#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="+tcp +dnssec -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

# wait_for_serial SERVER ZONE SERIAL OUTFILE
#
# Ask SERVER for the SOA record of ZONE, saving the raw dig output in
# OUTFILE, and succeed only when the serial found in that output equals
# SERIAL.  The body is a subshell, so the variables assigned here do not
# leak into the caller.
wait_for_serial() (
    server=$1 zone=$2 expected=$3 outfile=$4
    $DIG $DIGOPTS "@$server" "$zone" SOA > "$outfile"
    # Column 7 of the line whose type column reads SOA is compared
    # against the expected serial.
    found=$(awk '$4 == "SOA" { print $7 }' "$outfile")
    # Substitute -1 when no SOA line was seen so the numeric comparison
    # still has an operand.
    test "$expected" -eq "${found:--1}"
)

status=0
n=0

$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1

for i in 1 2 3 4 5 6 7 8 9 0
do
	nsec3param=`$DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.`
	test "$nsec3param" = "1 0 0 -" && break
	sleep 1
done

n=`expr $n + 1`
echo_i "checking that an unsupported algorithm is not used for signing ($n)"
ret=0
grep -q "algorithm is unsupported" ns3/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that rrsigs are replaced with ksk only ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
	awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that the zone is signed on initial transfer ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
	keys=`grep '^Done signing' signing.out.test$n | wc -l`
	[ $keys = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking expired signatures are updated on load ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
[ "$expiry" = "20110101000000" ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

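n=$((n + 1))
echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# Clear only the first listed key.  The loop is deliberately not the head
# of a pipeline: a pipeline stage runs in a subshell, so ret=1 set there
# never reaches the final check and a failing 'rndc signing -clear' would
# go unnoticed.  stderr is captured and logged after the loop instead.
clear_err=
for key in $keys; do
	clear_err=$($RNDCCMD 10.53.0.3 signing -clear "${key}" bits 2>&1 > /dev/null) || ret=1
	break	# We only want to remove 1 record for now.
done
[ -z "$clear_err" ] || printf '%s\n' "$clear_err" | sed 's/^/ns3 /' | cat_i

# Poll until exactly one "Done signing with" record is left.  ans starts
# as a failure and is cleared only on success, so running out of retries
# fails the test instead of passing silently.
ans=1
for i in 1 2 3 4 5 6 7 8 9 10
do
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n)
	if [ "$num" -eq 1 ]; then ans=0; break; fi
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))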

n=`expr $n + 1`
echo_i "checking private type was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1

for i in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
	[ $ans = 1 ] || break
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking negative private type response was properly signed ($n)"
ret=0
sleep 1
$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add added.bits 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo_i "checking that the record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that update has been transferred and has been signed ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
	keys=`grep '^Done signing' signing.out.test$n | wc -l`
	[ $keys = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add added.noixfr 0 A 1.2.3.4
send
EOF

n=`expr $n + 1`
echo_i "checking that the record is added on the hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that the master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list master  > signing.out.test$n 2>&1
	keys=`grep '^Done signing' signing.out.test$n | wc -l`
	[ $keys = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

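n=$((n + 1))
echo_i "checking removal of private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
# Clear only the first listed key.  The loop is deliberately not the head
# of a pipeline: a pipeline stage runs in a subshell, so ret=1 set there
# never reaches the final check and a failing 'rndc signing -clear' would
# go unnoticed.  stderr is captured and logged after the loop instead.
clear_err=
for key in $keys; do
	clear_err=$($RNDCCMD 10.53.0.3 signing -clear "${key}" master 2>&1 > /dev/null) || ret=1
	break	# We only want to remove 1 record for now.
done
[ -z "$clear_err" ] || printf '%s\n' "$clear_err" | sed 's/^/ns3 /' | cat_i

# Poll until exactly one "Done signing with" record is left.  ans starts
# as a failure and is cleared only on success, so running out of retries
# fails the test instead of passing silently.
ans=1
for i in 1 2 3 4 5 6 7 8 9
do
	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
	num=$(grep -c "Done signing with" signing.out.test$n)
	if [ "$num" -eq 1 ]; then ans=0; break; fi
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))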

n=`expr $n + 1`
echo_i "checking private type was properly signed (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
	[ $ans = 1 ] || break
	sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check adding of record to unsigned master ($n)"
ret=0
cp ns3/master2.db.in ns3/master.db
rndc_reload ns3 10.53.0.3 master
for i in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
	grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
	[ $ans = 1 ] || break
	sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check adding record fails when SOA serial not changed ($n)"
ret=0
echo "c A 10.0.0.3" >> ns3/master.db
rndc_reload ns3 10.53.0.3
sleep 1
$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check adding record works after updating SOA serial ($n)"
ret=0
cp ns3/master3.db.in ns3/master.db
$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
for i in 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
	grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
	[ $ans = 1 ] || break
	sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

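n=$((n + 1))
echo_i "check the added record was properly signed ($n)"
ret=0
# The result greps must set ret, the variable the final check reads;
# setting ans here left this signature check unable to fail.
# NOTE(review): the query is sent to 10.53.0.6 to match the dig.out.ns6
# output name and the other "properly signed" checks in this file, which
# look for the ad flag in answers from that server.  The original asked
# 10.53.0.3 -- confirm against the ns6 configuration.
$DIG $DIGOPTS @10.53.0.6 e.master A > dig.out.ns6.test$n
grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))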

n=`expr $n + 1`
echo_i "checking that the dynamic master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
	keys=`grep '^Done signing' signing.out.test$n | wc -l`
	[ $keys = 2 ] || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking master zone that was updated while offline is correct ($n)"
ret=0
$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n
serial=`awk '{print $3}' dig.out.ns2.soa.test$n`
# serial should have changed
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
serial=`awk '/Source serial =/ {print $4}' journalprint.out.test$n`
[ "$serial" = "2000042408" ] || ret=1
diffsize=`wc -l < journalprint.out.test$n`
[ "$diffsize" -le 13 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking adding of record to unsigned master using UPDATE ($n)"
ret=0

[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 ${PORT}
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; }

for i in 1 2 3 4 5 6 7 8 9 10
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
	grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; }

if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl inline ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart --port ${PORT} inline ns3 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.3 ${PORT}
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking forwarded update on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking forwarded update on signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 ${PORT}
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo_i "checking forwarded update on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking forwarded update on signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

ret=0
n=`expr $n + 1`
echo_i "checking turning on of inline signing in a slave zone via reload ($n)"
$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "setup broken"; fi
status=`expr $status + $ret`
copy_setports ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -a rsasha256 bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -a rsasha256 -f KSK bits) > /dev/null 2>&1
rndc_reload ns5 10.53.0.5
for i in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n
	grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
	grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
	if [ $ret = 0 ]; then break; fi
	sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

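n=$((n + 1))
echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
# On failure, say which rndc command failed and replay its captured output
# into the test log; the original message was a leftover fragment of a sed
# expression and printed nothing useful.
$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "rndc freeze dynamic failed"; cat_i < freeze.test$n; ret=1; }
sleep 1
$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; }
sleep 1
# Nothing was edited while the zone was frozen, so the thaw must leave the
# "unchanged" message for the unsigned zone in the ns3 log.
grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))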


n=`expr $n + 1`
echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check added record freeze1.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# allow 1 second so that file time stamps change
sleep 1

n=`expr $n + 1`
echo_i "checking rndc freeze/thaw of server ($n)"
ret=0
$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check added record freeze2.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check rndc sync removes both signed and unsigned journals ($n)"
ret=0
[ -f ns3/dynamic.db.jnl ] || ret=1
[ -f ns3/dynamic.db.signed.jnl ] || ret=1
$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
[ -f ns3/dynamic.db.jnl ] && ret=1
[ -f ns3/dynamic.db.signed.jnl ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
721 722
status=`expr $status + $ret`

# Add added.retransfer/A to the "retransfer" zone with a dynamic update sent to
# 10.53.0.2.  The exit status of nsupdate is not checked; a rejected update is
# detected by the query that follows.
$NSUPDATE << EOF
zone retransfer
server 10.53.0.2 ${PORT}
update add added.retransfer 0 A 1.2.3.4
send

EOF

# Test: the new record must be served by 10.53.0.2 with NOERROR and exactly
# one answer record.
n=$((n + 1))
echo_i "checking that the retransfer record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 added.retransfer A > "dig.out.ns2.test$n"
grep -q "status: NOERROR" "dig.out.ns2.test$n" || ret=1
grep -q "ANSWER: 1," "dig.out.ns2.test$n" || ret=1
if [ "$ret" -ne 0 ]
then
    echo_i "failed"
fi
status=$((status + ret))

# Negative test: for ten attempts, one second apart, ns3 must not answer
# added.retransfer/A with NOERROR.  The loop stops early (ans=0) as soon as a
# NOERROR answer is seen, and that early stop is the failure case.
# NOTE(review): a query that gets no reply at all also leaves ans=1, so this
# check cannot tell "record not transferred" from "ns3 not answering".
n=$((n + 1))
echo_i "checking that the change has not been transferred due to notify ($n)"
ret=0
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 added.retransfer A > "dig.out.ns3.test$n"
    if grep -q "status: NOERROR" "dig.out.ns3.test$n"
    then
        break
    fi
    ans=1
    sleep 1
done
if [ "$ans" -ne 1 ]
then
    echo_i "failed"
    ret=1
fi
status=$((status + ret))

# Test: after an explicit "rndc retransfer" of the "retransfer" zone, ns3 must
# answer added.retransfer/A with NOERROR and two answer records within ten
# attempts, one second apart.  Presumably the second record is the RRSIG
# (DIGOPTS carries +dnssec) -- confirm against the zone setup.
n=$((n + 1))
echo_i "check rndc retransfer of a inline slave zone works ($n)"
ret=0
$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 added.retransfer A > "dig.out.ns3.test$n"
    if grep -q "status: NOERROR" "dig.out.ns3.test$n" &&
       grep -q "ANSWER: 2," "dig.out.ns3.test$n"
    then
        break
    fi
    ans=1
    sleep 1
done
# ans is still 1 only when every attempt failed.
if [ "$ans" -eq 1 ]
then
    ret=1
fi
if [ "$ret" -ne 0 ]
then
    echo_i "failed"
fi
status=$((status + ret))

n=$((n + 1))
echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
ret=0
# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
# so ns3 should not have been able to load it yet and is expected to answer
# SERVFAIL for it.
$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > "dig.out.ns3.pre.test$n"
grep -q "status: SERVFAIL" "dig.out.ns3.pre.test$n" || ret=1
# Queue an "NSEC3 -> NSEC -> NSEC3" sequence; the only purpose of the sequence
# is to check that several queued "rndc signing -nsec3param" requests are all
# handled.  The arguments "1 0 0 -" are hash algorithm 1, flags 0, zero
# iterations and no salt.
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
# Let ns2 serve outgoing transfers of "retransfer3": the sed expression
# comments out every line of ns2/named.conf that matches
# "allow-transfer { none; };", then ns2 is told to re-read its configuration.
sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
mv ns2/named.conf.new ns2/named.conf
$RNDCCMD 10.53.0.2 reconfig || ret=1
# Ask ns3 to transfer "retransfer3" now.
$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
# Give ns3 up to ten attempts to finish building the NSEC3 chain.  Running out
# of attempts does not set ret=1 by itself: the query sent after the loop
# reports the problem in that case.
for i in 0 1 2 3 4 5 6 7 8 9
do
    $RNDCCMD 10.53.0.3 signing -list retransfer3 > "signing.out.test$n.$i" 2>&1
    keys_done=$(grep -c "Done signing" "signing.out.test$n.$i")
    nsec3_pending=$(grep -c "NSEC3 chain" "signing.out.test$n.$i")
    # Finished: two "Done signing" lines and no "NSEC3 chain" line left.
    if [ "$keys_done" -eq 2 ] && [ "$nsec3_pending" -eq 0 ]
    then
        break
    fi
    sleep 1
done
# A name that does not exist must now be denied with NSEC3 records.
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > "dig.out.ns3.post.test$n"
grep -q "status: NXDOMAIN" "dig.out.ns3.post.test$n" || ret=1
grep -q "NSEC3" "dig.out.ns3.post.test$n" || ret=1
if [ "$ret" -ne 0 ]
then
    echo_i "failed"
fi
status=$((status + ret))

n=`expr $n + 1`
echo_i "check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
	grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
	grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
	ans=0
	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
	grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
	grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
	[ $ans = 0 ] && break
	sleep 1
done
[ $ans = 1 ] && ret=1