tests.sh revision 5095e72ac3c0f1e16c246b56e8277614571bf132
#
# Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.83 2011/03/21 01:02:39 marka Exp $
status=0
n=1
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
echo "I:checking that zone transfer worked ($n)"
ret=0
n=`expr $n + 1`
# test AD bit:
# - dig +adflag asks for authentication (ad in response)
echo "I:checking AD bit asking for validation ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
n=`expr $n + 1`
echo "I:checking for AD in authoritative answer ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive wildcard validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive wildcard validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive wildcard validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking negative validation NODATA NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NODATA NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation NODATA OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative wildcard validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative wildcard validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative wildcard validation OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check the insecure.example domain
echo "I:checking 1-server insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server insecurity proof NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server insecurity proof OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check the secure.example domain
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
ret=0
n=`expr $n + 1`
echo "I:checking empty NODATA OPTOUT ($n)"
ret=0
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
# Check the bogus domain
echo "I:checking failed validation ($n)"
ret=0
n=`expr $n + 1`
# Try validating with a bad trusted key.
# This should fail.
echo "I:checking that validation fails with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that validation fails when key record is missing ($n)"
ret=0
n=`expr $n + 1`
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
#check: requery with +CD. pending data should be returned even if it's bogus
10.0.0.1"
#check: requery without +CD. bogus cached data should be rejected.
n=`expr $n + 1`
echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
ret=0
#prime
#check: requery with +CD. pending data should be returned even if it's bogus
expect="example.
10.0.0.1"
#check: requery without +CD. bogus cached data should be rejected.
n=`expr $n + 1`
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check a negative response in insecure.secure.example
echo "I:checking 2-server insecurity proof with a negative answer ($n)"
ret=0
|| ret=1
|| ret=1
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
ret=0
|| ret=1
|| ret=1
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
# Check that the query for a security root is successful and has ad set
echo "I:checking security root query ($n)"
ret=0
n=`expr $n + 1`
# Check that the setting the cd bit works
echo "I:checking cd bit on a positive answer ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on a negative answer ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking positive validation RSASHA256 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation RSASHA512 NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation with KSK-only DNSKEY signature ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking cd bit on a query that should fail ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on an insecurity proof ($n)"
ret=0
# Note - these are looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking cd bit on a negative insecurity proof ($n)"
ret=0
# Note - these are looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that validation of an ANY query works ($n)"
ret=0
# 2 records in the zone, 1 NXT, 3 SIGs
n=`expr $n + 1`
echo "I:checking that validation of a query returning a CNAME works ($n)"
ret=0
# the CNAME & its sig, the TXT and its SIG
n=`expr $n + 1`
echo "I:checking that validation of a query returning a DNAME works ($n)"
ret=0
# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
# It would be nice to test that the CNAME is being synthesized by the
# recursive server and not cached, but I don't know how.
n=`expr $n + 1`
echo "I:checking that validation of an ANY query returning a CNAME works ($n)"
ret=0
# The CNAME, NXT, and their SIGs
n=`expr $n + 1`
echo "I:checking that validation of an ANY query returning a DNAME works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that positive validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that negative validation in a privately secure zone works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking privately secure wildcard to nxdomain works ($n)"
ret=0
# Note - this is looking for failure, hence the &&
n=`expr $n + 1`
echo "I:checking a non-cachable NODATA works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking a non-cachable NXDOMAIN works ($n)"
ret=0
n=`expr $n + 1`
#
# private.secure.example is served by the same server as its
# grand parent and there is not a secure delegation from secure.example
# to private.secure.example. In addition secure.example is using a
# algorithm which the validation does not support.
#
echo "I:checking dnssec-lookaside-validation works ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can load a rfc2535 signed zone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can transfer a rfc2535 signed zone ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that we can sign a zone with out-of-zone records ($n)"
ret=0
(
cd signer
$SIGNER -o example -f example.db example.db > /dev/null 2>&1
n=`expr $n + 1`
echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
ret=0
(
cd signer
$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
awk '/^IQF9LQTLK/ {
printf("%s ", $0);
getline;
printf ("%s ", $0);
getline;
print;
grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
n=`expr $n + 1`
echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
ret=0
(
cd signer
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
)
n=`expr $n + 1`
echo "I:checking validated data are not cached longer than originalttl ($n)"
ret=0
n=`expr $n + 1`
# Test that "rndc secroots" is able to dump trusted keys
echo "I:checking rndc secroots ($n)"
ret=0
linecount=`cat ns4/named.secroots | wc -l`
n=`expr $n + 1`
# Check direct query for RRSIG. If we first ask for normal (non RRSIG)
# record, the corresponding RRSIG should be cached and subsequent query
# for RRSIG will be returned with the cached record.
echo "I:checking RRSIG query from cache ($n)"
ret=0
expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
n=`expr $n + 1`
# Check direct query for RRSIG: If it's not cached with other records,
# it should result in an empty response.
echo "I:checking RRSIG query not in cache ($n)"
ret=0
n=`expr $n + 1`
#
# RT21868 regression test.
#
echo "I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
ret=0
n=`expr $n + 1`
#
# RT22007 regression test.
#
echo "I:checking optout NSEC3 referral with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)"
ret=0
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
ret=0
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
then
echo "I:running DNSSEC update test"
else
echo "I:The DNSSEC update test requires the Net::DNS library." >&2
fi
# Reconfigure caching server to use "dnssec-validation auto", and repeat
# some of the DNSSEC validation tests to ensure that it works correctly.
echo "I:switching to automatic root key configuration"
sleep 5
echo "I:checking positive validation NSEC ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation NSEC3 ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking positive validation OPTOUT ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking negative validation ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
ret=0
(
cd ns3
kskname=`$KEYGEN -q -3 -r ../random.data -fk update-nsec3.example`
(
echo zone update-nsec3.example
echo server 10.53.0.3 5300
echo send
) | $NSUPDATE
)
n=`expr $n + 1`
echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that a insecure zone beneath a cname resolves ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking that a secure zone beneath a cname resolves ($n)"
ret=0
n=`expr $n + 1`
echo "I:checking dnskey query with no data still gets put in cache ($n)"
ret=0
myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
sleep 1
then
sleep 1
then
echo "I: cannot confirm query answer still in cache"
ret=1
fi
fi
n=`expr $n + 1`
echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
n=`expr $n + 1`
echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
ret=0
(
echo zone nsec3chain-test
echo server 10.53.0.2 5300
grep DNSKEY ns2/Knsec3chain-test.*.key |
echo update add nsec3chain-test. 0 nsec3param 1 0 1 -
echo send
) | $NSUPDATE
do
then
break;
fi
echo "I:sleeping ...."
sleep 3
done;
sleep 3
n=`expr $n + 1`
echo "I:exit status: $status"
exit $status