#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# shellcheck source=conf.sh
SYSTEMTESTTOP=".."
. "${SYSTEMTESTTOP}/conf.sh"

# Abort on the first unhandled failure; the individual checks below record
# their own failures in $ret (via "|| ret=1") so one failing check does not
# stop the run.
set -e

# Running count of failed checks, and the 1-based index of the current check.
status=0
n=1

# Start clean: drop dig output left behind by a previous run.
rm -f dig.out.*
Michael Sawyer's avatar
Michael Sawyer committed
22

dig_with_opts() {
    # Query over TCP with the command, additional, search-list and statistics
    # output suppressed and DNSSEC records requested; the caller's arguments
    # (name, @server, type, further +options) are appended.
    set -- +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

dig_with_additionalopts() {
    # Print only the additional section of the response, with DNSSEC
    # records requested; the caller's arguments are appended.
    set -- +noall +additional +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

dig_with_answeropts() {
    # Print only the answer section of the response, with DNSSEC records
    # requested; the caller's arguments are appended.
    set -- +noall +answer +dnssec -p "$PORT" "$@"
    "$DIG" "$@"
}

delv_with_opts() {
    # Run delv against the test port using the trust anchors from
    # ns1/trusted.conf; the caller's arguments are appended.
    set -- -a ns1/trusted.conf -p "$PORT" "$@"
    "$DELV" "$@"
}

rndccmd() {
    # Send an rndc command using the shared test rndc.conf on the control
    # port; the first caller argument is the server address passed to -s and
    # the rest form the command.
    set -- -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
    "$RNDC" "$@"
}

# TODO: Move loadkeys_on to conf.sh.common
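dnssec_loadkeys_on() {
	# Ask server ns<$1> to reload the DNSSEC keys of zone $2 and wait (up
	# to 20 units, per wait_for_log's first argument) for it to log
	# "next key event".  Returns 1 if that line never shows up.
	# nsidx and zone are plain globals: this file is /bin/sh, no "local".
	nsidx=$1
	zone=$2
	# nextpart/wait_for_log/cat_i come from conf.sh; presumably nextpart
	# consumes the named.run output seen so far so that wait_for_log only
	# matches new lines -- confirm against conf.sh.
	nextpart "ns${nsidx}/named.run" > /dev/null
	# Quoted so an odd zone name cannot be word-split or globbed.
	rndccmd "10.53.0.${nsidx}" loadkeys "${zone}" | sed "s/^/ns${nsidx} /" | cat_i
	wait_for_log 20 "next key event" "ns${nsidx}/named.run" || return 1
}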

# convert private-type records to readable form
showprivate () {
    # Print the private-type (TYPE65534) signing-state records of zone $1,
    # as served by $2, one human-readable line per record.  All arguments
    # are echoed in the banner line.
    echo "-- $* --"
    # +short prints each record as "\# <len> <hex>"; field 3 is the hex rdata.
    dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' |
        while read -r record; do
            # Decode the 5-byte rdata: algorithm (1 byte), key id (2 bytes,
            # big-endian), "remove" flag (1 byte), "complete" flag (1 byte).
	    # shellcheck disable=SC2016
            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
                die "invalid record" unless length($rdata) == 5;
                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
                my $action = "signing";
                $action = "removing" if $remove;
                my $state = " (incomplete)";
                $state = " (complete)" if $complete;
                print ("$action: alg: $alg, key: $key$state\n");' "$record"
        done
}

# check that signing records are marked as complete
checkprivate () {
    # Poll showprivate (same arguments: zone, server, ...) up to ten times,
    # one second apart, until no record is reported as incomplete.  Returns 0
    # as soon as that happens, otherwise logs a debug message and returns 1.
    for i in 1 2 3 4 5 6 7 8 9 10; do
        if ! showprivate "$@" | grep -q incomplete; then
            return 0
        fi
        sleep 1
    done
    echo_d "$1 signing incomplete"
    return 1
}

# check that a zone file is raw format, version 0
israw0 () {
    # Succeed when the first 8 bytes of file $1 decode as two big-endian
    # 32-bit words equal to 2 (raw format) and 0 (version 0).  The perl exit
    # status is the function's return value.
    # shellcheck disable=SC2016
    $PERL -e 'binmode STDIN;
	             read(STDIN, $input, 8);
	             ($style, $version) = unpack("NN", $input);
	             exit 1 if ($style != 2 || $version != 0);' < "$1"
}

# check that a zone file is raw format, version 1
israw1 () {
    # Succeed when the first 8 bytes of file $1 decode as two big-endian
    # 32-bit words equal to 2 (raw format) and 1 (version 1).  The perl exit
    # status is the function's return value.
    # shellcheck disable=SC2016
    $PERL -e 'binmode STDIN;
		     read(STDIN, $input, 8);
                     ($style, $version) = unpack("NN", $input);
                     exit 1 if ($style != 2 || $version != 1);' < "$1"
}

# strip NS and RRSIG NS from input
stripns () {
    # Filter the dig output in file $1: drop NS records and the RRSIG
    # records covering NS (fields 4 and 5 of a presentation-format line),
    # print everything else unchanged.
    awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' < "$1"
}

#
# Ensure there are no two consecutive blank lines.
# Ensure there is a blank line before "Start view" and
# "Negative trust anchors:".
# Ensure there is not a blank line before "Secure roots:".
#
check_secroots_layout () {
	# Validate the blank-line layout of the secroots dump in file $1 (CRs
	# stripped first): never two blank lines in a row, a blank line right
	# before "Start view" and "Negative trust anchors:", and no blank line
	# before "Secure roots:".  The awk exit status is the return value.
	tr -d '\r' < "$1" |
	awk '$0 == "" { if (empty) exit(1); empty=1; next }
	     /Start view/ { if (!empty) exit(1) }
	     /Secure roots:/ { if (empty) exit(1) }
	     /Negative trust anchors:/ { if (!empty) exit(1) }
	     { empty=0 }'
}

# Check that for a query against a validating resolver where the
# authoritative zone is unsigned (insecure delegation), glue is returned
# in the additional section
echo_i "checking that additional glue is returned for unsigned delegation ($n)"
ret=0
$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1
grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

# Check the example. domain

echo_i "checking that zone transfer worked ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
	ret=0
	dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
	dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
	$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
	[ "$ret" -eq 0 ] && break
	sleep 1
done
digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# test AD bit:
#  - dig +adflag asks for authentication (ad in response)
echo_i "checking AD bit asking for validation ($n)"
ret=0
dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# test AD bit:
#  - dig +noadflag
echo_i "checking that AD is not set without +adflag or +dnssec ($n)"
ret=0
dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking for AD in authoritative answer ($n)"
ret=0
dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking positive validation NSEC ($n)"
ret=0
dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
ret=0
grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive validation NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1
   grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
   grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking positive validation NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive validation NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1
   grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
   grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking positive validation OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

SP="[[:space:]]+"

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive validation OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1
   grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1
   grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking positive wildcard validation NSEC ($n)"
ret=0
dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
grep "\\*\\.wild\\.example\\..*RRSIG	NSEC" dig.out.ns4.test$n > /dev/null || ret=1
grep "\\*\\.wild\\.example\\..*NSEC	z\\.example" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1
   grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
   grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking positive wildcard answer NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking positive wildcard answer NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking positive wildcard validation NSEC3 ($n)"
ret=0
dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
   grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
   grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking positive wildcard validation OPTOUT ($n)"
ret=0
dig_with_opts a.wild.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts a.wild.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
   grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
   grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NXDOMAIN NSEC ($n)"
ret=0
dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
dig_with_opts +noauth q.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth q.nsec3.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
dig_with_opts +noauth q.optout.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth q.optout.example. \
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NODATA NSEC ($n)"
ret=0
dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NODATA NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.nsec3.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative validation NODATA OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative wildcard validation NSEC ($n)"
ret=0
dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative wildcard validation NSEC3 ($n)"
ret=0
dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking negative wildcard validation OPTOUT ($n)"
ret=0
dig_with_opts b.wild.optout.example. \
	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
dig_with_opts b.wild.optout.example. \
	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

# Check the insecure.example domain

echo_i "checking 1-server insecurity proof NSEC ($n)"
ret=0
dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1
   grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server insecurity proof NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1
   grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server insecurity proof OPTOUT ($n)"
ret=0
dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1
   grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server negative insecurity proof NSEC ($n)"
ret=0
dig_with_opts q.insecure.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
dig_with_opts q.insecure.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
dig_with_opts q.insecure.optout.example. a @10.53.0.3 \
	> dig.out.ns3.test$n || ret=1
dig_with_opts q.insecure.optout.example. a @10.53.0.4 \
	> dig.out.ns4.test$n || ret=1
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

if [ -x ${DELV} ] ; then
   ret=0
   echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
   delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1
   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
   n=$((n+1))
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status+ret))
fi

echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
698
dig_with_opts r.insecure.example. soa @10.53.0.3 \
699
	> dig.out.ns3.test$n || ret=1
700
dig_with_opts r.insecure.example. soa @10.53.0.4 \
701
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
702
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
703
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
704 705 706
grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
707 708 709
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
712
ret=0
713
dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \
714
	> dig.out.ns3.test$n || ret=1
715
dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \
716
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
717
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
718 719 720 721
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
722 723 724
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
727
ret=0
728
dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \
729
	> dig.out.ns3.test$n || ret=1
730
dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \
731
	> dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
732
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
733 734
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
735 736
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
737 738 739
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Check the secure.example domain

echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
744
ret=0
745
dig_with_opts +noauth a.secure.example. \
746
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
747
dig_with_opts +noauth a.secure.example. \
748
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
749
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
750 751
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
752 753 754
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
757
ret=0
758
dig_with_opts +noauth a.nsec3.example. \
759
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
760
dig_with_opts +noauth a.nsec3.example. \
761
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
762
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
763 764
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
765 766 767
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
770
ret=0
771
dig_with_opts +noauth a.optout.example. \
772
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
773
dig_with_opts +noauth a.optout.example. \
774
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
775
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
776 777
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
778 779 780
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
783
ret=0
784
dig_with_opts +noauth a.secure.nsec3.example. \
785
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
786
dig_with_opts +noauth a.secure.nsec3.example. \
787
	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
Evan Hunt's avatar
Evan Hunt committed
788
digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
789 790
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
791 792 793
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.nsec3.example. \
	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
dig_with_opts +noauth a.nsec3.nsec3.example. \