_i "begin RT #482 regression test"

ret=0
echo_i "update primary"
$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add updated2.example.nil. 600 A 10.10.10.2
update add updated2.example.nil. 600 TXT Bar
update delete c.example.nil.
send
END
[ $ret = 0 ] || { echo_i "failed"; status=1; }

sleep 5

if [ ! "$CYGWIN" ]; then
    echo_i "SIGHUP secondary"
    $KILL -HUP `cat ns2/named.pid`
else
    echo_i "reload secondary"
    rndc_reload ns2 10.53.0.2
fi

sleep 5

ret=0
echo_i "update primary again"
# "del" is nsupdate's abbreviated form of "update delete".
$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add updated3.example.nil. 600 A 10.10.10.3
update add updated3.example.nil. 600 TXT Zap
del d.example.nil.
send
END
[ $ret = 0 ] || { echo_i "failed"; status=1; }

sleep 5

if [ ! "$CYGWIN" ]; then
    echo_i "SIGHUP secondary again"
    $KILL -HUP `cat ns2/named.pid`
else
    echo_i "reload secondary again"
    rndc_reload ns2 10.53.0.2
fi

sleep 5

echo_i "check to 'out of sync' message"
# grep output is intentionally not suppressed so the offending log line
# shows up in the test output on failure.
if grep "out of sync" ns2/named.run
then
	echo_i "failed (found 'out of sync')"
	status=1
fi

echo_i "end RT #482 regression test"
n=$((n + 1))
ret=0
echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)"
# nsupdate's exit status is not checked here; the dig below decides.
$NSUPDATE << EOF
server 10.53.0.3 ${PORT}
update add example 3600 nsec3param 1 0 0 -
send
EOF

# the zone is not signed.  The nsec3param records should be removed.
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example. \
        @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
# Expect an empty but authoritative answer.
if ! grep "ANSWER: 0," dig.out.ns3.$n > /dev/null; then
    ret=1
fi
if ! grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null; then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
n=$((n + 1))
ret=0
echo_i "change the NSEC3PARAM ttl via update ($n)"
# Re-add the existing NSEC3PARAM (iterations=1) with TTL 3600; the single
# record must come back with the new TTL, authoritatively.
$NSUPDATE << EOF
server 10.53.0.3 ${PORT}
update add nsec3param.test 3600 NSEC3PARAM 1 0 1 -
send
EOF

$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test. \
        @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
for pattern in "ANSWER: 1," "3600.*NSEC3PARAM" "flags:[^;]* aa[ ;]"; do
    grep "$pattern" dig.out.ns3.$n > /dev/null || ret=1
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi
n=$((n + 1))
ret=0
echo_i "add a new NSEC3PARAM via update ($n)"
# Add a second NSEC3PARAM (iterations=4) next to the existing one.  The
# server applies this asynchronously, so poll for up to ~10 s until both
# records are visible instead of sleeping a fixed time.
$NSUPDATE << EOF
server 10.53.0.3 ${PORT}
update add nsec3param.test 3600 NSEC3PARAM 1 0 4 -
send
EOF

seen=0
try=0
while [ "$try" -lt 10 ]; do
	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n
	if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
		seen=1
		break
	fi
	sleep 1
	try=$((try + 1))
done

if [ "$seen" -eq 0 ]; then ret=1; fi
grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=$((ret + status)); fi
n=`expr $n + 1`
ret=0
echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)"
# Replace the whole NSEC3PARAM RRset (iterations 1 and 4) with a single
# record (iterations=5) at TTL 7200, in one request.
$NSUPDATE << EOF
server 10.53.0.3 ${PORT}
update delete nsec3param.test NSEC3PARAM
update add nsec3param.test 7200 NSEC3PARAM 1 0 5 -
send
EOF

# Poll (up to ~10 s) until the RRset has collapsed to one record.
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
	if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
		_ret=0
		break
	fi
	sleep 1
done

if [ $_ret -ne 0 ]; then ret=1; fi
grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
# Inspect the journal to confirm how the change was applied: the old
# records first had their TTL raised to 7200 ...
$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n
# intermediate TTL changes.
grep "add nsec3param.test.	7200	IN	NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test.	7200	IN	NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1
# ... and the actual add/removes were queued as TYPE65534 (named's private
# signing-state type, presumably) records rather than applied immediately.
# delayed adds and deletes.
grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $ret + $status`; fi
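ret=0
echo_i "testing that rndc stop updates the file"
# Add a record, stop ns1 cleanly through rndc, discard the journal and
# restart: whatever the restarted server answers for updated4.example.nil
# can only have come from the zone file written out by "rndc stop".
$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add updated4.example.nil. 600 A 10.10.10.3
send
END
sleep 3
$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} nsupdate ns1
sleep 3
# Removing the journal file and restarting the server means
# that the data served by the new server process are exactly
# those dumped to the file by "rndc stop".
rm -f ns1/*jnl
# A failed restart used to go unnoticed until the poll below timed out;
# report it so the log says why the comparison failed.
start_server --noclean --restart --port ${PORT} nsupdate ns1 || {
    echo_i "could not restart server ns1"
    ret=1
}
# Poll (up to ~10 s) rather than sleep a fixed time: the server may need a
# moment after the restart before it answers.
for try in 0 1 2 3 4 5 6 7 8 9; do
    iret=0
    $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
	updated4.example.nil. @10.53.0.1 a > dig.out.ns1 || iret=1
    digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1
    [ "$iret" -eq 0 ] && break
    sleep 1
done
[ "$iret" -ne 0 ] && ret=1
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }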
ret=0
echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file"
# stdin is empty, so nothing is sent; only the error message on stderr
# matters, and it must name the file that could not be opened.
$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null
if ! grep ns1/nonexistent.key nsupdate.out > /dev/null; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy local' works from localhost address ($n)"
# Session key plus a loopback source address: the update must be accepted
# and the record must become visible on ns5.
$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1
server 10.53.0.5 ${PORT}
local 127.0.0.1
update add fromlocal.local.nil. 600 A 1.2.3.4
send
END
if grep REFUSED nsupdate.out.$n > /dev/null 2>&1; then
    ret=1
fi
$DIG $DIGOPTS @10.53.0.5 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        fromlocal.local.nil. > dig.out.ns5.$n || ret=1
if ! grep fromlocal dig.out.ns5.$n > /dev/null 2>&1; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy local' fails from non-localhost address ($n)"
# Possession of the session key alone must not be enough: the same key
# sent from a non-loopback source address must be REFUSED, the server must
# log why, and the record must not appear.
# Make sure the log line is not already there from an earlier run.
if grep 'match on session key not from localhost' ns5/named.run > /dev/null; then
    ret=1
fi
$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
server 10.53.0.5 ${PORT}
local 10.53.0.1
update add nonlocal.local.nil. 600 A 4.3.2.1
send
END
if ! grep REFUSED nsupdate.out.$n > /dev/null 2>&1; then
    ret=1
fi
if ! grep 'match on session key not from localhost' ns5/named.run > /dev/null; then
    ret=1
fi
$DIG $DIGOPTS @10.53.0.5 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        nonlocal.local.nil. > dig.out.ns5.$n || ret=1
if grep nonlocal dig.out.ns5.$n > /dev/null 2>&1; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)"
# tcp-self grants a client the right to update the PTR for its own source
# address, but only over TCP (a UDP source address is trivially spoofable);
# the same request over UDP must be REFUSED and leave no record behind.
$NSUPDATE > nsupdate.out.$n 2>&1 << END
server 10.53.0.6 ${PORT}
local 127.0.0.1
update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
send
END
if ! grep REFUSED nsupdate.out.$n > /dev/null 2>&1; then
    ret=1
fi
$DIG $DIGOPTS @10.53.0.6 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        -x 127.0.0.1 > dig.out.ns6.$n
if grep localhost. dig.out.ns6.$n > /dev/null 2>&1; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)"
# Same request as before but over TCP (-v): the PTR for the client's own
# address (127.0.0.1) must be accepted and become visible.
$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1
server 10.53.0.6 ${PORT}
local 127.0.0.1
update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
send
END
if grep REFUSED nsupdate.out.$n > /dev/null 2>&1; then
    ret=1
fi
$DIG $DIGOPTS @10.53.0.6 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        -x 127.0.0.1 > dig.out.ns6.$n || ret=1
if ! grep localhost. dig.out.ns6.$n > /dev/null 2>&1; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)"
# Over TCP from 127.0.0.1, but targeting the PTR of a different address
# (192.168.0.1): must be REFUSED, and no record may appear.
$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
server 10.53.0.6 ${PORT}
local 127.0.0.1
update add 1.0.168.192.in-addr.arpa. 600 PTR localhost.
send
END
if ! grep REFUSED nsupdate.out.$n > /dev/null 2>&1; then
    ret=1
fi
$DIG $DIGOPTS @10.53.0.6 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        -x 192.168.0.1 > dig.out.ns6.$n
if grep localhost. dig.out.ns6.$n > /dev/null 2>&1; then
    ret=1
fi
[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
# The TSIG key "restricted.example.nil" is granted "subdomain
# restricted.example.nil": a name at/below that point is accepted ...
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
key restricted.example.nil 1234abcd8765
update add restricted.example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
if ! grep "TXT.*everywhere" dig.out.1.test$n > /dev/null; then
    ret=1
fi
# ... while the zone apex, which is outside that subtree, must be refused
# and stay untouched.
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
key restricted.example.nil 1234abcd8765
update add example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
if grep "TXT.*everywhere" dig.out.2.test$n > /dev/null; then
    ret=1
fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

n=$((n + 1))
ret=0
echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
# grant zonesub-key.example.nil zonesub TXT;
# The type list is part of the grant: an A record update with this key
# must be REFUSED and leave nothing behind ...
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
key zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN A 1.2.3.4
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
for check in "status: REFUSED:nsupdate.out1-$n" "ANSWER: 0,:dig.out.1.test$n"; do
    grep "${check%%:*}" "${check#*:}" > /dev/null || ret=1
done
# ... whereas a TXT record, which is in the type list, is accepted.
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
key zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
if grep "status: REFUSED" nsupdate.out2-$n > /dev/null; then
    ret=1
fi
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; status=1; fi

n=$((n + 1))
ret=0
echo_i "check 'grant' in deny name + grant subdomain ($n)"
# ns9's policy for denyname.example (configured on ns9, not shown here)
# combines a deny on the apex name with a grant on its subdomain; an
# update to foo.denyname.example falls under the grant and must succeed.
$NSUPDATE <<END > nsupdate.out-$n 2>&1 || ret=1
key hmac-sha256:subkey 1234abcd8765
server 10.53.0.9 ${PORT}
zone denyname.example
update add foo.denyname.example 3600 IN TXT added
send
END
$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
if ! grep "added" dig.out.ns9.test$n > /dev/null; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check 'deny' in deny name + grant subdomain ($n)"
# Counterpart of the previous check: the apex name denyname.example is
# covered by the deny rule, so this update must be rejected (nsupdate
# exits non-zero) and the TXT record must not become visible.
$NSUPDATE <<END > nsupdate.out-$n 2>&1 && ret=1
key hmac-sha256:subkey 1234abcd8765
server 10.53.0.9 ${PORT}
zone denyname.example
update add denyname.example 3600 IN TXT added
send
END
$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
if grep "added" dig.out.ns9.test$n > /dev/null; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
# Fetch the current DNSKEY RRset of dnskey.test (TTL 10), rewrite every
# record into an "update add" with TTL 600 and feed that to nsupdate.
# nsupdate's own exit status is deliberately not inspected here; the
# dig below decides the outcome.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
    @10.53.0.3 dnskey |
    sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
    { echo server 10.53.0.3 ${PORT}; cat -; echo send; } |
    $NSUPDATE

$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
    @10.53.0.3 any > dig.out.ns3.$n

# The DNSKEY RRset must now carry the new TTL ...
grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
# ... and the TTL change alone must not have created a TYPE65534 record
# (BIND's private type for signing state).
if grep TYPE65534 dig.out.ns3.$n > /dev/null; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check notify with TSIG worked ($n)"
# The alternate view on ns2 only acts on a NOTIFY that is validly signed
# with "altkey"; when it does, the zone file ns2/update.alt.bk gets
# created.  Its presence is therefore the evidence that the signed
# notify was accepted.
test -f ns2/update.alt.bk || ret=1
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check type list options ($n)"
# -T prints nsupdate's standard type list, -P the private (BIND-specific)
# type list and -TP both.  ANY and KEYDATA must be absent from all three
# listings; AAAA is a standard type and so must show up for -T and -TP
# but not for -P.
$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; }
$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; }
$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; }
for opt in T P TP; do
    if grep ANY typelist.out.${opt}.${n} > /dev/null; then
        ret=1
        echo_i "failed: ANY found (-${opt})"
    fi
done
for opt in T P TP; do
    if grep KEYDATA typelist.out.${opt}.${n} > /dev/null; then
        ret=1
        echo_i "failed: KEYDATA found (-${opt})"
    fi
done
grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; }
grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; }
grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; }
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

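n=$((n + 1))
ret=0
echo_i "check command list ($n)"
# Feed each line of the "commandlist" file to nsupdate on its own, once as
# written and once with a trailing space.  Exit status 0 or 1 is
# acceptable (the command parsed, whether or not an update went through);
# anything above 1 is treated as nsupdate choking on the command.
# The loop runs in a subshell whose stdin is the file, so its verdict is
# handed back through "exit $ret".
# read -r keeps backslashes in the command text literal, and printf
# rather than echo keeps a command that starts with "-" from being taken
# as an echo option.
(
    while read -r cmd; do
        printf '%s\n' "$cmd" | $NSUPDATE > /dev/null 2>&1
        rc=$?
        if [ "$rc" -gt 1 ]; then
            echo_i "failed ($cmd)"
            ret=1
        fi
        printf '%s\n' "$cmd " | $NSUPDATE > /dev/null 2>&1
        rc=$?
        if [ "$rc" -gt 1 ]; then
            echo_i "failed ($cmd)"
            ret=1
        fi
    done
    exit $ret
) < commandlist || ret=1
if [ $ret -ne 0 ]; then
    status=1
fi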

n=$((n + 1))
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
# One key file per HMAC algorithm lives in ns1/<alg>.key.  Each signed
# update adds an A record under keytests.nil; ns1 must accept all of them
# and serve the record afterwards.
hmac_algs="md5 sha1 sha224 sha256 sha384 sha512"
# $hmac_algs is word-split on purpose.
for alg in $hmac_algs; do
    $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
send
END
done
# give the server a moment to apply the updates before querying
sleep 2
for alg in $hmac_algs; do
    if ! $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1; then
        ret=1
    fi
done
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
# Same algorithms as the -k check, but the secret is pulled out of the key
# file and handed to nsupdate inline with -y ("hmac-<alg>:<name>:<secret>").
# Note that -y puts the secret on the command line, where it is visible to
# process listings; the option is exercised here only to prove it agrees
# with -k.  A distinct address (10.10.10.50) keeps the result separate from
# the -k check's record.
hmac_algs="md5 sha1 sha224 sha256 sha384 sha512"
# $hmac_algs is word-split on purpose.
for alg in $hmac_algs; do
    secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
    $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.50
send
END
done
# give the server a moment to apply the updates before querying
sleep 2
for alg in $hmac_algs; do
    if ! $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1; then
        ret=1
    fi
done
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that ttl is capped by max-ttl ($n)"
# max-ttl.nil is configured on ns1 with a maximum TTL (the value 300 is
# what the greps below expect).  A record added with TTL 600 must come back
# capped to 300, while one added with TTL 150 must keep its TTL.
$NSUPDATE <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add cap.max-ttl.nil. 600 A 10.10.10.3
update add nocap.max-ttl.nil. 150 A 10.10.10.3
send
END
# give the server a moment to apply the update before querying
sleep 2
# the patterns contain a literal tab between the owner name and the TTL
if ! $DIG $DIGOPTS @10.53.0.1  cap.max-ttl.nil | grep "^cap.max-ttl.nil.	300" > /dev/null 2>&1; then
    ret=1
fi
if ! $DIG $DIGOPTS @10.53.0.1  nocap.max-ttl.nil | grep "^nocap.max-ttl.nil.	150" > /dev/null 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "add a record which is truncated when logged. ($n)"
# "verylarge" is an nsupdate script in the test directory that adds a TXT
# record at txt.update.nil too long to be logged in full.  The update
# must succeed, the record must be served, and ns1's log line for it must
# have been cut short with a "[TRUNCATED]" marker.
$NSUPDATE verylarge || ret=1
$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n
grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
if ! grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]"  ns1/named.run > /dev/null; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
ret=0
echo_i "check that yyyymmddvv serial number is correctly generated ($n)"
# yyyymmddvv.nil uses date-based serial numbers.  Record the SOA serial,
# push an update, and require that the new serial differs from the old one
# and equals today's date in YYYYMMDD form followed by "00".
# Note: "|| ret=1" on the assignments only sees awk's exit status, the
# last command in the pipeline, not dig's.  The "now" value is computed
# after the update, so a run that straddles midnight can fail spuriously.
oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
$NSUPDATE <<END > /dev/null 2>&1 || ret=1
    server 10.53.0.1 ${PORT}
    ttl 600
    update add new.yyyymmddvv.nil in a 1.2.3.4
    send
END
now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
# give the server a moment to apply the update before querying
sleep 1
serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
if [ "$oldserial" -eq "$serial" ]; then
    ret=1
fi
if [ "$serial" -ne "$now" ]; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

#
#  Refactor to use perl to launch the parallel updates.
#
# Disabled (if false): fires 8x8 concurrent updates at the update forwarder
# ns3 from nested background subshells and then expects all 64 A records
# to show up in an AXFR from ns1.  Note that the "dig" inside uses neither
# $DIG nor $DIGOPTS, so it would not reach the test port as written; that
# needs fixing before this block is ever re-enabled.
if false; then
    n=$((n + 1))
    echo_i "send many simultaneous updates via a update forwarder ($n)"
    ret=0
    for i in 0 1 2 3 4 5 6 7; do
        (
            for j in 0 1 2 3 4 5 6 7; do
                (
                    $NSUPDATE << EOF
server 10.53.0.3 ${PORT}
zone many.test
update add $i-$j.many.test 0 IN A 1.2.3.4
send
EOF
                ) &
            done
            wait
        ) &
    done
    wait
    dig axfr many.test @10.53.0.1 > dig.out.test$n
    lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n)
    if [ "${lines:-0}" -ne 64 ]; then
        ret=1
    fi
    [ $ret -eq 0 ] || { echo_i "failed"; status=1; }
fi

n=$((n + 1))
echo_i "check max-journal-size limits ($n)"
ret=0
rm -f nsupdate.out1-$n

# Size in bytes of the journal file for maxjournal.test on ns1.
maxjournal_jnl_size() {
    $PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl
}

# add one record
$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
server 10.53.0.1 ${PORT}
zone maxjournal.test
update add z.maxjournal.test 300 IN A 10.20.30.40
send
EOF
# repeatedly add and remove the same set of records to fill up
# the journal file without changing the zone content (21 rounds)
round=0
while [ $round -le 20 ]; do
    $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
server 10.53.0.1 ${PORT}
zone maxjournal.test
update add a.maxjournal.test 300 IN A 1.2.3.4
update add b.maxjournal.test 300 IN A 1.2.3.4
update add c.maxjournal.test 300 IN A 1.2.3.4
update add d.maxjournal.test 300 IN A 1.2.3.4
send
update del a.maxjournal.test
update del b.maxjournal.test
update del c.maxjournal.test
update del d.maxjournal.test
send
EOF
    round=$((round + 1))
done
# check that the journal is big enough to require truncation.
size=$(maxjournal_jnl_size)
if [ "$size" -le 6000 ]; then
    ret=1
fi
sleep 1
# "rndc sync" is what triggers the journal trim; the size must then drop
# below 5000 within the retry window.
$RNDCCMD 10.53.0.1 sync maxjournal.test
check_size_lt_5000() (
    size=$(maxjournal_jnl_size)
    [ "$size" -lt 5000 ]
)
retry_quiet 20 check_size_lt_5000 || ret=1
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
echo_i "check check-names processing ($n)"
ret=0
# nsupdate validates host names by default: "#" is not a legal owner name
# for an A record and not a legal MX target.  With "check-names off" the
# same input must be accepted without those diagnostics.  nsupdate's exit
# status is ignored here; only its diagnostics are inspected.
$NSUPDATE << EOF > nsupdate.out1-$n 2>&1
update add # 0 in a 1.2.3.4
EOF
grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1

$NSUPDATE << EOF > nsupdate.out2-$n 2>&1
check-names off
update add # 0 in a 1.2.3.4
EOF
if grep "bad owner" nsupdate.out2-$n > /dev/null; then
    ret=1
fi

$NSUPDATE << EOF > nsupdate.out3-$n 2>&1
update add . 0 in mx 0 #
EOF
grep "bad name" nsupdate.out3-$n > /dev/null || ret=1

$NSUPDATE << EOF > nsupdate.out4-$n 2>&1
check-names off
update add . 0 in mx 0 #
EOF
if grep "bad name" nsupdate.out4-$n > /dev/null; then
    ret=1
fi

[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
echo_i "check adding of delegating NS records processing ($n)"
ret=0
# Adding NS records below the apex of delegation.test creates a delegation
# for child.delegation.test.  ns3 must accept the update and then answer
# an NS query for the child with NOERROR and both names in the authority
# section (a referral rather than an authoritative answer).
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update add child.delegation.test. 3600 NS foo.example.net.
update add child.delegation.test. 3600 NS bar.example.net.
send
EOF
$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
for want in "status: NOERROR" "AUTHORITY: 2"; do
    if ! grep "$want" dig.out.ns1.test$n > /dev/null 2>&1; then
        ret=1
    fi
done
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=$((n + 1))
echo_i "check deleting of delegating NS records processing ($n)"
ret=0
# Undo the delegation created by the previous check.  Once both NS records
# are gone, child.delegation.test no longer exists and ns3 must answer
# NXDOMAIN for it.
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
server 10.53.0.3 ${PORT}
zone delegation.test.
update del child.delegation.test. 3600 NS foo.example.net.
update del child.delegation.test. 3600 NS bar.example.net.
send
EOF
$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
if ! grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || { echo_i "failed"; status=1; }

n=`expr $n + 1`
echo_i "check that adding too many records is blocked ($n)"
ret=0
$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
server 10.53.0.3 ${PORT}