#
# Copyright (C) 2000-2002, 2004-2017 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
status=0
n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
DELVOPTS="-a ns1/trusted.conf -p 5300"
# convert private-type records to readable form
echo "-- $@ --"
while read record; do
$PERL -e 'my $rdata = pack("H*", @ARGV[0]);
die "invalid record" unless length($rdata) == 5;
my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
my $action = "signing";
$action = "removing" if $remove;
my $state = " (incomplete)";
$state = " (complete)" if $complete;
print ("$action: alg: $alg, key: $key$state\n");' $record
done
}
# check that signing records are marked as complete
ret=0
echo $x | grep incomplete >&- 2>&- && ret=1
[ $ret = 1 ] && {
echo "$x"
echo "I:failed"
}
return $ret
}
# check that a zone file is raw format, version 0
read(STDIN, $input, 8);
($style, $version) = unpack("NN", $input);
exit 1 if ($style != 2 || $version != 0);'
return $?
}
# check that a zone file is raw format, version 1
read(STDIN, $input, 8);
($style, $version) = unpack("NN", $input);
exit 1 if ($style != 2 || $version != 1);'
return $?
}
# strip NS and RRSIG NS from input
}
# Check the example. domain
echo "I:checking that zone transfer worked ($n)"
do
ret=0
[ $ret = 0 ] && break
sleep 1
done
n=`expr $n + 1`
# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
n=`expr $n + 1`
# test AD bit:
# - dig +noadflag
echo "I:checking that AD is not set without +adflag or +dnssec ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
n=`expr $n + 1`
echo "I:checking for AD in authoritative answer ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking postive validation NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking positive validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking positive validation NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking positive validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking positive validation OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking positive wildcard validation NSEC ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking positive wildcard validation NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive wildcard answer NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive wildcard validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking positive wildcard validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NXDOMAIN NSEC ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NODATA NSEC ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NODATA NSEC3 ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative validation NODATA OPTOUT ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative wildcard validation NSEC ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative wildcard validation NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative wildcard validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking negative wildcard validation OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
# Check the insecure.example domain
echo "I:checking 1-server insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server insecurity proof NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server insecurity proof OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server negative insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check the secure.example domain
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
echo "I:checking empty NODATA OPTOUT ($n)"
ret=0
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
# Check the bogus domain
echo "I:checking failed validation ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking failed validation using dns_client ($n)"
n=`expr $n + 1`
fi
# Try validating with a bad trusted key.
# This should fail.
echo "I:checking that validation fails with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that validation fails when key record is missing ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking that validation fails when key record is missing using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:checking that validation succeeds when a revoked key is encountered ($n)"
ret=0
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
n=`expr $n + 1`
fi
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
#check: requery with +CD. pending data should be returned even if it's bogus
10.0.0.1"
#check: requery without +CD. bogus cached data should be rejected.
n=`expr $n + 1`
echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
ret=0
#prime
#check: requery with +CD. pending data should be returned even if it's bogus
expect="example.
10.0.0.1"
#check: requery without +CD. bogus cached data should be rejected.
n=`expr $n + 1`
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check a negative response in insecure.secure.example
echo "I:checking 2-server insecurity proof with a negative answer ($n)"
ret=0
|| ret=1
|| ret=1
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
|| ret=1
|| ret=1
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check that the query for a security root is successful and has ad set
echo "I:checking security root query ($n)"
ret=0
n=`expr $n + 1`
# Check that the setting the cd bit works
echo "I:checking cd bit on a positive answer ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on a negative answer ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking positive validation RSASHA256 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation RSASHA512 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on an insecurity proof ($n)"
ret=0
# Note - these are looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on a negative insecurity proof ($n)"
ret=0
# Note - these are looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that validation of an ANY query works ($n)"
ret=0
# 2 records in the zone, 1 NXT, 3 SIGs
n=`expr $n + 1`
echo "I:checking that validation of a query returning a CNAME works ($n)"
ret=0
# the CNAME & its sig, the TXT and its SIG
n=`expr $n + 1`
echo "I:checking that validation of a query returning a DNAME works ($n)"
ret=0
# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
# It would be nice to test that the CNAME is being synthesized by the
# recursive server and not cached, but I don't know how.
n=`expr $n + 1`
echo "I:checking that validation of an ANY query returning a CNAME works ($n)"
ret=0
# The CNAME, NXT, and their SIGs
n=`expr $n + 1`
echo "I:checking that validation of an ANY query returning a DNAME works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that positive validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that negative validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking privately secure wildcard to nxdomain works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking a non-cachable NODATA works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking a non-cachable NXDOMAIN works ($n)"
