#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Root of the system-test tree; conf.sh is expected to supply the tool
# variables ($DIG, $RNDC, $PERL, ...) and the helpers (echo_i, cat_i,
# digcomp) that this script uses but does not define.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# status: running sum of per-test results (0 = nothing failed so far);
# n: test counter, used to number the dig.out.*.test$n output files.
status=0
n=0

# Common dig options: TCP, trimmed output, DNSSEC records requested, and the
# test instance's port.  Deliberately expanded unquoted ($DIG $DIGOPTS ...)
# so the options word-split into separate arguments.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
# rndc invocation prefix; each caller appends the server address after -s.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

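# convert private-type records to readable form
#
# Arguments: $1 - zone name, $2 - address of the server to query
# Outputs:   a "-- zone server --" header, then one line per TYPE65534
#            record: "signing"/"removing", algorithm, key id and whether
#            the operation is complete
showprivate () {
    echo "-- $* --"
    $DIG $DIGOPTS +nodnssec +short @"$2" -t type65534 "$1" | cut -f3 -d' ' |
        while read -r record; do
            # $record is the hex rdata (third field of dig's "\# 5 <hex>"
            # output); the rdata is exactly 5 bytes: alg, key id (16 bit),
            # remove flag, complete flag
            $PERL -e 'my $rdata = pack("H*", $ARGV[0]);
                die "invalid record" unless length($rdata) == 5;
                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                my $action = "signing";
                $action = "removing" if $remove;
                my $state = " (incomplete)";
                $state = " (complete)" if $complete;
                print ("$action: alg: $alg, key: $key$state\n");' "$record"
        done
}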

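# check that signing records are marked as complete
#
# Arguments: $1 - zone name, $2 - server address (passed on to showprivate)
#            $3 - expected state, optional: 0 (default) means every record
#                 must be complete, 1 means an incomplete record is expected
# Outputs:   on mismatch, the decoded records followed by "failed"
# Returns:   0 when the observed state equals $3, 1 otherwise
checkprivate () {
    _ret=0
    expected="${3:-0}"
    x=$(showprivate "$@")
    # quoted so the multi-line output is searched as-is (no word splitting
    # or globbing of the decoded records)
    echo "$x" | grep incomplete >/dev/null && _ret=1

    if [ "$_ret" = "$expected" ]; then
        return 0
    fi

    echo "$x"
    echo_i "failed"
    return 1
}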

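#
#  The NSEC record at the apex of the zone and its RRSIG records are
#  added as part of the last step in signing a zone.  We wait for the
#  NSEC records to appear before proceeding with a counter to prevent
#  infinite loops if there is an error.
#
echo_i "waiting for autosign changes to take effect"
i=0
while [ "$i" -lt 30 ]; do
	ret=0
	#
	# Wait for the root DNSKEY RRset to be fully signed.
	#
	$DIG $DIGOPTS . @10.53.0.1 dnskey > "dig.out.ns1.test$n" || ret=1
	grep "ANSWER: 10," "dig.out.ns1.test$n" >/dev/null || ret=1
	# every signed zone must show its apex NSEC (type map with NS SOA)
	for z in .; do
		$DIG $DIGOPTS "$z" @10.53.0.1 nsec > "dig.out.ns1.test$n" || ret=1
		grep "NS SOA" "dig.out.ns1.test$n" >/dev/null || ret=1
	done
	for z in bar. example. private.secure.example.; do
		$DIG $DIGOPTS "$z" @10.53.0.2 nsec > "dig.out.ns2.test$n" || ret=1
		grep "NS SOA" "dig.out.ns2.test$n" >/dev/null || ret=1
	done
	for z in bar. example. inacksk2.example. inacksk3.example \
		 inaczsk2.example. inaczsk3.example; do
		$DIG $DIGOPTS "$z" @10.53.0.3 nsec > "dig.out.ns3.test$n" || ret=1
		grep "NS SOA" "dig.out.ns3.test$n" >/dev/null || ret=1
	done
	i=$((i + 1))
	[ "$ret" -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
# ret is still non-zero here only when all 30 attempts failed; report it
# as a failure (it used to print "done"), since it is added to status.
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))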

echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
# For each zone, AXFR it and histogram the RRSIG expiry field (field 9 of
# dig's presentation format); informational only, nothing is checked.
for z in .; do
	echo_i zone "$z"
	$DIG $DIGOPTS "$z" @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
for z in bar. example. private.secure.example.; do
	echo_i zone "$z"
	$DIG $DIGOPTS "$z" @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example; do
	echo_i zone "$z"
	$DIG $DIGOPTS "$z" @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done

#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
echo_i "check that zone with active and inactive KSK and active ZSK is properly"
echo_i "  resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
echo_i "  is initially signed with a KSK and not a ZSK. ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > "dig.out.ns3.test$n"

# key tag of the ZSK (DNSKEY flags 256), taken from the DS record that
# $DSFROMKEY derives from it (field 4 of a DS record is the key tag)
zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' "dig.out.ns3.test$n" |
       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
# an RRSIG over DNSKEY (alg 7, 2 labels) must exist ...
grep "DNSKEY 7 2 " "dig.out.ns3.test$n" >/dev/null || ret=1

# ... but none of them may carry the ZSK's key tag
pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" "dig.out.ns3.test$n" >/dev/null && ret=1

# exactly one DNSKEY RRSIG and three DNSKEY records are expected
count=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { c++ } END { print c + 0 }' "dig.out.ns3.test$n")
[ "$count" -eq 1 ] || ret=1

count=$(awk '$4 == "DNSKEY" { c++ } END { print c + 0 }' "dig.out.ns3.test$n")
[ "$count" -eq 3 ] || ret=1

# key tag (field 11 of the RRSIG) of the key that signed the DNSKEY RRset
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
id=$(awk "${awk}" "dig.out.ns3.test$n")

# schedule that KSK for deletion and have ns3 reload its keys
$SETTIME -D now+5 "ns3/Kinacksk3.example.+007+${id}" >/dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i

n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Check that zone is initially signed with a ZSK and not a KSK.
#
echo_i "check that zone with active and inactive ZSK and active KSK is properly"
echo_i "  resigned after the active ZSK is deleted - stage 1: Verify that zone"
echo_i "  is initially signed with a ZSK and not a KSK. ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > "dig.out.ns3.test$n"
# key tag of the KSK (DNSKEY flags 257)
kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' "dig.out.ns3.test$n" |
       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}')
# the CNAME must be signed, but not with the KSK
grep "CNAME 7 3 " "dig.out.ns3.test$n" >/dev/null || ret=1
grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " "dig.out.ns3.test$n" >/dev/null && ret=1
count=$(awk '$4 == "RRSIG" && $5 == "CNAME" { c++ } END { print c + 0 }' "dig.out.ns3.test$n")
[ "$count" -eq 1 ] || ret=1
count=$(awk '$4 == "DNSKEY" { c++ } END { print c + 0 }' "dig.out.ns3.test$n")
[ "$count" -eq 3 ] || ret=1
# key tag of the ZSK that signed the CNAME; schedule it for deletion
id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' "dig.out.ns3.test$n")
$SETTIME -D now+5 "ns3/Kinaczsk3.example.+007+${id}" >/dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# these commands should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.1.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.1.test$n" >/dev/null && ret=1
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.2.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.2.test$n" >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
ret=0
# this zone starts out as NSEC3, so an NSEC3PARAM must be present
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "converting zones from nsec to nsec3"
# adding an NSEC3PARAM by dynamic update is expected to switch each zone
# to NSEC3; the result is verified further down
$NSUPDATE >/dev/null 2>&1 <<END || status=1
server 10.53.0.3 ${PORT}
zone nsec3.nsec3.example.
update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.nsec3.example.
update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone optout.optout.example.
update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone optout.example.
update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
END

# try to convert nsec.example; this should be refused because the zone's
# key is NSEC-only (the REFUSED result is checked later from nsupdate.out)
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
$NSUPDATE > nsupdate.out 2>&1 <<END
server 10.53.0.3 ${PORT}
zone nsec.example.
update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END

echo_i "checking for nsec3param in unsigned zone ($n)"
ret=0
# the NSEC3PARAM must not be visible while the zone is still unsigned
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.test$n" >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking for nsec3param signing record ($n)"
ret=0
# ... but the pending chain (as added via nsupdate above) must be listed
$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > "signing.out.test$n" 2>&1
grep "Pending NSEC3 chain 1 0 20 DEAF" "signing.out.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "resetting nsec3param via rndc signing ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. >/dev/null 2>&1
$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. >/dev/null 2>&1
# poll until exactly one pending chain, with the new parameters, is listed
for i in 0 1 2 3 4 5 6 7 8 9; do
	ret=0
	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > "signing.out.test$n" 2>&1
	grep "Pending NSEC3 chain 1 1 10 BEEF" "signing.out.test$n" >/dev/null || ret=1
	num=$(grep -c "Pending " "signing.out.test$n")
	[ "$num" -eq 1 ] || ret=1
	[ "$ret" -eq 0 ] && break
	echo_i "waiting ... ($i)"
	sleep 2
done
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "signing preset nsec3 zone"
# autozsk.key / autoksk.key name the pre-generated keys; publish (-P) and
# activate (-A) them now, then make ns3 pick them up
zsk=$(cat autozsk.key)
ksk=$(cat autoksk.key)
$SETTIME -K ns3 -P now -A now "$zsk" >/dev/null 2>&1
$SETTIME -K ns3 -P now -A now "$ksk" >/dev/null 2>&1
$RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i

echo_i "waiting for changes to take effect"
sleep 3

echo_i "converting zone from nsec3 to nsec"
# deleting the NSEC3PARAM by dynamic update; verified further down
$NSUPDATE >/dev/null 2>&1 <<END || status=1
server 10.53.0.3 ${PORT}
zone nsec3-to-nsec.example.
update delete nsec3-to-nsec.example. NSEC3PARAM
send
END

echo_i "waiting for change to take effect"
sleep 3

echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
ret=0
# key tag of the ZSK whose private key is absent: strip the "K<name>+007+"
# prefix and any leading zeros from the key file name
missing=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key)
# the journal must contain no deletion of an RRSIG made with that key tag
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id="$missing" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
ret=0
inactive=$(sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key)
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id="$inactive" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
ret=0
# the "retaining signatures" warning must appear exactly once in the log
loglines=$(grep -c "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
ret=0
loglines=$(grep -c "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run)
[ "$loglines" -eq 1 ] || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

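# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo_i "dumping zone files"
for ns in 1 2 3; do
	$RNDCCMD "10.53.0.$ns" sync 2>&1 | sed "s/^/ns$ns /" | cat_i
done

echo_i "checking expired signatures were updated ($n)"
# retry for a few seconds while ns3 catches up; ns4's answer must match
# ns3's and carry the ad flag
for i in 1 2 3 4 5 6 7 8 9; do
	ret=0
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
	digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
	grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
	[ "$ret" -eq 0 ] && break
	sleep 1
done
n=$((n + 1))
# report the failure like every other test does (this one used to add to
# status silently)
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))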

echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.ok.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns3.ok.test$n" >/dev/null || ret=1
# a nonexistent name must now yield a validated (ad) NXDOMAIN that matches
# the authoritative answer
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking direct NSEC3 autosigning succeeded ($n)"
ret=0
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.ok.test$n" || ret=1
[ -s "dig.out.ns3.ok.test$n" ] || ret=1
grep "NSEC3PARAM" "dig.out.ns3.ok.test$n" >/dev/null || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
# nsupdate.out was captured by the "preset nsec3param in unsigned zone" step
grep "failed: REFUSED" nsupdate.out >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > "dig.out.ns3.nx.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.nx.test$n" >/dev/null && ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
ret=0
$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1
sleep 2
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > "dig.out.ns3.nx.test$n" || ret=1
grep "NSEC3PARAM" "dig.out.ns3.nx.test$n" >/dev/null && ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

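# TTL checks on imported DNSKEYs.  The awk prints every record whose TTL
# differs from the expected value and exits non-zero if there was one.
# Its exit status has to be taken directly from the awk command: the
# former "awk ... || ret=1 | cat_i" parsed as "awk || (ret=1 | cat_i)",
# so the assignment ran in a pipeline subshell and never reached ret,
# i.e. a TTL mismatch could not fail the test.  The awk output is kept
# in a file and fed to cat_i afterwards.
echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' "dig.out.ns3.test$n" > "awk.out.ns3.test$n" || ret=1
cat_i < "awk.out.ns3.test$n"
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' "dig.out.ns3.test$n" > "awk.out.ns3.test$n" || ret=1
cat_i < "awk.out.ns3.test$n"
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' "dig.out.ns3.test$n" > "awk.out.ns3.test$n" || ret=1
cat_i < "awk.out.ns3.test$n"
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
[ -s "dig.out.ns3.test$n" ] || ret=1
awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' "dig.out.ns3.test$n" > "awk.out.ns3.test$n" || ret=1
cat_i < "awk.out.ns3.test$n"
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))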

# Validation checks: each query is sent to the authoritative server and to
# ns4; ns4's answer must match (digcomp) and, unless noted, carry the ad
# flag.
echo_i "checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking positive validation NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking positive validation OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth q.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth q.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
# Note - this is looking for failure, hence the &&: an opt-out NXDOMAIN
# is provably insecure, so the ad flag must NOT be set
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NODATA NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > "dig.out.ns2.test$n" || ret=1
$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NODATA NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking negative validation NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "ANSWER: 0" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check the insecure.example domain

echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
# Note - this is looking for failure, hence the &&: the answer is
# insecure, so ns4 must not set the ad flag
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns4.test$n" >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check the secure.example domain
#
# Multi-stage validation: the parent and child zones use the denial type
# named in each test title (NSEC, NSEC3 or OPTOUT); ns4 must agree with
# ns3 and return NOERROR with the ad flag set.

echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.secure.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
ret=0
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.nsec3.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth a.optout.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
grep "flags:.*ad.*QUERY" "dig.out.ns4.test$n" >/dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking empty NODATA OPTOUT ($n)"
ret=0
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
$DIG $DIGOPTS +noauth empty.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns4.test$n" >/dev/null || ret=1
# the ad-flag check is intentionally disabled for this case
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check the insecure.secure.example domain (insecurity proof)

Evan Hunt's avatar
Evan Hunt committed
713
echo_i "checking 2-server insecurity proof ($n)"
714 715 716 717 718
ret=0
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
719
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
720 721 722 723
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
724
if [ $ret != 0 ]; then echo_i "failed"; fi
725 726 727 728
status=`expr $status + $ret`

# Check a negative response in insecure.secure.example

Evan Hunt's avatar
Evan Hunt committed
729
echo_i "checking 2-server insecurity proof with a negative answer ($n)"
730 731 732 733 734
ret=0
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
	|| ret=1
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
	|| ret=1
Evan Hunt's avatar
Evan Hunt committed
735
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
736 737 738 739
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
740
if [ $ret != 0 ]; then echo_i "failed"; fi
741 742
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
743
echo_i "checking security root query ($n)"
744 745 746 747 748
ret=0
$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
749
if [ $ret != 0 ]; then echo_i "failed"; fi
750 751
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
752
echo_i "checking positive validation RSASHA256 NSEC ($n)"
753 754 755
ret=0
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
756
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
757 758
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
759
if [ $ret != 0 ]; then echo_i "failed"; fi
760 761
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
762
echo_i "checking positive validation RSASHA512 NSEC ($n)"
763 764 765
ret=0
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
766
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
767 768
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
769
if [ $ret != 0 ]; then echo_i "failed"; fi
770 771
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
772
echo_i "checking that positive validation in a privately secure zone works ($n)"
773 774 775 776 777
ret=0
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
778
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
779
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
780
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
781
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
782
if [ $ret != 0 ]; then echo_i "failed"; fi
783 784
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
785
echo_i "checking that negative validation in a privately secure zone works ($n)"
786 787 788 789 790
ret=0
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
	> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
791
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
792 793 794 795
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
796
if [ $ret != 0 ]; then echo_i "failed"; fi
797 798
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
799
echo_i "checking privately secure to nxdomain works ($n)"
800
ret=0
801 802 803
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
804
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
805
if [ $ret != 0 ]; then echo_i "failed"; fi
806 807 808 809 810
status=`expr $status + $ret`

# Try validating with a revoked trusted key.
# This should fail.

Evan Hunt's avatar
Evan Hunt committed
811
echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
812 813
ret=0
$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
814 815
grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
816
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
817
if [ $ret != 0 ]; then echo_i "failed"; fi
818 819
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
820
echo_i "checking that revoked key is present ($n)"
821
ret=0
822
id=`cat rev.key`
823 824 825
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
826
if [ $ret != 0 ]; then echo_i "failed"; fi
827 828
status=`expr $status + $ret`

Evan Hunt's avatar
Evan Hunt committed
829
echo_i "checking that revoked key self-signs ($n)"
830
ret=0
831
id=`cat rev.key`
832 833 834
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
Evan Hunt's avatar
Evan Hunt committed
835
if [ $ret != 0 ]; then echo_i "failed"; fi
836 837
status=`expr $status + $ret`

echo_i "checking for unpublished key ($n)"