#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

SYSTEMTESTTOP=..
# Shared system-test settings (DIG, DELV, RNDC, PORT, echo_i, digcomp ...).
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

# status counts failed checks; n numbers the check currently running.
status=0
n=1

# Any unguarded command failure aborts the run; the individual checks below
# guard their commands with "|| ret=1" so a failing check is counted instead.
set -e

# Remove query output left over from an earlier run so a stale file can never
# satisfy one of the greps below.
rm -f -- dig.out.*

# dig with the option set most checks in this file share; the caller passes
# the query name, server and type (plus any extra +options) after them.
dig_with_opts() {
    set -- +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

# dig printing only the additional section (with DNSSEC records).
dig_with_additionalopts() {
    set -- +noall +additional +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

# dig printing only the answer section (with DNSSEC records).
dig_with_answeropts() {
    set -- +noall +answer +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

# delv (the dns_client validator) using the test's trust anchors from
# ns1/trusted.conf; the caller passes server, type and name.
delv_with_opts() {
    set -- -a ns1/trusted.conf -p "$PORT" "$@"
    "$DELV" "$@"
}

# rndc against the shared test control configuration; the first caller
# argument is the server address given to -s, the rest the rndc command.
rndccmd() {
    set -- -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
    "$RNDC" "$@"
}

# Print the private-type (TYPE65534) signing records of zone $1 held by
# server $2 in readable form: a "-- zone server --" banner, then one
# "signing|removing: alg: N, key: N (complete|incomplete)" line per record.
# Each record's hex rdata (third field of dig's \# output) is decoded by perl;
# a record whose rdata is not exactly 5 bytes makes perl die.
showprivate () {
    echo "-- $* --"
    dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -d' ' -f3 |
        while read -r rdata_hex; do
            # The $-names below belong to perl, hence the single quotes.
            # shellcheck disable=SC2016
            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
                die "invalid record" unless length($rdata) == 5;
                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                my $action = "signing";
                $action = "removing" if $remove;
                my $state = " (incomplete)";
                $state = " (complete)" if $complete;
                print ("$action: alg: $alg, key: $key$state\n");' "$rdata_hex"
        done
}

# Wait (one second per try, ten tries) until showprivate reports no
# "incomplete" signing record for zone $1 on server $2.
# Returns 0 as soon as signing is complete, 1 (after an echo_d diagnostic)
# if it still is not after the last try.
checkprivate () {
    for i in 1 2 3 4 5 6 7 8 9 10; do
        if ! showprivate "$@" | grep -q incomplete; then
            return 0
        fi
        sleep 1
    done
    echo_d "$1 signing incomplete"
    return 1
}

# Succeed when the zone file $1 carries a raw-format header (format 2)
# at version 0: the first two 32-bit big-endian words must be 2 and 0.
# The function's status is perl's: 0 on a match, 1 otherwise.
israw0 () {
    # shellcheck disable=SC2016
    $PERL -e 'binmode STDIN;
	             read(STDIN, $input, 8);
	             ($style, $version) = unpack("NN", $input);
	             exit 1 if ($style != 2 || $version != 0);' < "$1"
}

# Succeed when the zone file $1 carries a raw-format header (format 2)
# at version 1: the first two 32-bit big-endian words must be 2 and 1.
# The function's status is perl's: 0 on a match, 1 otherwise.
israw1 () {
    # shellcheck disable=SC2016
    $PERL -e 'binmode STDIN;
		     read(STDIN, $input, 8);
                     ($style, $version) = unpack("NN", $input);
                     exit 1 if ($style != 2 || $version != 1);' < "$1"
}

# Copy the dig output file $1 to stdout without its NS records and without
# the RRSIGs that cover NS (fields 4/5 of dig's presentation format), so two
# servers' answers can be handed to digcomp with the delegation left out.
stripns () {
    awk \
        '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' \
        "$1"
}

# A validating resolver answering for a name under an unsigned (insecure)
# delegation must still return the delegation's glue in the additional
# section: one answer, one authority and two additional records, the glue
# being ns.insecure.example A 10.53.0.3.
echo_i "checking that additional glue is returned for unsigned delegation ($n)"
ret=0
$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
grep -q "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" "dig.out.ns4.test$n" || ret=1
grep -q "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check the example. domain

# 10.53.0.2 and 10.53.0.3 must give the same answer for a.example once the
# zone has been transferred; retry once a second, up to nine times, before
# the final comparison decides the check.
echo_i "checking that zone transfer worked ($n)"
for i in 1 2 3 4 5 6 7 8 9; do
    ret=0
    dig_with_opts a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
    dig_with_opts a.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
    $PERL ../digcomp.pl "dig.out.ns2.test$n" "dig.out.ns3.test$n" > /dev/null || ret=1
    if [ "$ret" -eq 0 ]; then
        break
    fi
    sleep 1
done
digcomp "dig.out.ns2.test$n" "dig.out.ns3.test$n" > /dev/null || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

124
125
# AD bit, part 1: a query carrying the AD flag (+adflag) asks the resolver
# to validate, so the answer from the validating resolver 10.53.0.4 must
# have AD set and otherwise match the authoritative answer.
echo_i "checking AD bit asking for validation ($n)"
ret=0
dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# AD bit, part 2: a query with neither +adflag nor +dnssec must come back
# without AD, even from the validating resolver.
echo_i "checking that AD is not set without +adflag or +dnssec ($n)"
ret=0
dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# An authoritative server (10.53.0.2) does not validate, so its answer
# must never carry the AD bit.
echo_i "checking for AD in authoritative answer ($n)"
ret=0
dig_with_opts a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns2.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Positive answer in the NSEC-signed zone: the resolver's answer must match
# the authoritative one and carry AD.
echo_i "checking positive validation NSEC ($n)"
ret=0
dig_with_opts +noauth a.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
dig_with_opts +noauth a.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

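# Same check through the dns_client API (delv); skipped when delv was not
# built.  DELV is quoted: with an empty value the one-argument form "[ -x ]"
# tests the string "-x", which is true, and the block would run without a
# binary.
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive validation NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.example > "delv.out$n" || ret=1
    grep -q "a.example..*10.0.0.1" "delv.out$n" || ret=1
    grep -q "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi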

# Positive answer in the NSEC3-signed zone: resolver and authoritative
# answers must match and the resolver's must carry AD.
echo_i "checking positive validation NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

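# dns_client (delv) variant of the NSEC3 positive check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive validation NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.nsec3.example > "delv.out$n" || ret=1
    grep -q "a.nsec3.example..*10.0.0.1" "delv.out$n" || ret=1
    grep -q "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi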

# Positive answer in the opt-out NSEC3 zone for a signed name: must validate
# (AD set) and match the authoritative answer.
echo_i "checking positive validation OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# ERE fragment matching the whitespace between fields of delv output.
SP="[[:space:]]+"

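# dns_client (delv) variant of the OPTOUT positive check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".  The answer and its RRSIG are
# matched field by field, using $SP between fields.
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive validation OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.optout.example > "delv.out$n" || ret=1
    grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" "delv.out$n" || ret=1
    grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi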

# Wildcard expansion in the NSEC zone: besides matching the authoritative
# answer (NS records stripped first), the resolver's answer must contain the
# wildcard's NSEC and its RRSIG, validate (AD) and be NOERROR.
echo_i "checking positive wildcard validation NSEC ($n)"
ret=0
dig_with_opts a.wild.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts a.wild.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
stripns "dig.out.ns3.test$n" > "dig.out.ns3.stripped.test$n"
stripns "dig.out.ns4.test$n" > "dig.out.ns4.stripped.test$n"
digcomp "dig.out.ns3.stripped.test$n" "dig.out.ns4.stripped.test$n" || ret=1
grep -q "\\*\\.wild\\.example\\..*RRSIG	NSEC" "dig.out.ns4.test$n" || ret=1
grep -q "\\*\\.wild\\.example\\..*NSEC	z\\.example" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

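# dns_client (delv) variant of the NSEC wildcard check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.wild.example > "delv.out$n" || ret=1
    grep -q "a.wild.example..*10.0.0.27" "delv.out$n" || ret=1
    grep -Eq "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi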

# Wildcard answer from the NSEC3 authoritative server 10.53.0.3: NOERROR
# with four authority records.
echo_i "checking positive wildcard answer NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
grep -q "AUTHORITY: 4," "dig.out.ns3.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns3.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same wildcard answer via the validating resolver 10.53.0.4: NOERROR with
# four authority records.
echo_i "checking positive wildcard answer NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
grep -q "AUTHORITY: 4," "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Wildcard expansion in the NSEC3 zone: answers (NS records stripped) must
# match, and the resolver's must validate (AD) and be NOERROR.
echo_i "checking positive wildcard validation NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
stripns "dig.out.ns3.test$n" > "dig.out.ns3.stripped.test$n"
stripns "dig.out.ns4.test$n" > "dig.out.ns4.stripped.test$n"
digcomp "dig.out.ns3.stripped.test$n" "dig.out.ns4.stripped.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

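# dns_client (delv) variant of the NSEC3 wildcard check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.wild.nsec3.example > "delv.out$n" || ret=1
    grep -Eq "a.wild.nsec3.example..*10.0.0.6" "delv.out$n" || ret=1
    grep -Eq "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi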

# Wildcard expansion in the opt-out zone: answers (NS records stripped)
# must match and be NOERROR, but the resolver must NOT set AD for it.
echo_i "checking positive wildcard validation OPTOUT ($n)"
ret=0
dig_with_opts a.wild.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts a.wild.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
stripns "dig.out.ns3.test$n" > "dig.out.ns3.stripped.test$n"
stripns "dig.out.ns4.test$n" > "dig.out.ns4.stripped.test$n"
digcomp "dig.out.ns3.stripped.test$n" "dig.out.ns4.stripped.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

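# dns_client (delv) variant of the OPTOUT wildcard check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.wild.optout.example > "delv.out$n" || ret=1
    grep -q "a.wild.optout.example..*10.0.0.6" "delv.out$n" || ret=1
    grep -q "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi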

# NXDOMAIN in the NSEC zone: the resolver's answer must match the
# authoritative one, validate (AD) and keep the NXDOMAIN status.
echo_i "checking negative validation NXDOMAIN NSEC ($n)"
ret=0
dig_with_opts +noauth q.example. @10.53.0.2 a > "dig.out.ns2.test$n" || ret=1
dig_with_opts +noauth q.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

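# dns_client (delv) variant of the NSEC NXDOMAIN check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".  delv's diagnostic goes to stderr,
# hence the 2>&1.
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi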

# NXDOMAIN in the NSEC3 zone: answers must match, validate (AD) and keep
# the NXDOMAIN status.
echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
dig_with_opts +noauth q.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth q.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

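# dns_client (delv) variant of the NSEC3 NXDOMAIN check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.nsec3.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi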

# NXDOMAIN in the opt-out zone: answers must match and be NXDOMAIN, but an
# opt-out span proves nothing, so the resolver must NOT set AD.
echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
dig_with_opts +noauth q.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth q.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

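# dns_client (delv) variant of the OPTOUT NXDOMAIN check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.optout.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi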

# NODATA (existing name, no TXT) in the NSEC zone: answers must match, and
# the resolver's must validate (AD), be NOERROR and carry no answer records.
echo_i "checking negative validation NODATA NSEC ($n)"
ret=0
dig_with_opts +noauth a.example. @10.53.0.2 txt > "dig.out.ns2.test$n" || ret=1
dig_with_opts +noauth a.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
grep -q "ANSWER: 0" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

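# dns_client (delv) variant of the NSEC NODATA check; skipped when delv was
# not built.  DELV is quoted so an empty value cannot turn the test into the
# always-true one-argument "[ -x ]".  The label names NSEC: this queries
# a.example (the NSEC zone); the NSEC3 and OPTOUT variants follow below.
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NODATA NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt a.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi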

# NODATA in the NSEC3 zone: answers must match, and the resolver's must
# validate (AD), be NOERROR and carry no answer records.
echo_i "checking negative validation NODATA NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.nsec3.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
grep -q "ANSWER: 0" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

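# dns_client (delv) variant of the NSEC3 NODATA check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt a.nsec3.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi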

# NODATA for a signed name in the opt-out zone: answers must match, and the
# resolver's must validate (AD), be NOERROR and carry no answer records.
echo_i "checking negative validation NODATA OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.optout.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.optout.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
grep -q "ANSWER: 0" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

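# dns_client (delv) variant of the OPTOUT NODATA check; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt a.optout.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi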

# NODATA through a wildcard in the NSEC zone (b.wild.example has no TXT):
# answers must match, validate (AD) and be NOERROR.
echo_i "checking negative wildcard validation NSEC ($n)"
ret=0
dig_with_opts b.wild.example. @10.53.0.2 txt > "dig.out.ns2.test$n" || ret=1
dig_with_opts b.wild.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns2.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

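# dns_client (delv) variant of the NSEC wildcard NODATA check; skipped when
# delv was not built.  DELV is quoted so an empty value cannot turn the test
# into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt b.wild.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi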

# NODATA through a wildcard in the NSEC3 zone: answers must match and the
# resolver's must validate (AD).
echo_i "checking negative wildcard validation NSEC3 ($n)"
ret=0
dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

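# dns_client (delv) variant of the NSEC3 wildcard NODATA check; skipped when
# delv was not built.  DELV is quoted so an empty value cannot turn the test
# into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi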

# NODATA through a wildcard in the opt-out zone: answers must match and be
# NOERROR, but the resolver must NOT set AD.
echo_i "checking negative wildcard validation OPTOUT ($n)"
ret=0
dig_with_opts b.wild.optout.example. @10.53.0.3 txt > "dig.out.ns3.test$n" || ret=1
dig_with_opts b.wild.optout.example. @10.53.0.4 txt > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

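# dns_client (delv) variant of the OPTOUT wildcard NODATA check; skipped
# when delv was not built.  DELV is quoted so an empty value cannot turn the
# test into the always-true one-argument "[ -x ]".
# NOTE(review): the dig half of this check queries b.wild.optout.example
# while this one queries b.optout.nsec3.example -- confirm which name is
# intended before relying on this result.
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxrrset" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi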

# Check the insecure.example domain

# Insecurity proof (NSEC parent): a name under an unsigned delegation is
# answered NOERROR, matching the authoritative answer, and must NOT get AD.
echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

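# dns_client (delv) variant of the NSEC insecurity proof; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.insecure.example > "delv.out$n" || ret=1
    grep -q "a.insecure.example..*10.0.0.1" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi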

# Insecurity proof (NSEC3 parent): NOERROR, matching the authoritative
# answer, and no AD.
echo_i "checking 1-server insecurity proof NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

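# dns_client (delv) variant of the NSEC3 insecurity proof; skipped when delv
# was not built.  DELV is quoted so an empty value cannot turn the test into
# the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > "delv.out$n" || ret=1
    grep -q "a.insecure.nsec3.example..*10.0.0.1" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi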

# Insecurity proof (opt-out parent): NOERROR, matching the authoritative
# answer, and no AD.
echo_i "checking 1-server insecurity proof OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

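# dns_client (delv) variant of the OPTOUT insecurity proof; skipped when
# delv was not built.  DELV is quoted so an empty value cannot turn the test
# into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 a a.insecure.optout.example > "delv.out$n" || ret=1
    grep -q "a.insecure.optout.example..*10.0.0.1" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi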

# Negative answer below an unsigned delegation (NSEC parent): NXDOMAIN,
# matching the authoritative answer, and no AD since the child is unsigned.
echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
dig_with_opts q.insecure.example. a @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts q.insecure.example. a @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

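# dns_client (delv) variant of the NSEC negative insecurity proof; skipped
# when delv was not built.  DELV is quoted so an empty value cannot turn the
# test into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.insecure.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi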

# Negative answer below an unsigned delegation (NSEC3 parent): NXDOMAIN,
# matching the authoritative answer, and no AD.
echo_i "checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

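# dns_client (delv) variant of the NSEC3 negative insecurity proof; skipped
# when delv was not built.  DELV is quoted so an empty value cannot turn the
# test into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi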

# Negative answer below an unsigned delegation (opt-out parent): NXDOMAIN,
# matching the authoritative answer, and no AD.
echo_i "checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
dig_with_opts q.insecure.optout.example. a @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts q.insecure.optout.example. a @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

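# dns_client (delv) variant of the OPTOUT negative insecurity proof; skipped
# when delv was not built.  DELV is quoted so an empty value cannot turn the
# test into the always-true one-argument "[ -x ]".
if [ -x "${DELV}" ]; then
    ret=0
    echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
    delv_with_opts @10.53.0.4 a q.insecure.optout.example > "delv.out$n" 2>&1 || ret=1
    grep -q "resolution failed: ncache nxdomain" "delv.out$n" || ret=1
    n=$((n + 1))
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
fi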

# Negative insecurity proof with the "SOA hack" (NSEC parent): an SOA query
# for a nonexistent name under the unsigned child must be NXDOMAIN, carry a
# zero-TTL SOA, match the authoritative answer and not be marked AD.
echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
dig_with_opts r.insecure.example. soa @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts r.insecure.example. soa @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
grep -q "0	IN	SOA" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Negative insecurity proof with the "SOA hack" (NSEC3 parent): NXDOMAIN
# with a zero-TTL SOA, matching the authoritative answer, and no AD.
echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
ret=0
dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
grep -q "0	IN	SOA" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Negative insecurity proof with the "SOA hack" (opt-out parent): NXDOMAIN
# with a zero-TTL SOA, matching the authoritative answer, and no AD.
echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
ret=0
dig_with_opts r.insecure.optout.example. soa @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
dig_with_opts r.insecure.optout.example. soa @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NXDOMAIN" "dig.out.ns4.test$n" || ret=1
grep -q "0	IN	SOA" "dig.out.ns4.test$n" || ret=1
# A match is the failure case here, hence "&&".
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" && ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Check the secure.example domain

# Chained validation, NSEC parent over NSEC child (secure.example): the
# resolver's answer must match the authoritative one, be NOERROR and carry AD.
echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
ret=0
dig_with_opts +noauth a.secure.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.secure.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Chained validation, NSEC parent over NSEC3 child (nsec3.example): answers
# must match, be NOERROR and carry AD.
echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. @10.53.0.3 a > "dig.out.ns3.test$n" || ret=1
dig_with_opts +noauth a.nsec3.example. @10.53.0.4 a > "dig.out.ns4.test$n" || ret=1
digcomp "dig.out.ns3.test$n" "dig.out.ns4.test$n" || ret=1
grep -q "status: NOERROR" "dig.out.ns4.test$n" || ret=1
grep -q "flags:.*ad.*QUERY" "dig.out.ns4.test$n" || ret=1
n=$((n + 1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
736
ret=0
737
dig_with_opts +noauth a.optout.example. \
738
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
739
dig_with_opts +noauth a.optout.example. \
740
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1