ret=0
n=`expr $n + 1`
#
# private.secure.example is served by the same server as its
# grand parent and there is not a secure delegation from secure.example
# to private.secure.example. In addition secure.example is using a
# algorithm which the validation does not support.
#
echo "I:checking dnssec-lookaside-validation works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can load a rfc2535 signed zone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can transfer a rfc2535 signed zone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can sign a zone with out-of-zone records ($n)"
ret=0
(
cd signer
$SIGNER -o example -f example.db example.db > /dev/null 2>&1
n=`expr $n + 1`
echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
ret=0
(
cd signer
$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
awk '/^IQF9LQTLK/ {
printf("%s", $0);
while (!index($0, ")")) {
if (getline <= 0)
break;
printf (" %s", $0);
}
printf("\n");
grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
n=`expr $n + 1`
echo "I:checking NSEC3 signing with empty nonterminals above a delegation ($n)"
ret=0
(
cd signer
$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1
awk '/^IQF9LQTLK/ {
printf("%s", $0);
while (!index($0, ")")) {
if (getline <= 0)
break;
printf (" %s", $0);
}
printf("\n");
grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
n=`expr $n + 1`
echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
ret=0
(
cd signer
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
)
n=`expr $n + 1`
echo "I:checking dnssec-signzone keeps valid signatures from removed keys ($n)"
ret=0
(
cd signer
$SIGNER -D -o example example.db > /dev/null 2>&1
# now switch out key2 for key3 and resign the zone
$SIGNER -D -o example example.db > /dev/null 2>&1
n=`expr $n + 1`
echo "I:checking dnssec-signzone -R purges signatures from removed keys ($n)"
ret=0
(
cd signer
n=`expr $n + 1`
echo "I:checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
ret=0
(
cd signer
# now retire key2 and resign the zone
n=`expr $n + 1`
echo "I:checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
ret=0
(
cd signer
n=`expr $n + 1`
echo "I:checking dnssec-signzone retains unexpired signatures ($n)"
ret=0
(
cd signer
$SIGNER -Sxt -o example example.db > signer.out.1 2>&1
$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1
n=`expr $n + 1`
echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
ret=0
(
cd signer
# remove NSEC-only keys
cat << EOF >> example2.db
sub1.example. IN A 10.53.0.1
ns.sub2.example. IN A 10.53.0.2
EOF
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
(
cd signer
cat << EOF >> example2.db
sub1.example. IN NS sub1.example.
sub1.example. IN A 10.53.0.1
sub2.example. IN NS ns.sub2.example.
ns.sub2.example. IN A 10.53.0.2
EOF
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
n=`expr $n + 1`
echo "I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
ret=0
(
cd signer
cat << EOF >> example2.db
sub1.example. IN A 10.53.0.1
ns.sub2.example. IN A 10.53.0.2
EOF
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
(
cd signer
cat << EOF >> example2.db
sub1.example. IN NS sub1.example.
sub1.example. IN A 10.53.0.1
sub2.example. IN NS ns.sub2.example.
ns.sub2.example. IN A 10.53.0.2
EOF
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
n=`expr $n + 1`
echo "I:checking dnssec-signzone output format ($n)"
ret=0
(
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
echo "I:checking dnssec-signzone output format ($n)"
ret=0
(
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2>&1
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2>&1
echo "I:checking TTLs are capped by dnssec-signzone -M ($n)"
ret=0
(
cd signer
$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1
echo "I:checking dnssec-signzone -N date ($n)"
ret=0
(
cd signer
$SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1
echo "I:checking validated data are not cached longer than originalttl ($n)"
ret=0
n=`expr $n + 1`
# Test that "rndc secroots" is able to dump trusted keys
echo "I:checking rndc secroots ($n)"
ret=0
linecount=`cat named.secroots.test$n | wc -l`
n=`expr $n + 1`
# Check direct query for RRSIG. If we first ask for normal (non RRSIG)
# record, the corresponding RRSIG should be cached and subsequent query
# for RRSIG will be returned with the cached record.
echo "I:checking RRSIG query from cache ($n)"
ret=0
expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
# also check that RA is set
n=`expr $n + 1`
# Check direct query for RRSIG: If it's not cached with other records,
# it should result in an empty response.
echo "I:checking RRSIG query not in cache ($n)"
