Commit 427e9ca3 authored by Evan Hunt's avatar Evan Hunt

clear AD flag when altering response messages

- the AD flag was not being cleared correctly when filtering
- enabled dnssec validation in the filter-aaaa test to confirm this
  works correctly now
parent 055bf266
......@@ -11,16 +11,6 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_PRODUCT@
@BIND9_DESCRIPTION@
@BIND9_SRCID@
@BIND9_CONFIGARGS@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
......@@ -40,8 +30,6 @@ TARGETS = @SO_TARGETS@
SO_OBJS = filter-aaaa.@O@
SO_SRCS = filter-aaaa.c
OBJS =
CFLAGS = @CFLAGS@ @SO_CFLAGS@
SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
......
......@@ -13,29 +13,45 @@
#include <config.h>
#include <inttypes.h>
#include <stdbool.h>
#include <string.h>
#include <isc/buffer.h>
#include <isc/hash.h>
#include <isc/lib.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/result.h>
#include <isc/types.h>
#include <isc/util.h>
#include <isccfg/aclconf.h>
#include <isccfg/cfg.h>
#include <isccfg/grammar.h>
#include <isccfg/namedconf.h>
#include <dns/acl.h>
#include <dns/result.h>
#include <ns/client.h>
#include <ns/hooks.h>
#include <ns/log.h>
#include <ns/query.h>
#include <ns/types.h>
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
#include <dns/acl.h>
#include <dns/db.h>
#include <dns/enumtype.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/rdataset.h>
#include <dns/result.h>
#include <dns/types.h>
#define CHECK(op) \
do { \
result = (op); \
if (result != ISC_R_SUCCESS) { \
goto cleanup; \
} \
} while (0)
/*
......@@ -228,23 +244,20 @@ parse_parameters(const char *parameters, const void *cfg,
}
/**
** Mandatory hook API functions.
** Mandatory hook API functions:
**
** - hook_destroy
** - hook_register
** - hook_version
**/
/*
* Prototypes for the hook module API functions defined below.
*/
ns_hook_destroy_t hook_destroy;
ns_hook_register_t hook_register;
ns_hook_version_t hook_version;
/*
* Called by ns_hookmodule_load() to register hook functions into
* a hook table.
*/
isc_result_t
hook_register(const unsigned int modid, const char *parameters,
const char *file, unsigned long line,
const char *cfg_file, unsigned long cfg_line,
const void *cfg, void *actx,
ns_hookctx_t *hctx, ns_hooktable_t *hooktable, void **instp)
{
......@@ -254,20 +267,14 @@ hook_register(const unsigned int modid, const char *parameters,
module_id = modid;
if (parameters != NULL) {
isc_log_write(hctx->lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_HOOKS, ISC_LOG_INFO,
"loading params for 'filter-aaaa' "
"module from %s:%lu",
file, line);
isc_log_write(hctx->lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_HOOKS, ISC_LOG_INFO,
"loading 'filter-aaaa' "
"module from %s:%lu, %s parameters",
cfg_file, cfg_line, parameters != NULL ? "with" : "no");
if (parameters != NULL) {
CHECK(parse_parameters(parameters, cfg, actx, hctx));
} else {
isc_log_write(hctx->lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_HOOKS, ISC_LOG_INFO,
"loading 'filter-aaaa' "
"module from %s:%lu, no parameters",
file, line);
}
ns_hook_add(hooktable, NS_QUERY_QCTX_INITIALIZED, &filter_init);
......@@ -304,7 +311,7 @@ hook_register(const unsigned int modid, const char *parameters,
}
/*
* Called by ns_hookmodule_cleanup(); frees memory allocated by
* Called by ns_hookmodule_unload_all(); frees memory allocated by
* the module when it was registered.
*/
void
......@@ -325,18 +332,16 @@ hook_destroy(void **instp) {
* Returns hook module API version for compatibility checks.
*/
int
hook_version(unsigned int *flags) {
UNUSED(flags);
hook_version(void) {
return (NS_HOOK_VERSION);
}
/**
** "filter-aaaa" feature implementation begins here
** "filter-aaaa" feature implementation begins here.
**/
/*
* Check whether this is a V4 client.
* Check whether this is an IPv4 client.
*/
static bool
is_v4_client(ns_client_t *client) {
......@@ -352,7 +357,7 @@ is_v4_client(ns_client_t *client) {
}
/*
* Check whether this is a V6 client.
* Check whether this is an IPv6 client.
*/
static bool
is_v6_client(ns_client_t *client) {
......@@ -389,7 +394,7 @@ filter_qctx_initialize(void *hookdata, void *cbdata, isc_result_t *resp) {
}
/*
* Determine whether this client should have AAAA filtered nor not,
* Determine whether this client should have AAAA filtered or not,
* based on the client address family and the settings of
* filter-aaaa-on-v4 and filter-aaaa-on-v6.
*/
......@@ -474,6 +479,7 @@ filter_respond_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
* cached an A if it existed.
*/
if (result == ISC_R_SUCCESS) {
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
qctx->rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
if (qctx->sigrdataset != NULL &&
dns_rdataset_isassociated(qctx->sigrdataset))
......@@ -511,7 +517,6 @@ filter_respond_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
((qctx->client->hookflags[module_id] &
FILTER_AAAA_RECURSING) != 0))
{
dns_rdataset_t *mrdataset = NULL;
dns_rdataset_t *sigrdataset = NULL;
......@@ -520,6 +525,7 @@ filter_respond_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
dns_rdatatype_aaaa, 0,
NULL, &mrdataset);
if (result == ISC_R_SUCCESS) {
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
mrdataset->attributes |= DNS_RDATASETATTR_RENDERED;
}
......@@ -529,6 +535,7 @@ filter_respond_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
dns_rdatatype_aaaa,
NULL, &sigrdataset);
if (result == ISC_R_SUCCESS) {
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
sigrdataset->attributes |= DNS_RDATASETATTR_RENDERED;
}
......@@ -593,6 +600,7 @@ filter_respond_any_found(void *hookdata, void *cbdata, isc_result_t *resp) {
(aaaa_sig == NULL || !WANTDNSSEC(qctx->client) ||
**mode == BREAK_DNSSEC))
{
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
aaaa->attributes |= DNS_RDATASETATTR_RENDERED;
if (aaaa_sig != NULL) {
aaaa_sig->attributes |= DNS_RDATASETATTR_RENDERED;
......@@ -605,7 +613,7 @@ filter_respond_any_found(void *hookdata, void *cbdata, isc_result_t *resp) {
/*
* Hide AAAA rrsets in the additional section if there is a matching A,
* and hide NS in the additional section if AAAA was filtered in the answer
* and hide NS in the authority section if AAAA was filtered in the answer
* section.
*/
static bool
......@@ -674,6 +682,8 @@ filter_query_done_send(void *hookdata, void *cbdata, isc_result_t *resp) {
result = dns_message_findtype(name, dns_rdatatype_ns,
0, &ns);
if (result == ISC_R_SUCCESS) {
qctx->client->message->flags &=
~DNS_MESSAGEFLAG_AD;
ns->attributes |= DNS_RDATASETATTR_RENDERED;
}
......
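Review bot: The statement `qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;` is added at five separate sites across `filter_respond_begin`, `filter_respond_any_found` and `filter_query_done_send`, each time without a comment saying why. A later path that sets `DNS_RDATASETATTR_RENDERED` to hide a record could easily omit it and return an altered answer that still claims authenticated data to a client trusting the AD bit. I would add a one-line comment at each site, for example `/* response is being altered, so it must not claim authenticated data */`, or pair the two operations in one small static helper so they cannot drift apart. Only fragments of each function are visible in these hunks, so whether every hiding path is now covered cannot be confirmed from here.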
......@@ -50,7 +50,7 @@
to omit some IPv6 addresses when responding to clients.
</para>
<para>
Until BIND 9.12, this feature was impleented natively in
Until BIND 9.12, this feature was implemented natively in
<command>named</command> and enabled with the
<command>filter-aaaa</command> ACL and the
<command>filter-aaaa-on-v4</command> and
......
......@@ -1544,6 +1544,7 @@ configure_hook(ns_hooktable_t *hooktable, const unsigned int modid,
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *obj;
const char *type, *library;
const char *parameters = NULL;
/* Get the path to the hook module. */
obj = cfg_tuple_get(hook, "type");
......@@ -1560,22 +1561,12 @@ configure_hook(ns_hooktable_t *hooktable, const unsigned int modid,
obj = cfg_tuple_get(hook, "parameters");
if (obj != NULL && cfg_obj_isstring(obj)) {
result = ns_hookmodule_load(library, modid,
cfg_obj_asstring(obj),
cfg_obj_file(obj),
cfg_obj_line(obj),
config,
named_g_aclconfctx,
hctx, hooktable);
} else {
result = ns_hookmodule_load(library, modid, NULL,
cfg_obj_file(hook),
cfg_obj_line(hook),
config,
named_g_aclconfctx,
hctx, hooktable);
parameters = cfg_obj_asstring(obj);
}
result = ns_hookmodule_load(library, modid, parameters,
cfg_obj_file(obj), cfg_obj_line(obj),
config, named_g_aclconfctx,
hctx, hooktable);
if (result != ISC_R_SUCCESS) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
......@@ -5318,6 +5309,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
}
#ifdef HAVE_DLOPEN
if (hook_list != NULL) {
const void *hashinit = isc_hash_get_initializer();
CHECK(ns_hook_createctx(mctx, hashinit, &hctx));
INSIST(view->hooktable == NULL);
CHECK(ns_hooktable_create(view->mctx,
(ns_hooktable_t **) &view->hooktable));
view->hooktable_free = ns_hooktable_free;
}
for (element = cfg_list_first(hook_list);
element != NULL;
element = cfg_list_next(element))
......@@ -5325,8 +5326,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *hook = cfg_listelt_value(element);
if (view->hooktable == NULL) {
ns_hooktable_create(view->mctx,
(ns_hooktable_t **) &view->hooktable);
CHECK(ns_hooktable_create(view->mctx,
(ns_hooktable_t **) &view->hooktable));
view->hooktable_free = ns_hooktable_free;
}
......@@ -8080,7 +8081,7 @@ load_configuration(const char *filename, named_server_t *server,
* Shut down all dyndb and hook module instances.
*/
dns_dyndb_cleanup(false);
ns_hookmodule_cleanup();
ns_hookmodule_unload_all();
/*
* Parse the global default pseudo-config file.
......@@ -9565,7 +9566,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
* Shut down all dyndb and hook module instances.
*/
dns_dyndb_cleanup(true);
ns_hookmodule_cleanup();
ns_hookmodule_unload_all();
while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
ISC_LIST_UNLINK(server->cachelist, nsc, link);
......
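Review bot: In `configure_hook` the merged call passes `cfg_obj_file(obj)` and `cfg_obj_line(obj)` unconditionally, although the guard just above it (`obj != NULL && cfg_obj_isstring(obj)`) still treats `obj` as possibly NULL or not a string. The replaced else-branch took the location from `hook` for that case. If `cfg_tuple_get(hook, "parameters")` can in fact return NULL, the new call may dereference it; otherwise the "no parameters" log line reports whatever location the empty parameters object carries. Passing `cfg_obj_file(hook), cfg_obj_line(hook)` when `parameters == NULL` would keep the earlier behaviour. Separately, the new pre-loop block in `configure_view` appears to make the `if (view->hooktable == NULL)` creation inside the loop redundant, though that function continues outside the hunks shown.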
......@@ -26,3 +26,6 @@ rm -f ns4/dsset-*
rm -f dig.out.*
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*
rm -f ns*/trusted.conf
rm -f ns*/keygen.out
......@@ -21,10 +21,15 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
keyname=`cat keygen.out`
rm -f keygen.out
cat $infile $keyname1.key $keyname2.key >$zonefile
keyfile_to_trusted_keys $keyname > trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns5/trusted.conf
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
echo_i "signed zone '$zone'"
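Review bot: The KSK name is taken from `keygen.out` after `$KEYGEN ... 2>&1 > keygen.out | cat_i`, so the exit status of `$KEYGEN` is discarded by the pipeline and `keyname` is never checked. If key generation fails, `keyfile_to_trusted_keys $keyname > trusted.conf` presumably still runs with an empty argument, and the resulting file is copied to ns2, ns3 and ns5. The new AD-flag checks would then fail for a reason unrelated to the filter. A guard such as `[ -n "$keyname" ] || { echo_i "key generation failed"; exit 1; }` before building `trusted.conf` would make that failure obvious.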
......@@ -38,3 +38,5 @@ controls {
};
zone "." { type hint; file "hints"; };
include "trusted.conf";
......@@ -38,3 +38,5 @@ controls {
};
zone "." { type hint; file "hints"; };
include "trusted.conf";
......@@ -38,3 +38,5 @@ controls {
};
zone "." { type hint; file "hints"; };
include "trusted.conf";
......@@ -38,3 +38,5 @@ controls {
};
zone "." { type hint; file "hints"; };
include "trusted.conf";
......@@ -21,10 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
echo_i "signed $zone"
$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
echo_i "signed zone '$zone'"
......@@ -43,3 +43,5 @@ controls {
};
zone "." { type hint; file "hints"; };
include "trusted.conf";
......@@ -199,7 +199,6 @@ else
echo_i "skipped."
fi
#
# Authoritative tests against:
# filter-aaaa-on-v4 break-dnssec;
......@@ -380,6 +379,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -397,6 +397,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -406,6 +407,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -414,6 +416,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -423,6 +426,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -461,6 +465,7 @@ echo_i "checking that both A and AAAA are returned when both AAAA and A records
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
......@@ -509,7 +514,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
......@@ -517,15 +522,21 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
echo_i "checking that AAAA is included in additional section, qtype=MX, signed, recursive ($n)"
ret=0
# we need to prime the cache with addresses for the MX, since additional
# section data won't be included unless it's validated, and that doesn't
# necessarily happen otherwise.
$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null
$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)"
echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::2
then
ret=0
......@@ -537,7 +548,6 @@ else
echo_i "skipped."
fi
#
# Recursive tests against:
# filter-aaaa-on-v4 break-dnssec;
......@@ -547,6 +557,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -564,6 +575,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -573,6 +585,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -582,6 +595,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -590,6 +604,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -688,6 +703,7 @@ echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed,
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1047,6 +1063,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1064,6 +1081,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1073,6 +1091,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1081,6 +1100,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1090,6 +1110,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1128,6 +1149,7 @@ echo_i "checking that both A and AAAA are returned when both AAAA and A records
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
......@@ -1183,6 +1205,7 @@ echo_i "checking that AAAA is included in additional section, qtype=MX, signed (
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1204,6 +1227,7 @@ n=`expr $n + 1`
echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1221,6 +1245,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1230,6 +1255,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -1239,6 +1265,7 @@ echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records ex
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status