#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Driver for the inline-signing system test: pull in the shared test
# configuration, build the dig/rndc command lines used by every check, and
# wait for ns3 to apply the NSEC3 parameters before the checks begin.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# Query options: TCP + DNSSEC on the test port, plus a UDP variant.
DIGOPTS="+tcp +dnssec -p ${PORT}"
DIGUDPOPTS="+dnssec -p ${PORT}"
# rndc with the shared rndc.conf and control port; every caller appends the
# server address after the trailing -s.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0	# number of failed checks, reported at the end of the run
n=0		# running check counter, echoed with each check's description

# Switch zone nsec3 on ns3 to NSEC3 with parameters "1 0 0 -", then poll
# (at most ten one-second waits) until the NSEC3PARAM record reflects it.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1

tries=0
while [ $tries -lt 10 ]
do
	tries=$((tries + 1))
	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
	if [ "$nsec3param" = "1 0 0 -" ]; then
		break
	fi
	sleep 1
done

# Check: ns3's log must record that the unsupported algorithm was rejected
# for signing.
n=$((n + 1))
echo_i "checking that an unsupported algorithm is not used for signing ($n)"
ret=0
if ! grep -q "algorithm is unsupported" ns3/named.run; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: in an AXFR of zone nsec3 from ns3, every NSEC3 owner name carries
# exactly one RRSIG (the old signatures were replaced, not accumulated).
n=$((n + 1))
echo_i "checking that rrsigs are replaced with ksk only ($n)"
ret=0
# awk counts "RRSIG NSEC3" lines per owner ($1) and exits 1 when any owner
# has a count other than one.
$DIG $DIGOPTS @10.53.0.3 axfr nsec3. \
	| awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' \
	|| ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: poll 'rndc signing -list bits' on ns3 until it reports two
# 'Done signing' lines, i.e. the zone was signed on its initial transfer.
n=$((n + 1))
echo_i "checking that the zone is signed on initial transfer ($n)"
ret=0
# Twenty one-second tries; the index list repeats 1-10, so the second pass
# overwrites the first pass's output files.
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n.$i)
	if [ "$keys" = 2 ]; then
		break
	fi
	ret=1
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

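# Check: after ns3 loaded zone 'expired', its SOA RRSIG must no longer carry
# the stale expiration time 20110101000000 (signatures are regenerated on
# load).
n=$((n + 1))
echo_i "checking expired signatures are updated on load ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
# In dig's presentation format column 9 of an RRSIG line is the expiration
# time.  Fail when no RRSIG is present at all (the check used to pass
# silently in that case) or when any RRSIG still carries the old expiry.
awk '$4 == "RRSIG" { sigs++; if ($9 == "20110101000000") stale++ }
     END { exit (sigs == 0 || stale > 0) }' dig.out.ns3.test$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))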

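# Check: clearing one key's signing-status (private type) record with
# 'rndc signing -clear <key>' leaves exactly one 'Done signing with' record
# in zone bits.
n=$((n + 1))
echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# rndc's diagnostics go to a file and are logged afterwards: piping the loop
# straight into cat_i ran it in a subshell, so a 'ret=1' set inside was lost.
: > rndc.out.test$n
for key in $keys; do
	$RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null 2> rndc.out.test$n || ret=1
	break;	# We only want to remove 1 record for now.
done
sed 's/^/ns3 /' rndc.out.test$n | cat_i

# Poll for up to ten seconds until exactly one record remains.  'ans' starts
# as "not seen" and is only cleared on success; previously it was never set
# to 1, so exhausting the tries could not fail the check.
ans=1
for i in 1 2 3 4 5 6 7 8 9 10
do
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n.$i)
	if [ "$num" = 1 ]; then
		ans=0
		break
	fi
	sleep 1
done
[ "$ans" = 0 ] || ret=1

if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))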

# Check: asking ns6 for the private type (TYPE65534) of zone bits yields two
# answer records with the AD (authenticated data) flag set.
n=$((n + 1))
echo_i "checking private type was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
for pattern in "ANSWER: 2," "flags:.* ad[ ;]"; do
	grep -q "$pattern" dig.out.ns6.test$n || ret=1
done

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: 'rndc signing -clear all bits' removes every remaining signing-status
# record; poll ns3 until the list reports none.
n=$((n + 1))
echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1

# Up to ten one-second tries; each try keeps its own output file.
i=0
while [ $i -lt 10 ]
do
	i=$((i + 1))
	ans=0
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
	grep -q "No signing records found" signing.out.test$n.$i || ans=1
	if [ "$ans" = 0 ]; then
		break
	fi
	sleep 1
done
[ "$ans" = 0 ] || ret=1

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: once the private type records are gone, ns6's negative answer for
# TYPE65534 in zone bits is NOERROR with an empty answer section and AD set.
n=$((n + 1))
echo_i "checking negative private type response was properly signed ($n)"
ret=0
sleep 1
$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
for pattern in "status: NOERROR" "ANSWER: 0," "flags:.* ad[ ;]"; do
	grep -q "$pattern" dig.out.ns6.test$n || ret=1
done

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Add an A record for added.bits on the hidden master ns2 via dynamic update,
# then confirm ns2 serves it and that the signed copy on ns3 answers with two
# records (presumably the A record and its RRSIG).
$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add added.bits 0 A 1.2.3.4
send
EOF

n=$((n + 1))
echo_i "checking that the record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
for pattern in "status: NOERROR" "ANSWER: 1,"; do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update has been transfered and has been signed ($n)"
ret=0
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Push a new SOA with a YYYYMMDDVV serial (2011072400) to the hidden master
# ns2, then confirm the serial on ns2 and in the signed zone on ns3.
$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072400"; do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072400"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: zone noixfr on ns3 reports two 'Done signing' lines after its
# initial transfer.
n=$((n + 1))
echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
# Thirty one-second tries; the index list repeats 1-10 three times, so later
# passes overwrite the earlier output files.
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n.$i 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n.$i)
	if [ "$keys" = 2 ]; then
		break
	fi
	ret=1
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Add added.noixfr on the hidden master ns4, then confirm ns4 serves it and
# that ns3's signed copy answers with two records.
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add added.noixfr 0 A 1.2.3.4
send
EOF

n=$((n + 1))
echo_i "checking that the record is added on the hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
for pattern in "status: NOERROR" "ANSWER: 1,"; do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update has been transfered and has been signed, noixfr ($n)"
ret=0
# Thirty one-second tries; the index list repeats 1-10 three times.
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Push a SOA with serial 2011072400 to the hidden master ns4 for zone noixfr,
# then confirm the serial on ns4 and in the signed zone on ns3.
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072400"; do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072400"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: zone master on ns3 reports two 'Done signing' lines after its
# initial load.
n=$((n + 1))
echo_i "checking that the master zone signed on initial load ($n)"
ret=0
# Up to ten one-second tries, one output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n.$i)
	if [ "$keys" = 2 ]; then
		break
	fi
	ret=1
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

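# Check: clearing one key's signing-status record with
# 'rndc signing -clear <key>' leaves exactly one 'Done signing with' record
# in zone master.
n=$((n + 1))
echo_i "checking removal of private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# rndc's diagnostics go to a file and are logged afterwards: piping the loop
# straight into cat_i ran it in a subshell, so a 'ret=1' set inside was lost.
: > rndc.out.test$n
for key in $keys; do
	$RNDCCMD 10.53.0.3 signing -clear ${key} master > /dev/null 2> rndc.out.test$n || ret=1
	break;	# We only want to remove 1 record for now.
done
sed 's/^/ns3 /' rndc.out.test$n | cat_i

# Poll for up to nine seconds until exactly one record remains.  'ans' starts
# as "not seen" and is only cleared on success; previously it was never set
# to 1, so exhausting the tries could not fail the check.
ans=1
for i in 1 2 3 4 5 6 7 8 9
do
	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n.$i)
	if [ "$num" = 1 ]; then
		ans=0
		break
	fi
	sleep 1
done
[ "$ans" = 0 ] || ret=1

if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))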

# Check: asking ns6 for the private type (TYPE65534) of zone master yields
# two answer records with the AD flag set.
n=$((n + 1))
echo_i "checking private type was properly signed (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n
for pattern in "ANSWER: 2," "flags:.* ad[ ;]"; do
	grep -q "$pattern" dig.out.ns6.test$n || ret=1
done

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: 'rndc signing -clear all master' removes the remaining signing-status
# records; poll ns3 until the list reports none.
n=$((n + 1))
echo_i "checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
# Up to ten one-second tries, one output file per try.
i=0
while [ $i -lt 10 ]
do
	i=$((i + 1))
	ans=0
	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
	grep -q "No signing records found" signing.out.test$n.$i || ans=1
	if [ "$ans" = 0 ]; then
		break
	fi
	sleep 1
done
[ "$ans" = 0 ] || ret=1

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: install master2.db.in as the unsigned zone file, reload, and wait
# for e.master to answer 10.0.0.5 with two records on ns3.
n=$((n + 1))
echo_i "check adding of record to unsigned master ($n)"
ret=0
cp ns3/master2.db.in ns3/master.db
$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
# Up to nine one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n.$i
	for pattern in "10.0.0.5" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ans=1
	done
	[ "$ans" = 0 ] && break
	sleep 1
done
[ "$ans" = 0 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: a record appended to the zone file without bumping the SOA serial
# is not picked up by a reload; c.master must still be NXDOMAIN.
n=$((n + 1))
echo_i "check adding record fails when SOA serial not changed ($n)"
ret=0
printf '%s\n' "c A 10.0.0.3" >> ns3/master.db
$RNDCCMD 10.53.0.3 reload 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
if ! grep -q "NXDOMAIN" dig.out.ns3.test$n; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: with master3.db.in installed (new SOA serial), a reload makes
# c.master answer 10.0.0.3 with two records on ns3.
n=$((n + 1))
echo_i "check adding record works after updating SOA serial ($n)"
ret=0
cp ns3/master3.db.in ns3/master.db
$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
# Up to nine one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n.$i
	for pattern in "10.0.0.3" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ans=1
	done
	[ "$ans" = 0 ] && break
	sleep 1
done
[ "$ans" = 0 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

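# Check: the record added to zone master (e.master, 10.0.0.5) is served with
# two answer records and the AD flag, i.e. it was signed.
n=$((n + 1))
echo_i "check the added record was properly signed ($n)"
ret=0
# The sibling "properly signed" checks query ns6 (the output file already
# carried the ns6 name), so this one is aligned with them -- confirm against
# the test topology if ns6 is not meant to resolve zone master.
$DIG $DIGOPTS @10.53.0.6 e.master A > dig.out.ns6.test$n
# These checks used to set 'ans', which nothing read afterwards, so the test
# could never fail; they now feed 'ret' like every other check.
grep -q "10.0.0.5" dig.out.ns6.test$n || ret=1
grep -q "ANSWER: 2," dig.out.ns6.test$n || ret=1
grep -q "flags:.* ad[ ;]" dig.out.ns6.test$n || ret=1

if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))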

# Check: zone dynamic on ns3 reports two 'Done signing' lines after its
# initial load.
n=$((n + 1))
echo_i "checking that the dynamic master zone signed on initial load ($n)"
ret=0
# Up to ten one-second tries, one output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n.$i 2>&1
	keys=$(grep -c '^Done signing' signing.out.test$n.$i)
	if [ "$keys" = 2 ]; then
		break
	fi
	ret=1
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: zone updated on ns3 was edited while the server was down.  Its SOA
# serial must differ from 2000042407, e.updated must resolve with two
# records, and the signed journal must carry serial 2000042408 with a small
# diff.
n=$((n + 1))
echo_i "checking master zone that was updated while offline is correct ($n)"
ret=0
# +short SOA output: mname rname serial ...; field 3 is the serial.
serial=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA | awk '{print $3}')
# serial should have changed
if [ "$serial" = "2000042407" ]; then
	ret=1
fi
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n
for pattern in "status: NOERROR" "ANSWER: 2,"; do
	grep -q "$pattern" dig.out.ns3.test$n || ret=1
done
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
serial=$($JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}')
if [ "$serial" != "2000042408" ]; then
	ret=1
fi
diffsize=$($JOURNALPRINT ns3/updated.db.signed.jnl | wc -l)
if [ "$diffsize" -gt 13 ]; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

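# Check: a dynamic update sent to ns3 for zone dynamic creates the unsigned
# journal (which must not exist beforehand) and the added record is served
# with two answer records.
n=$((n + 1))
echo_i "checking adding of record to unsigned master using UPDATE ($n)"
ret=0

[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 ${PORT}
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; }

# Up to ten one-second tries: NOERROR, two answer records and the added
# address.  Each try writes its own dig output file (suffix .$i).
for i in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n.$i
	grep -q "status: NOERROR" dig.out.ns3.test$n.$i || ans=1
	grep -q "ANSWER: 2," dig.out.ns3.test$n.$i || ans=1
	grep -q "1.2.3.4" dig.out.ns3.test$n.$i || ans=1
	[ "$ans" = 0 ] && break
	sleep 1
done
# On failure show the last try's output.  The per-try file carries the .$i
# suffix; the un-suffixed name previously cat'ed here was never written.
[ "$ans" = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n.$i ; }

if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))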

# Check: the inline (bump-in-the-wire) signer ns3 can be stopped cleanly.
n=$((n + 1))
echo_i "stop bump in the wire signer server ($n)"
ret=0
if ! $PERL ../stop.pl inline ns3; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: ns3 restarts on the test port without cleaning its state directory.
n=$((n + 1))
echo_i "restart bump in the wire signer server ($n)"
ret=0
if ! $PERL ../start.pl --noclean --restart --port ${PORT} inline ns3; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# After the restart, push a SOA with serial 2011072450 to the hidden master
# ns2 and confirm it on ns2 and in the signed zone on ns3.
$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072450"; do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072450"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Push a SOA with serial 2011072450 to the hidden master ns4 for zone noixfr
# and confirm it on ns4 and in the signed zone on ns3.
$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072450"; do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072450"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Send the SOA update (serial 2011072460) for zone bits to the signer ns3
# rather than the master; it must be forwarded to ns2 and then appear in
# the signed zone.
$NSUPDATE << EOF
zone bits
server 10.53.0.3 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking forwarded update on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072460"; do
	grep -q "$pattern" dig.out.ns2.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking forwarded update on signed zone ($n)"
# Up to ten one-second tries, one dig output file per try.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072460"; do
		grep -q "$pattern" dig.out.ns3.test$n.$i || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Send the SOA update (serial 2011072460) for zone noixfr to the signer ns3;
# it must be forwarded to ns4 and then appear in the signed zone.
$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=$((n + 1))
echo_i "checking forwarded update on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
for pattern in "status: NOERROR" "ANSWER: 1," "2011072460"; do
	grep -q "$pattern" dig.out.ns4.test$n || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking forwarded update on signed zone, noixfr ($n)"
# Up to ten one-second tries; every try rewrites the same dig output file.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2," "2011072460"; do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check: ns5 serves zone bits unsigned (single SOA answer) before inline
# signing is switched on; then install the post-change named.conf, generate
# a zone key and a KSK (-f KSK) for bits, reload, and wait until the SOA
# answer grows to two records.
ret=0
n=$((n + 1))
echo_i "checking turning on of inline signing in a slave zone via reload ($n)"
$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
for pattern in "status: NOERROR" "ANSWER: 1,"; do
	grep -q "$pattern" dig.out.ns5.test$n || ret=1
done
# A failure at this point is an environment problem, not the feature under test.
[ "$ret" -eq 0 ] || echo_i "setup broken"
status=$((status + ret))

copy_setports ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDCCMD 10.53.0.5 reload 2>&1 | sed 's/^/ns5 /' | cat_i
# Up to ten one-second tries; every try rewrites the same dig output file.
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n
	for pattern in "status: NOERROR" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns5.test$n || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

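# Check: freezing and thawing zone dynamic on ns3 without editing the zone
# file must be logged as an unchanged ixfr-from-differences pass.
n=$((n + 1))
echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
# The failure message here was garbled ("/' < freeze.test$n"); it now names
# the command that failed, matching the thaw branch below.
$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "rndc freeze dynamic failed" ; ret=1; }
sleep 1
$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; }
sleep 1
grep -q "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))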


# Check: with zone dynamic frozen, edit ns3/dynamic.db by hand -- bump the
# serial on the line whose 2nd field is ";" and 3rd matches /serial/, append
# a TXT record -- thaw, and expect the new record to be served with two
# answer records.
n=$((n + 1))
echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
if ! $RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1; then
	ret=1
fi
sleep 1
awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
if ! $RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check added record freeze1.dynamic ($n)"
# Up to nine one-second tries; every try rewrites the same dig output file.
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# allow 1 second so that file time stamps change
sleep 1

# Check: the same edit-while-frozen sequence, but freezing and thawing the
# whole server instead of the single zone; freeze2.dynamic must then be
# served with two answer records.
n=$((n + 1))
echo_i "checking rndc freeze/thaw of server ($n)"
ret=0
if ! $RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1; then
	ret=1
fi
sleep 1
awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
if ! $RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1; then
	ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check added record freeze2.dynamic ($n)"
# Up to nine one-second tries; every try rewrites the same dig output file.
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
	for pattern in "status: NOERROR" "ANSWER: 2,"; do
		grep -q "$pattern" dig.out.ns3.test$n || ret=1
	done
	[ "$ret" -eq 0 ] && break
	sleep 1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

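# Check: 'rndc reload' succeeds and ns3 does not log that an inline-signing
# zone was "not reusable".
n=$((n + 1))
echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
# Capture rndc's output in a file before logging it: with the command inside
# a pipeline the 'ret=1' ran in a subshell, so a failed reload was never
# recorded.
$RNDCCMD 10.53.0.3 reload > rndc.out.test$n 2>&1 || ret=1
sed 's/^/ns3 /' rndc.out.test$n | cat_i
grep -q "not reusable" ns3/named.run 2>/dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))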

n=$((n + 1))
echo_i "check rndc sync removes both signed and unsigned journals ($n)"
ret=0
# Both the unsigned and the signed journal must exist before the sync ...
for jnl in ns3/dynamic.db.jnl ns3/dynamic.db.signed.jnl
do
	if [ ! -f "$jnl" ]; then ret=1; fi
done
$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
# ... and "sync -clean" must have removed both of them afterwards.
for jnl in ns3/dynamic.db.jnl ns3/dynamic.db.signed.jnl
do
	if [ -f "$jnl" ]; then ret=1; fi
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Add an A record to the "retransfer" zone on ns2 (the hidden master); the
# tests that follow check when, and by which mechanism, it reaches ns3.
$NSUPDATE <<EOF
zone retransfer
server 10.53.0.2 ${PORT}
update add added.retransfer 0 A 1.2.3.4
send

EOF

n=$((n + 1))
echo_i "checking that the retransfer record is added on the hidden master ($n)"
ret=0
# Sanity check on ns2 itself: the dynamic update above must be visible there
# (one answer record) before the transfer behaviour on ns3 is tested.
$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
if ! grep -q "status: NOERROR" dig.out.ns2.test$n; then ret=1; fi
if ! grep -q "ANSWER: 1," dig.out.ns2.test$n; then ret=1; fi
[ $ret = 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that the change has not been transfered due to notify ($n)"
ret=0
# Negative check: the record added on the hidden master must not show up on
# ns3 via NOTIFY; it is expected to arrive only through the explicit
# "rndc retransfer" exercised by the next test.  Keep polling for the whole
# period and treat a NOERROR answer at any point as a failure.
for attempt in 0 1 2 3 4 5 6 7 8 9
do
	ans=1
	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
	if grep -q "status: NOERROR" dig.out.ns3.test$n; then
		ans=0
	fi
	if [ $ans = 0 ]; then break; fi
	sleep 1
done
if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check rndc retransfer of a inline slave zone works ($n)"
ret=0
# Force a full re-transfer of the "retransfer" zone on the inline-signing
# slave, then wait (up to 10 attempts, one second apart) for the record added
# on the master to be served by ns3.  Two answer records are expected,
# presumably the A record plus its RRSIG, as DIGOPTS requests DNSSEC data.
$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
attempt=0
while [ $attempt -lt 10 ]
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
	if ! grep -q "status: NOERROR" dig.out.ns3.test$n; then ans=1; fi
	if ! grep -q "ANSWER: 2," dig.out.ns3.test$n; then ans=1; fi
	if [ $ans = 0 ]; then break; fi
	sleep 1
	attempt=$((attempt + 1))
done
if [ $ans = 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

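n=`expr $n + 1`
echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
ret=0
# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
# which means it should not yet be available on ns3.
$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n
grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
# Switch the zone to NSEC3.  An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
# to test that multiple queued "rndc signing -nsec3param" requests are handled
# properly.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone by
# commenting out its "allow-transfer { none; };" line.  The rewritten file
# replaces the live named.conf only when sed succeeded, so a failed rewrite
# cannot leave ns2 with a truncated configuration; the temporary file is
# removed otherwise.
if sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
then
	mv ns2/named.conf.new ns2/named.conf || ret=1
else
	rm -f ns2/named.conf.new
	ret=1
fi
$RNDCCMD 10.53.0.2 reconfig || ret=1
# Request ns3 to retransfer the "retransfer3" zone.
$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
# Wait until ns3 finishes building the NSEC3 chain for "retransfer3".  There is
# no need to immediately set ret=1 if building the NSEC3 chain is not finished
# within the time limit because the query we will send shortly will detect any
# problems anyway.
for i in 0 1 2 3 4 5 6 7 8 9
do
	$RNDCCMD 10.53.0.3 signing -list retransfer3 > signing.out.test$n.$i 2>&1
	keys_done=`grep -c "Done signing" signing.out.test$n.$i`
	nsec3_pending=`grep -c "NSEC3 chain" signing.out.test$n.$i`
	# Done when two "Done signing" entries (presumably one per key) are listed
	# and no "NSEC3 chain" entry remains.  Two separate tests joined with &&
	# are used instead of the ambiguous "test ... -a ...".
	if [ "$keys_done" -eq 2 ] && [ "$nsec3_pending" -eq 0 ]; then
		break
	fi
	sleep 1
done
# Check whether "retransfer3" uses NSEC3 as requested.
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ret=1
grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`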

n=$((n + 1))
echo_i "check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
# Re-issue the NSEC3 request for "retransfer3", then wait (up to 10 attempts,
# one second apart) until a query for a non-existent name is answered with
# NXDOMAIN accompanied by NSEC3 records.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n.$i
	if ! grep -q "status: NXDOMAIN" dig.out.ns3.pre.test$n.$i; then ans=1; fi
	if ! grep -q "NSEC3" dig.out.ns3.pre.test$n.$i; then ans=1; fi
	if [ $ans = 0 ]; then break; fi
	sleep 1
done
# NOTE(review): the outcome of the wait above is not checked; if NSEC3 never
# appeared, the post-retransfer check below is expected to catch it.
# Retransfer the zone and verify that it still uses NSEC3 afterwards.
$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
	if ! grep -q "status: NXDOMAIN" dig.out.ns3.post.test$n.$i; then ans=1; fi
	if ! grep -q "NSEC3" dig.out.ns3.post.test$n.$i; then ans=1; fi
	if [ $ans = 0 ]; then break; fi
	sleep 1
done
if [ $ans = 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# NOTE: The test below should be considered fragile.  More details can be found
# in the comment inside ns7/named.conf.
n=`expr $n + 1`
echo_i "check rndc retransfer of a inline nsec3 slave does not trigger an infinite loop ($n)"
ret=0
zone=nsec3-loop
# Add slave zone using rndc
$RNDCCMD 10.53.0.7 addzone $zone \
	'{ type slave; masters { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
# Wait until slave zone is fully signed using NSEC
for i in 1 2 3 4 5 6 7 8 9 0
do
	ret=1
	$RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
	keys=`grep '^Done signing' signing.out.test$n | wc -l`
	[ $keys -eq 3 ] && ret=0 && break
	sleep 1
done
# Switch slave zone to NSEC3
$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
# Wait until slave zone is fully signed using NSEC3
for i in 1 2 3 4 5 6 7 8 9 0
do
	ret=1
	nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone`
	test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
	sleep 1
done
# Attempt to retransfer the slave zone from master
$RNDCCMD 10.53.0.7 retransfer $zone
# Check whether the signer managed to fully sign the retransferred zone by
# waiting for a specific SOA serial number to appear in the logs; if this