ret=0
# also check that RA is cleared
n=`expr $n + 1`
#
# RT21868 regression test.
#
echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
ret=0
n=`expr $n + 1`
#
# RT22007 regression test.
#
echo "I:checking optout NSEC3 referral with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive and negative validation with negative trust anchors ($n)"
ret=0
#
# check correct initial behavior
#
ret=0
#
# add negative trust anchors
#
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 20s bogus.example 2>&1 | sed 's/^/I:ns4 /'
lines=`wc -l < rndc.out.ns4.test$n.1`
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta fakenode.secure.example 2>&1 | sed 's/^/I:ns4 /'
lines=`wc -l < rndc.out.ns4.test$n.2`
ret=0
#
# check behavior with NTA's in place
#
echo "I: dumping secroots"
ret=0
echo "I: waiting for NTA rechecks/expirations"
#
# secure.example and badds.example used default nta-duration
# (configured as 10s in ns4/named1.conf), but nta recheck interval
# is configured to 7s, so at t=8 the NTAs for secure.example and
# fakenode.secure.example should both be lifted, but badds.example
# should still be going.
#
ret=0
#
# bogus.example was set to expire in 20s, so at t=11
# it should still be NTA'd, but badds.example used the default
# lifetime of 10s, so it should revert to SERVFAIL now.
#
# check nta table
lines=`wc -l < rndc.out.ns4.test$n._11`
if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to lifetime"; fi
ret=0
#
# at t=21, all the NTAs should have expired.
#
# check correct behavior after bogus.example expiry
# check nta table has been cleaned up now
lines=`wc -l < rndc.out.ns4.test$n.3`
n=`expr $n + 1`
ret=0
echo "I: testing NTA removals ($n)"
grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
ret=0
echo "I: remove non-existent NTA three times"
ret=0
n=`expr $n + 1`
echo "I: testing NTA with bogus lifetimes ($n)"
echo "I:check with no nta lifetime specified"
ret=0
echo "I:check with bad nta lifetime"
ret=0
echo "I:check with too long nta lifetime"
ret=0
#
# check NTA persistence across restarts
#
n=`expr $n + 1`
echo "I: testing NTA persistence across restarts ($n)"
lines=`wc -l < rndc.out.ns4.test$n.1`
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 30s bogus.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 10s badds.example 2>&1 | sed 's/^/I:ns4 /'
lines=`wc -l < rndc.out.ns4.test$n.2`
ret=0
echo "I:killing ns4 with SIGTERM"
cd ns4
cd ..
#
# ns4 has now shutdown. wait until t=14 when badds.example's NTA
# (lifetime=10s) would have expired, and then restart ns4.
#
echo "I:waiting till 14s have passed since NTAs were added before restarting ns4"
if
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4
#
# ns4 should be back up now. The NTA for bogus.example should still be
# valid, whereas badds.example should not have been added during named
# startup (as it had already expired), the fact that it's ignored should
# be logged.
#
lines=`wc -l < rndc.out.ns4.test$n.3`
# cleanup
ret=0
#
# check "regular" attribute in NTA file works as expected at named
# startup.
#
n=`expr $n + 1`
echo "I: testing loading regular attribute from NTA file ($n)"
lines=`wc -l < rndc.out.ns4.test$n.1`
# initially, secure.example. validates with AD=1
echo "I:killing ns4 with SIGTERM"
cd ns4
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the regular attribute and some future timestamp.
#
if
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
# nta-recheck is configured as 7s, so at t=10 the NTAs for
# secure.example. should be lifted as it is not a forced NTA.
echo "I:waiting till 10s have passed after ns4 was restarted"
# secure.example. should now return an AD=1 answer (still validates) as
# the NTA has been lifted.
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
ret=0
#
# check "forced" attribute in NTA file works as expected at named
# startup.
#
n=`expr $n + 1`
echo "I: testing loading forced attribute from NTA file ($n)"
lines=`wc -l < rndc.out.ns4.test$n.1`
# initially, secure.example. validates with AD=1
echo "I:killing ns4 with SIGTERM"
cd ns4
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the forced attribute and some future timestamp.
#
if
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
# nta-recheck is configured as 7s, but even at t=10 the NTAs for
# secure.example. should not be lifted as it is a forced NTA.
echo "I:waiting till 10s have passed after ns4 was restarted"
# secure.example. should now return an AD=0 answer (non-authenticated)
# as the NTA is still there.
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
ret=0
#
# check that NTA lifetime read from file is clamped to 1 week.
#
n=`expr $n + 1`
echo "I: testing loading out of bounds lifetime from NTA file ($n)"
echo "I:killing ns4 with SIGTERM"
cd ns4
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with a lifetime well into the future.
