#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# conf.sh supplies the helpers used below (echo_i, cat_i, digcomp, retry,
# wait_for_log, ...) and the DIG/RNDC/PORT/CONTROLPORT settings — presumably;
# verify against conf.sh.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# accumulated failure count and running check number
status=0
n=0

# dig options shared by every query below; RNDCCMD is completed with the
# server address at each call site
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
RNDCCMD="${RNDC} -c ${SYSTEMTESTTOP}/common/rndc.conf -p ${CONTROLPORT} -s"
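# convert private-type records to readable form
#
# Arguments: $1 - zone name, $2 - server address
# Outputs:   a "-- args --" banner followed by one decoded line per
#            TYPE65534 record; the perl snippet dies on a record whose
#            rdata is not exactly 5 bytes
showprivate () {
    echo "-- $* --"
    # "+short" prints the unknown-type rdata as "\# <len> <hex>"; field 3 is the hex
    $DIG $DIGOPTS +nodnssec +short @"$2" -t type65534 "$1" | cut -f3 -d' ' |
        while read -r record; do
            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
                die "invalid record" unless length($rdata) == 5;
                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                my $action = "signing";
                $action = "removing" if $remove;
                my $state = " (incomplete)";
                $state = " (complete)" if $complete;
                print ("$action: alg: $alg, key: $key$state\n");' "$record"
        done
}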

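# check that signing records are marked as complete
#
# Arguments: $1 - zone name, $2 - server address,
#            $3 - expected result (default 0): 0 = all records complete,
#                 1 = at least one record still incomplete
# Returns:   0 when the observed state matches $3; otherwise prints the
#            decoded records plus "failed" and returns 1
checkprivate () {
    _ret=0
    expected="${3:-0}"
    # all three arguments are passed on so the banner shows the full call
    x=$(showprivate "$@")
    # any "(incomplete)" marker means signing is still in progress
    printf '%s\n' "$x" | grep incomplete > /dev/null && _ret=1

    if [ "$_ret" = "$expected" ]; then
        return 0
    fi

    echo "$x"
    echo_i "failed"
    return 1
}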

# wait until notifies for zone $1 are sent by server $2. This is an indication
# that the zone is signed with the active keys, and the changes have been
# committed.
wait_for_notifies () {
	wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1
Matthijs Mekking's avatar
Matthijs Mekking committed
58
59
}

# Count RRSIGs per expiration day.
#
# Arguments: $1 - file holding dig AXFR output
# Outputs:   "uniq -c" style "<count> <YYYYMMDD>" lines, one per day, with
#            the first and last day dropped
freq() {
	_file=$1
	# The day is the first 8 characters of the RRSIG expiration field ($9).
	# The first and last day hold incomplete sets that would skew the
	# distribution, so they are removed.
	awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" \
		| sort \
		| uniq -c \
		| sed -e '1d' -e '$d'
}
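# Check the signatures expiration times.  First check how many signatures
# there are in total ($rrsigs).  Then see what the distribution of signature
# expiration times is ($expiretimes).  Ignore the time part for a better
# modelled distribution.
#
# Arguments: $1 - file holding dig AXFR output
# Returns:   0 when every per-day bucket lies within mean +- 3 * stddev
#            (or when bc is unavailable, in which case the check is skipped),
#            1 when there are fewer than 5 buckets or an outlier is found
checkjitter () {
	_file=$1
	_ret=0

	# the standard deviation below needs bc; without it skip rather than fail
	if ! command -v bc >/dev/null 2>&1; then
		echo_i "skip: bc not available"
		return 0
	fi

	freq "$_file" | cat_i
	# one count per expiration-day bucket (first column of the uniq -c output)
	_expiretimes=$(freq "$_file" | awk '{print $1}')

	# Check if we have at least 5 days
	# This number has been tuned for `sig-validity-interval 10 2`, as
	# 1. 1. signature expiration dates should be spread out across at most 8 (10-2) days
	# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
	# 3. we substract one more day to allow test pass on day boundaries, etc. leaving us with 5 (6-1) days
	#
	# The positional parameters are function-local, so they serve as the
	# list of bucket counts; word-splitting on newlines is intended here.
	# shellcheck disable=SC2086
	set -- $_expiretimes
	_count=$#
	if [ "$_count" -lt 5 ]; then
		echo_i "error: not enough categories"
		return 1
	fi

	# Calculate mean (integer division)
	_total=0
	for _num in "$@"
	do
		_total=$((_total+_num))
	done
	_mean=$((_total / _count))

	# Calculate stddev; bc runs at its default scale 0, so both the division
	# and the square root are truncated to integers
	_stddev=0
	for _num in "$@"
	do
		_stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc)
	done
	_stddev=$(echo "sqrt($_stddev/$_count)" | bc)

	# We expect the number of signatures not to exceed the mean +- 3 * stddev.
	_limit=$((_stddev*3))
	_low=$((_mean-_limit))
	_high=$((_mean+_limit))

	# Find outliers.
	echo_i "checking whether all frequencies fall into <$_low;$_high> range"
	for _num in "$@"
	do
		if [ "$_num" -gt "$_high" ]; then
			echo_i "error: too many RRSIG records ($_num) in expiration bucket"
			_ret=1
		fi
		if [ "$_num" -lt "$_low" ]; then
			echo_i "error: too few RRSIG records ($_num) in expiration bucket"
			_ret=1
		fi
	done

	return $_ret
}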

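#
#  The NSEC record at the apex of the zone and its RRSIG records are
#  added as part of the last step in signing a zone.  We wait for the
#  NSEC records to appear before proceeding with a counter to prevent
#  infinite loops if there is a error.
#
echo_i "waiting for autosign changes to take effect"
i=0
while [ "$i" -lt 30 ]
do
	ret=0
	#
	# Wait for the root DNSKEY RRset to be fully signed.
	#
	$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
	grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
	# Each zone's apex NSEC must list both NS and SOA in its type bitmap.
	for z in .
	do
		$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
	done
	for z in bar. example. private.secure.example.
	do
		$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
	done
	for z in bar. example. inacksk2.example. inacksk3.example \
		 inaczsk2.example. inaczsk3.example
	do
		$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
	done
	i=$((i + 1))
	if [ "$ret" = 0 ]; then break; fi
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
# Leaving the loop with ret != 0 means all 30 attempts were exhausted.  That
# is counted in $status like every other check, so report it with the same
# "failed" wording the other checks use (it used to print "done").
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))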

echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"

#######################################
# Print, for each zone named in $2.., how many RRSIGs share each expiration
# value (field 9 of an RRSIG line in the AXFR).  Informational only: nothing
# is checked and $ret/$status are untouched.
# Arguments: $1 - server address, $2.. - zones to transfer from it
#######################################
rrsig_expiry_counts () {
	_server=$1
	shift
	for z in "$@"
	do
		echo_i zone $z
		$DIG $DIGOPTS $z @"$_server" axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
	done
}
rrsig_expiry_counts 10.53.0.1 .
rrsig_expiry_counts 10.53.0.2 bar. example. private.secure.example.
rrsig_expiry_counts 10.53.0.3 inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example

# Set logfile offset for wait_for_log usage.
nextpartreset ns3/named.run

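#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_i "  resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo_i "  is initially signed with a KSK and not a ZSK. ($n)"
ret=0
# a failed transfer is now counted (it used to leave ret untouched)
$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n || ret=1

# Key tag of the ZSK (DNSKEY flags 256): feed that DNSKEY line to
# dnssec-dsfromkey (-A so ZSKs are not skipped) and take field 4 of the DS.
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')

# There must be an algorithm-7 RRSIG over DNSKEY ...
grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1

# ... and none of them may carry the ZSK's key tag.
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1

# Exactly one RRSIG(DNSKEY) and exactly three DNSKEYs are expected.
count=$(awk 'BEGIN { count = 0 }
	    $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
	    END {print count}' dig.out.ns3.test$n)
test "$count" -eq 1 || ret=1

count=$(awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' dig.out.ns3.test$n)
test "$count" -eq 3 || ret=1

# Key tag (field 11) of the key that signed DNSKEY, zero-padded to the five
# digits used in key file names.  (The awk program used to live in a shell
# variable named "awk", shadowing the command name; it is inlined here, as
# the matching ZSK check below does.)
id=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' dig.out.ns3.test$n)

# Set that KSK's delete time (-D) and make ns3 reload its keys.  rndc's own
# status is checked before its output is relayed through cat_i: in a
# "(rndc | sed | cat_i) || ret=1" pipeline only cat_i's status would be seen.
$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > settime.out.test$n || ret=1
$RNDCCMD 10.53.0.3 loadkeys inacksk3.example > rndc.out.ns3.test$n 2>&1 || ret=1
sed 's/^/ns3 /' rndc.out.ns3.test$n | cat_i

n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))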

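#
# Check that zone is initially signed with a ZSK and not a KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_i "  resigned after the active ZSK is deleted - stage 1: Verify that zone"
echo_i "  is initially signed with a ZSK and not a KSK. ($n)"
ret=0
# a failed transfer is now counted (it used to leave ret untouched)
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n || ret=1

# Key tag of the KSK (DNSKEY flags 257): feed that DNSKEY line to
# dnssec-dsfromkey and take field 4 of the resulting DS.
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )

# There must be an algorithm-7 RRSIG over CNAME ...
grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
# ... and none of them may carry the KSK's key tag.
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1

# Exactly one RRSIG(CNAME) and exactly three DNSKEYs are expected.
count=$(awk 'BEGIN { count = 0 }
	    $4 == "RRSIG" && $5 == "CNAME" { count++ }
	    END {print count}' dig.out.ns3.test$n)
test "$count" -eq 1 || ret=1
count=$(awk 'BEGIN { count = 0 }
       $4 == "DNSKEY" { count++ }
       END {print count}' dig.out.ns3.test$n)
test "$count" -eq 3 || ret=1

# Key tag (field 11) of the key that signed CNAME, zero-padded to the five
# digits used in key file names.
id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n)

# Set that ZSK's delete time (-D) and make ns3 reload its keys.  rndc's own
# status is checked before its output is relayed through cat_i: in a
# "(rndc | sed | cat_i) || ret=1" pipeline only cat_i's status would be seen.
$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > settime.out.test$n || ret=1
$RNDCCMD 10.53.0.3 loadkeys inaczsk3.example > rndc.out.ns3.test$n 2>&1 || ret=1
sed 's/^/ns3 /' rndc.out.ns3.test$n | cat_i

n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))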

echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# Neither zone may carry an NSEC3PARAM yet, so both answer sections must be
# empty; a matching grep is therefore a failure.
if ! $DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n; then
	ret=1
fi
if grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null; then
	ret=1
fi
if ! $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n; then
	ret=1
fi
if grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
# This zone starts out with an NSEC3 chain, so an NSEC3PARAM must be present.
if ! $DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n; then
	ret=1
fi
if ! grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "converting zones from nsec to nsec3"
# Adding an NSEC3PARAM record through a dynamic update asks named to build an
# NSEC3 chain for the zone (flags value 1 requests opt-out).  Note that a
# failed nsupdate sets status to 1 rather than adding to it.
if ! $NSUPDATE <<END > /dev/null 2>&1
server 10.53.0.3 ${PORT}
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.nsec3.example.
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.optout.example.
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone optout.example.
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END
then
	status=1
fi

# try to convert nsec.example; this should fail due to non-NSEC key
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
# The exit status is deliberately not checked and $n is not advanced: the
# update is expected to be refused, and nsupdate.out is examined by the
# "NSEC->NSEC3 conversion failed with NSEC-only key" check further down.
$NSUPDATE <<END > nsupdate.out 2>&1
server 10.53.0.3 ${PORT}
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END

echo_i "checking for nsec3param in unsigned zone ($n)"
ret=0
# autonsec3.example. is not signed yet, so the NSEC3PARAM added above must
# not be visible in the answer section.
if ! $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n; then
	ret=1
fi
if grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking for nsec3param signing record ($n)"
ret=0
# rndc's own status is not checked; the pending-chain line in its output is
# what the check is about.
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
if ! grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "resetting nsec3param via rndc signing ($n)"
ret=0
# Drop any queued signing state, request a new NSEC3 chain (opt-out flag,
# 10 iterations, salt beef), then poll until exactly that one chain is pending.
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
	if ! grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null; then
		ret=1
	fi
	num=$(grep -c "Pending " signing.out.test$n)
	[ "$num" -eq 1 ] || ret=1
	if [ "$ret" -eq 0 ]; then
		break
	fi
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

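echo_i "signing preset nsec3 zone"
# ret is reset so a stale value from the previous check cannot leak in.
ret=0
zsk=$(cat autozsk.key)
ksk=$(cat autoksk.key)
# Publish (-P) and activate (-A) both keys now, then have ns3 reload them.
$SETTIME -K ns3 -P now -A now "$zsk" > settime.out.test$n.zsk || ret=1
$SETTIME -K ns3 -P now -A now "$ksk" > settime.out.test$n.ksk || ret=1
# rndc's own status is checked before its output is relayed through cat_i:
# in a "(rndc | sed | cat_i) || ret=1" pipeline only cat_i's status is seen.
$RNDCCMD 10.53.0.3 loadkeys autonsec3.example. > rndc.out.ns3.test$n 2>&1 || ret=1
sed 's/^/ns3 /' rndc.out.ns3.test$n | cat_i
# This is a setup step rather than a numbered check ($n is not advanced),
# but its failures used to be lost when the next check reset ret.  They are
# reported here so a zone that likely never got signed is not silently
# carried into the following checks.
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "waiting for changes to take effect"
sleep 3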

echo_i "converting zone from nsec3 to nsec"
# Deleting the NSEC3PARAM record through a dynamic update asks named to go
# back to an NSEC chain.  A failed nsupdate sets status to 1 rather than
# adding to it.
if ! $NSUPDATE <<END > /dev/null 2>&1
server 10.53.0.3 ${PORT}
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END
then
	status=1
fi

echo_i "waiting for change to take effect"
sleep 3

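echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
# Fail if the journal records a deletion ("del") of an RRSIG whose key tag
# (field 12) is this key's.  The match sets a flag that END turns into the
# exit status: the former 'exit 1 ... END {exit 0}' form was always
# overridden to 0 by the END action, so that check could never fail.
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
   awk -v id="$missing" 'BEGIN { found = 0 }
	$1 == "del" && $5 == "RRSIG" && $12 == id { found = 1; exit }
	END { exit found }' || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
# same check as above for the inactive key's tag
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
   awk -v id="$inactive" 'BEGIN { found = 0 }
	$1 == "del" && $5 == "RRSIG" && $12 == id { found = 1; exit }
	END { exit found }' || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))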

echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
ret=0
# $missing was derived from missingzsk.key by the journal check above;
# the log line must appear exactly once in ns3's named.run.
loglines=$(grep -c "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
ret=0
# likewise for $inactive, derived from inactivezsk.key
loglines=$(grep -c "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

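# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo_i "dumping zone files"
# ret is not reset here; whatever it ends up as is folded into the
# "checking expired signatures were updated" check below, which does not
# reset it either.  Each rndc's status is captured before its output is
# relayed through cat_i: the former "(rndc | sed | cat_i) || ret=1" form
# only saw cat_i's status, so a failed sync went unnoticed.
for srv in 1 2 3
do
	$RNDCCMD 10.53.0.$srv sync > rndc.sync.ns$srv.test$n 2>&1 || ret=1
	sed "s/^/ns$srv /" rndc.sync.ns$srv.test$n | cat_i
done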

# Current UTC time as YYYYMMDDHHMMSS, the same form RRSIG expiration fields
# are printed in, so check_expiry can compare the two as integers.
now=$(TZ=UTC date '+%Y%m%d%H%M%S')
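# Transfer oldsigs.example from ns3 and verify that no RRSIG has expired.
# Runs in a subshell so nothing leaks into the caller; meant to be polled
# via "retry".
#
# Globals:   DIG, DIGOPTS, n (read), now (read)
# Returns:   0 when every RRSIG expiration (field 9) is later than $now,
#            1 when the transfer fails, yields no RRSIG at all, or the
#            earliest expiration is not in the future
check_expiry() (
	$DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n || return 1
	nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)"
	# An empty transfer used to pass vacuously: "[ '' -le ... ]" is an error,
	# which the if treated as false.
	if [ -z "$nearest_expiration" ]; then
		echo_i "failed: no RRSIG records in transfer"
		return 1
	fi
	if [ "$nearest_expiration" -le "$now" ]; then
		echo_i "failed: $nearest_expiration <= $now"
		return 1
	fi
)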

echo_i "checking expired signatures were updated ($n)"
# ret is not reset here, so a failure in the preceding "dumping zone files"
# step is reported by this check.
if ! retry 10 check_expiry; then
	ret=1
fi
# the authoritative answer and the validating resolver's must agree, and
# the resolver must set AD
if ! $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Check jitter distribution.
echo_i "checking expired signatures were jittered correctly ($n)"
ret=0
# checkjitter examines the per-day spread of RRSIG expirations in the AXFR
# (and returns 0 with a "skip" message when bc is not installed)
if ! $DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n; then
	ret=1
fi
checkjitter dig.out.ns3.test$n || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
# the zone must now answer NSEC3PARAM with NOERROR ...
if ! $DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n; then
	ret=1
fi
grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
# ... and a nonexistent name must validate (AD) as NXDOMAIN through the resolver
if ! $DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking direct NSEC3 autosigning succeeded ($n)"
ret=0
# the answer section must be non-empty and contain an NSEC3PARAM ...
if ! $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n; then
	ret=1
fi
[ -s  dig.out.ns3.ok.test$n ] || ret=1
grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
# ... and a nonexistent name must validate (AD) as NXDOMAIN through the resolver
if ! $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
# nsupdate.out was written by the "preset nsec3param in unsigned zone"
# update above, which is expected to have been refused
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file:
if ! $DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n; then
	ret=1
fi
if grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null; then
	ret=1
fi
# a nonexistent name must still validate (AD) as NXDOMAIN through the resolver
if ! $DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
ret=0
# Ask named to drop the NSEC3 chain.  rndc's status is not checked here,
# presumably because the effect is verified by polling no_nsec3param below.
$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
# this command should result in an empty file:
489
490
491
492
493
494
# Succeeds only when autonsec3.example. answers the NSEC3PARAM query without
# any NSEC3PARAM record.  Runs in a subshell so nothing leaks into the caller;
# meant to be polled via "retry_quiet".
#
# Globals:   DIG, DIGOPTS, n (read)
# Returns:   0 on an empty answer section, 1 if dig fails or a record is present
no_nsec3param() (
 if ! $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n; then
  return 1
 fi
 if grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null; then
  return 1
 fi
 return 0
)
# poll up to 10 times for the NSEC3PARAM to disappear
if ! retry_quiet 10 no_nsec3param; then
	ret=1
fi
# a nonexistent name must still validate (AD) as NXDOMAIN through the resolver
if ! $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

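#######################################
# Verify that every DNSKEY record in a zone carries the expected TTL.
# Globals:   n, ret, status (updated like every numbered check)
# Arguments: $1 - label for the check message
#            $2 - zone name
#            $3 - expected TTL
#######################################
check_dnskey_ttl () {
	echo_i "checking TTLs of imported DNSKEYs ($1) ($n)"
	ret=0
	$DIG $DIGOPTS +tcp +noall +answer dnskey "$2" @10.53.0.3 > dig.out.ns3.test$n || ret=1
	[ -s dig.out.ns3.test$n ] || ret=1
	# awk's exit status (1 when any TTL differs) is captured directly.  In the
	# former "(awk ... | cat_i) || ret=1" form the pipeline's status was
	# cat_i's, so a wrong TTL was printed but never counted as a failure
	# (unless cat_i happens to propagate it).
	awk -v want="$3" 'BEGIN {r=0} $2 != want {r=1; print "found TTL " $2} END {exit r}' \
		dig.out.ns3.test$n > ttl.out.ns3.test$n || ret=1
	cat_i < ttl.out.ns3.test$n
	n=$((n + 1))
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}
check_dnskey_ttl "no default" ttl1.example. 300
check_dnskey_ttl "with default" ttl2.example. 60
check_dnskey_ttl "mismatched" ttl3.example. 30
check_dnskey_ttl "existing RRset" ttl4.example. 30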

#######################################
# Positive-validation check: the authoritative server and 10.53.0.4 (presumably
# the validating resolver) must return the same answer, and the latter must
# set the AD flag.
# Globals:   n, ret, status (updated like every numbered check)
# Arguments: $1 - label for the check message
#            $2 - name to query (type A)
#            $3 - authoritative server address
#            $4 - tag used in the authoritative dig output file name
#######################################
check_positive_validation () {
	echo_i "checking positive validation $1 ($n)"
	ret=0
	$DIG $DIGOPTS +noauth "$2" @"$3" a > dig.out.$4.test$n || ret=1
	$DIG $DIGOPTS +noauth "$2" @10.53.0.4 a > dig.out.ns4.test$n || ret=1
	digcomp dig.out.$4.test$n dig.out.ns4.test$n || ret=1
	grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
	n=$((n + 1))
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}
check_positive_validation NSEC a.example. 10.53.0.2 ns2
check_positive_validation NSEC3 a.nsec3.example. 10.53.0.3 ns3
check_positive_validation OPTOUT a.optout.example. 10.53.0.3 ns3

#######################################
# NXDOMAIN validation check: authoritative server and 10.53.0.4 must agree,
# the answer must be NXDOMAIN, and the AD flag must be set ($5 = yes) or
# absent ($5 = no, the opt-out case where no proof can be validated).
# Globals:   n, ret, status (updated like every numbered check)
# Arguments: $1 - label for the check message
#            $2 - name to query (type A)
#            $3 - authoritative server address
#            $4 - tag used in the authoritative dig output file name
#            $5 - "yes" when AD is required, "no" when it must be absent
#######################################
check_nxdomain_validation () {
	echo_i "checking negative validation NXDOMAIN $1 ($n)"
	ret=0
	$DIG $DIGOPTS +noauth "$2" @"$3" a > dig.out.$4.test$n || ret=1
	$DIG $DIGOPTS +noauth "$2" @10.53.0.4 a > dig.out.ns4.test$n || ret=1
	digcomp dig.out.$4.test$n dig.out.ns4.test$n || ret=1
	grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
	if [ "$5" = yes ]; then
		grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
	else
		# Note - this is looking for failure, hence the &&
		grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
	fi
	n=$((n + 1))
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}
check_nxdomain_validation NSEC q.example. 10.53.0.2 ns2 yes
check_nxdomain_validation NSEC3 q.nsec3.example. 10.53.0.3 ns3 yes
check_nxdomain_validation OPTOUT q.optout.example. 10.53.0.3 ns3 no

#######################################
# NODATA validation check: a TXT query for an existing name must come back
# NOERROR with an empty answer section from both the authoritative server and
# 10.53.0.4, and the latter must set the AD flag.
# Globals:   n, ret, status (updated like every numbered check)
# Arguments: $1 - label for the check message
#            $2 - name to query (type TXT)
#            $3 - authoritative server address
#            $4 - tag used in the authoritative dig output file name
#######################################
check_nodata_validation () {
	echo_i "checking negative validation NODATA $1 ($n)"
	ret=0
	$DIG $DIGOPTS +noauth "$2" @"$3" txt > dig.out.$4.test$n || ret=1
	$DIG $DIGOPTS +noauth "$2" @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
	digcomp dig.out.$4.test$n dig.out.ns4.test$n || ret=1
	grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
	grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
	grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
	n=$((n + 1))
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
}
check_nodata_validation NSEC a.example. 10.53.0.2 ns2
check_nodata_validation NSEC3 a.nsec3.example. 10.53.0.3 ns3
check_nodata_validation OPTOUT a.optout.example. 10.53.0.3 ns3

# Check the insecure.example domain

echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
# An insecure delegation must resolve (NOERROR) but cannot be validated,
# so the AD flag must be absent on the resolver's answer.
if ! $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
if grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
# same idea for a nonexistent name: NXDOMAIN, no AD (note: no +noauth here)
if ! $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 > dig.out.ns3.test$n; then
	ret=1
fi
if ! $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 > dig.out.ns4.test$n; then
	ret=1
fi
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
if grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null; then
	ret=1
fi
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Check the secure.example domain

# Multi-stage positive validation, NSEC parent / NSEC child: the answer for
# a.secure.example must validate through both zones of the chain, so ns4
# has to match ns3's answer, return NOERROR and set AD.  +noauth drops the
# authority section from both outputs before digcomp compares them.
echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, NSEC parent / NSEC3 child: a.nsec3.example
# must validate through the NSEC-signed example zone and the NSEC3-signed
# child.  ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, NSEC parent / opt-out NSEC3 child:
# a.optout.example exists and is signed, so opt-out in the child must not
# prevent a full validation.  ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, NSEC3 parent / NSEC child:
# a.secure.nsec3.example sits in an NSEC-signed zone delegated from the
# NSEC3-signed nsec3.example.  ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, NSEC3 parent / NSEC3 child:
# a.nsec3.nsec3.example must validate through two NSEC3-signed zones.
# ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, NSEC3 parent / opt-out NSEC3 child:
# a.optout.nsec3.example is signed data below an NSEC3 parent, so it must
# validate fully.  ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, opt-out NSEC3 parent / NSEC child:
# a.secure.optout.example is reached through a delegation from an opt-out
# zone; the child is signed (DS present), so validation must still succeed.
# ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, opt-out NSEC3 parent / NSEC3 child:
# a.nsec3.optout.example must validate through a secure delegation out of
# an opt-out zone.  ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Multi-stage positive validation, opt-out parent / opt-out child:
# a.optout.optout.example must validate across two opt-out NSEC3 zones.
# ns4 must match ns3, answer NOERROR and set AD.
echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

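# NODATA for empty.optout.example (presumably an empty non-terminal) under
# an opt-out NSEC3 span.  The title promises a NODATA answer, so assert an
# empty answer section as the sibling "NODATA OPTOUT" test does, instead of
# accepting any NOERROR response.  The AD check stays commented out:
# presumably a name inside an opt-out span cannot be proven secure, so AD
# is not required -- confirm against the zone setup before re-enabling it.
echo_i "checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))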

# Check the insecure.secure.example domain (insecurity proof)

# Insecurity proof across two servers: insecure.secure.example is served by
# ns2 and is (per the test title) an unsigned zone below the signed
# secure.example.  ns4 must return ns2's answer with NOERROR but without
# AD -- an insecure delegation yields unvalidated, not validated, data.
echo_i "checking 2-server insecurity proof ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# Inverted check: AD must be absent.
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check a negative response in insecure.secure.example

# Same two-server insecure delegation, negative answer: q.insecure.secure.example
# does not exist, so ns4 must relay ns2's NXDOMAIN unchanged and must not
# set AD.  The authority section is kept so digcomp compares the SOA too.
echo_i "checking 2-server insecurity proof with a negative answer ($n)"
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Inverted check: AD must be absent.
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

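# Validated answer for the root itself.  Note the query type is "key"
# (dig's name for the KEY RR, not DNSKEY); what is asserted is only that
# the root answer validates (NOERROR with AD set) -- presumably a validated
# NODATA; verify the intent before switching the type to dnskey.
# The status check is anchored on "status: NOERROR" like the rest of the
# file, rather than a bare "NOERROR" that could match anywhere in the output.
echo_i "checking security root query ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.4 key >dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))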

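# Positive validation of a zone signed with RSASHA256 (NSEC).  Besides
# requiring AD on ns4's answer, assert NOERROR as the other positive tests
# do: AD alone can also be set on a validated negative answer, which is not
# what this test is meant to prove.
echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))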

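# Positive validation of a zone signed with RSASHA512 (NSEC).  As with the
# RSASHA256 case, require both NOERROR and AD on ns4's answer so that a
# validated negative response cannot satisfy a "positive validation" test.
echo_i "checking positive validation RSASHA512 NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))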

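# Positive validation in private.secure.example, served by ns2 and (per the
# test title) "privately secure", i.e. trusted through a locally configured
# anchor rather than the parent chain -- verify against the ns4 config.
# ns4 must match ns2, answer NOERROR and set AD.  The status grep is
# anchored on "status: NOERROR" for consistency with the other tests.
echo_i "checking that positive validation in a privately secure zone works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))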

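# Negative answer in the privately secure zone: q.private.secure.example
# does not exist.  ns4 must relay ns2's NXDOMAIN and must NOT set AD (this
# test expects the denial to be unvalidated; contrast with the
# "privately secure to nxdomain" test that follows).  The status grep is
# anchored on "status: NXDOMAIN" like the rest of the file.
echo_i "checking that negative validation in a privately secure zone works ($n)"
ret=0
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Inverted check: AD must be absent.
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))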

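# SOA query for a non-existent name in the privately secure zone, asked of
# ns4 only: the NXDOMAIN itself must be validated (AD set).  The status
# grep is anchored on "status: NXDOMAIN" like the rest of the file.
echo_i "checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 >dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))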

# Try validating with a revoked trusted key.
# This should fail.

# ns5 is configured with a revoked key as its trust anchor (see the comment
# above).  A revoked anchor must not be used for validation, so the SOA for
# example. must come back without AD.  The first grep only confirms a
# flags line -- i.e. an actual response -- so that a missing answer does not
# let the inverted AD check pass vacuously.
echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
grep "flags:.*; QUERY" dig.out.ns5.test$n >/dev/null || ret=1
# Inverted check: AD must be absent.
grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# The revoked key must still be published in the root DNSKEY RRset on ns1
# (a revoked key is kept in the zone so validators can observe the
# revocation).  rev.key is read as the key id directly, unlike the later
# tests that go through keyfile_to_key_id -- presumably the setup writes
# the id there; confirm in setup.sh.  $id is a number from a local file,
# so interpolating it into the grep pattern is safe.
echo_i "checking that revoked key is present ($n)"
ret=0
id=$(cat rev.key)
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# A revoked key must sign the DNSKEY RRset it appears in (the self-signature
# is what proves the revocation).  Look for an RRSIG whose key tag is $id
# and whose signer name is the root (". ").
echo_i "checking that revoked key self-signs ($n)"
ret=0
id=$(cat rev.key)
$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

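# A key with a publish date in the future must not appear in the root
# DNSKEY RRset.  The absence check (grep && ret=1) would pass vacuously on
# a SERVFAIL or empty response -- dig exits 0 on SERVFAIL -- so first
# require a NOERROR answer to make the negative assertion meaningful.
echo_i "checking for unpublished key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat unpub.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
# Inverted check: the key id must NOT be present.
grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))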

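# A key that is active now but not published until a day later must not be
# in the DNSKEY RRset yet.  As with the unpublished-key test, require a
# NOERROR response first so the absence check cannot pass vacuously on an
# error or empty answer.
echo_i "checking for activated but unpublished key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
# Inverted check: the key id must NOT be present.
grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))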

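# A standby (published but not yet active) key must not produce RRSIGs.
# Require a NOERROR answer before the inverted RRSIG grep, otherwise a
# failed or empty response would satisfy the "no signature" check.
echo_i "checking that standby key does not sign records ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat standby.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
# Inverted check: no RRSIG with key tag $id and signer "." may exist.
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))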

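# A deactivated key must no longer produce RRSIGs.  Require a NOERROR
# answer before the inverted RRSIG grep so that an error or empty response
# cannot make the test pass vacuously.
echo_i "checking that deactivated key does not sign records  ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat inact.key)")
$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1
# Inverted check: no RRSIG with key tag $id and signer "." may exist.
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))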

echo_i "checking insertion of public-only key ($n)"
ret=0
id=$(keyfile_to_key_id "$(cat nopriv.key)")
file="ns1/`cat nopriv.key`.key"
keydata=`grep DNSKEY $file`
$NSUPDATE > /dev/null 2>&1 <<END	|| status=1