#
if
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4
# dump the NTA to a file
lines=`wc -l < rndc.out.ns4.test$n.1`
# rndc nta outputs localtime, so append the timezone
then
# ntadiff.pl computes $ts_with_zone - ($added + 1week)
# diff from $added(now) + 1week to the clamped NTA lifetime should be
# less than a few seconds (handle daylight saving changes by adding 3600).
else
echo "I: skipped ntadiff test; install PERL module Time::Piece"
fi
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
ret=0
echo "I:completed NTA tests"
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
then
echo "I:running DNSSEC update test"
else
echo "I:The DNSSEC update test requires the Net::DNS library." >&2
fi
n=`expr $n + 1`
echo "I:checking managed key maintenance has not started yet ($n)"
ret=0
n=`expr $n + 1`
# Reconfigure caching server to use "dnssec-validation auto", and repeat
# some of the DNSSEC validation tests to ensure that it works correctly.
echo "I:switching to automatic root key configuration"
sleep 5
echo "I:checking managed key maintenance timer has now started ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that root DS queries validate ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking expired signatures do not validate ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
ret=0
(
cd ns3
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk update-nsec3.example`
(
echo zone update-nsec3.example
echo server 10.53.0.3 5300
echo send
) | $NSUPDATE
)
n=`expr $n + 1`
echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that signing records have been marked as complete ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing' without arguments is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -list' without zone is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -clear' without additional arguments is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -clear all' without zone is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param none' without zone is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
if [ "$salt" = "FFFF" ]; then
break;
fi
echo "I:sleeping ...."
sleep 1
done;
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' works without salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
if [ "$salt" = "-" ]; then
break;
fi
echo "I:sleeping ...."
sleep 1
done;
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
echo "I:sleeping ...."
sleep 1
done;
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
echo "I:sleeping ...."
sleep 1
done;
n=`expr $n + 1`
echo "I:check rndc signing -list output ($n)"
ret=0
ret=1
}
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
ret=1
}
n=`expr $n + 1`
echo "I:clear signing records ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
ret=1
}
n=`expr $n + 1`
echo "I:checking that a insecure zone beneath a cname resolves ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that a secure zone beneath a cname resolves ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking dnskey query with no data still gets put in cache ($n)"
ret=0
myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
sleep 1
then
sleep 1
then
echo "I: cannot confirm query answer still in cache"
ret=1
fi
fi
n=`expr $n + 1`
echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
ret=0
(
echo zone nsec3chain-test
echo server 10.53.0.2 5300
echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
echo send
) | $NSUPDATE
do
then
break;
fi
echo "I:sleeping ...."
sleep 3
done;
do
sleep 1
done
n=`expr $n + 1`
echo "I:check dnssec-dsfromkey from stdin ($n)"
ret=0
# make canonical
awk '{
for (i=1;i<7;i++) printf("%s ", $i);
for (i=7;i<=NF;i++) printf("%s", $i);
printf("\n");
awk '{
for (i=1;i<7;i++) printf("%s ", $i);
for (i=7;i<=NF;i++) printf("%s", $i);
printf("\n");
n=`expr $n + 1`
# Intentionally strip ".key" from keyfile name to ensure the error message
# includes it anyway to avoid confusion (RT #21731)
echo "I:check dnssec-dsfromkey error message when keyfile is not found ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing soon-to-expire RRSIGs without a replacement private key ($n)"
ret=0
$DIG +noall +answer +dnssec +nottlid -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
# there must be a signature here
n=`expr $n + 1`
echo "I:testing new records are signed with 'no-resign' ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add new.nosign.example 300 in txt "hi there"
echo send
) | $NSUPDATE
sleep 1
n=`expr $n + 1`
echo "I:testing expiring records aren't resigned with 'no-resign' ($n)"
ret=0
# the NS RRSIG should not be changed
n=`expr $n + 1`
echo "I:testing updates fail with no private key ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add fail.nosign.example 300 in txt "reject me"
echo send
n=`expr $n + 1`
echo "I:testing legacy upper case signer name validation ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing that we lower case signer name ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing TTL is capped at RRSIG expiry time ($n)"
ret=0
(
cd ns3
done
$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
done
done
n=`expr $n + 1`
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
ret=0
sleep 1
done
done
n=`expr $n + 1`
sleep 3
echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
ret=0
done
done
n=`expr $n + 1`
echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
ret=0
done
done
n=`expr $n + 1`
sleep 3
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0
done
done
n=`expr $n + 1`
sleep 3
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)"
ret=0
done
done
n=`expr $n + 1`
echo "I:testing DNSKEY lookup via CNAME ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing KEY lookup at CNAME (present) ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing KEY lookup at CNAME (not present) ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing DNSKEY lookup via DNAME ($n)"
ret=0
n=`expr $n + 1`
echo "I:testing KEY lookup via DNAME ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that named doesn't loop when all private keys are not available ($n)"
ret=0
n=`expr $n + 1`
echo "I:check against against missing nearest provable proof ($n)"
n=`expr $n + 1`
echo "I:check that key id are logged when dumping the cache ($n)"
ret=0
sleep 1
n=`expr $n + 1`
echo "I:check KEYDATA records are printed in human readable form in key zone ($n)"
# force the managed-keys zone to be written out
do
ret=0
if test -f ns4/managed-keys.bind
then
break
fi
ret=1
sleep 1
done
n=`expr $n + 1`
echo "I:check dig's +nocrypto flag ($n)"
ret=0
n=`expr $n + 1`
echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
ret=0
cnt=0
while :
do
sleep 1
done
sigs=`grep RRSIG dig.out.ns3.test$n | wc -l`
n=`expr $n + 1`
echo "I:check that increasing the sig-validity-interval resigning triggers re-signing"
ret=0
do
sleep 1
done
n=`expr $n + 1`
sleep 3
echo "I:check insecure delegation between static-stub zones ($n)"
ret=0
n=`expr $n + 1`
echo "I:check the acceptance of seconds as inception and expiration times ($n)"
ret=0
in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
n=`expr $n + 1`
echo "I:check the correct resigning time is reported in zonestatus ($n)"
ret=0
# next resign node: secure.example/DNSKEY
# next resign time: Thu, 24 Apr 2014 10:38:16 GMT
time=`awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
/next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g'`
$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1
n=`expr $n + 1`
echo "I:check that split rrsigs are handled ($n)"
ret=0
awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
n=`expr $n + 1`
echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
ret=0
alg=1
until test $alg = 256
do
size=
2) # Diffie Helman
continue;;
157|160|161|162|163|164|165) # private - non standard
continue;;
esac
then
continue
fi
if test -z "$key1"
then
ret=1
continue
fi
ret=1
echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
}
done
n=`expr $n + 1`
echo "I:check that CDS records are signed using KSK by dnssec-signzone ($n)"
ret=0
n=`expr $n + 1`
#
# Test for +sigchase with a null set of trusted keys.
#
then
echo "I:Skipping 'dig +sigchase' tests"
n=`expr $n + 1`
else
echo "I:checking that 'dig +sigchase' doesn't loop with future inception ($n)"
ret=0
pid=$!
sleep 1
wait $pid
grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
fi
echo "I:checking that positive unknown NSEC3 hash algorithm does validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that CDS records are signed using KSK by with dnssec-auto ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that a lone non matching CDS record is rejected ($n)"
ret=0
(
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
sed "s/^/update add /"
echo send
n=`expr $n + 1`
echo "I:check that CDS records are signed using KSK when added by nsupdate ($n)"
ret=0
(
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
echo send
$DSFROMKEY -C -f - -T 1 cds-update.secure |
sed "s/^/update add /"
echo send
) | $NSUPDATE
n=`expr $n + 1`
echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that a non matching CDS record is accepted with a matching CDS record ($n)"
ret=0
(
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
echo send
$DSFROMKEY -C -f - -T 1 cds-update.secure |
sed "s/^/update add /"
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
sed "s/^/update add /"
echo send
) | $NSUPDATE
n=`expr $n + 1`
echo "I:checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that unknown DNSKEY algorithm validates as insecure ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that a lone non matching CDNSKEY record is rejected ($n)"
ret=0
(
echo server 10.53.0.2 5300
echo send
echo send
n=`expr $n + 1`
echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo "I:check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
ret=0
(
echo server 10.53.0.2 5300
echo send
) | $NSUPDATE
n=`expr $n + 1`
echo "I:checking initialization with a revoked managed key ($n)"
ret=0
sleep 3
n=`expr $n + 1`
echo "I:check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
ret=0
(
echo server 10.53.0.2 5300
echo send
) | $NSUPDATE
n=`expr $n + 1`
echo "I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
ret=0
# generate signed zone with MX and AAAA records at apex.
(
cd signer
echo > remove.db.signed
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
)
}
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer
$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
)
}
n=`expr $n + 1`
echo "I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
ret=0
# generate signed zone with MX and AAAA records at apex.
(
cd signer
echo > remove.db.signed
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
)
}
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
)
}
n=`expr $n + 1`
echo "I:check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that trust-anchor-telemetry queries are logged ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
ret=0
n=`expr $n + 1`
echo "I:exit status: $status"