tests.sh revision 832ab79d1f8bc4edf638780b306888da30ac3a1e
# Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# convert private-type records to readable form
 $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
 while read record; do
 die "invalid record" unless length($rdata) == 5;
 my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
 my $action = "signing";
 $action = "removing" if $remove;
 my $state = " (incomplete)";
 $state = " (complete)" if $complete;
 print ("$action: alg: $alg, key: $key$state\n");' $record
# check that signing records are marked as complete
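# Flag the check as failed when any signing record is still "incomplete".
# Output is sent to /dev/null instead of closing the descriptors (>&- 2>&-):
# with stdout closed, a grep that finds a match can fail to write it and exit
# with an error status, so "&& ret=1" would never run and this check could
# not fail.
echo $x | grep incomplete > /dev/null 2>&1 && ret=1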
# check that a zone file is raw format, version 0
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
 exit 1 if ($style != 2 || $version != 0);'
# check that a zone file is raw format, version 1
 read(STDIN, $input, 8);
 ($style, $version) = unpack("NN", $input);
 exit 1 if ($style != 2 || $version != 1);'
# strip NS and RRSIG NS from input
 awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1
# Check the example. domain
echo "I:checking that zone transfer worked ($n)"
 $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
 $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
49c1e0d18d6f8b894ce2e6b485ef666599a83c21Mark Andrews$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
# Check the insecure.example domain
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# Check the secure.example domain
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
if [ -x ${DELV} ] ; then
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# Check the insecure.secure.example domain (insecurity proof)
n=`expr $n + 1`
# Check a negative response in insecure.secure.example
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
# private.secure.example is served by the same server as its
# grand parent and there is not a secure delegation from secure.example
# to private.secure.example. In addition secure.example is using a
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
cd signer
$SIGNER -o example -f example.db example.db > /dev/null 2>&1
n=`expr $n + 1`
cd signer
$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
n=`expr $n + 1`
cd signer
$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1
grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
n=`expr $n + 1`
cd signer
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
n=`expr $n + 1`
cd signer
$SIGNER -D -o example example.db > /dev/null 2>&1
$SIGNER -D -o example example.db > /dev/null 2>&1
n=`expr $n + 1`
cd signer
n=`expr $n + 1`
cd signer
n=`expr $n + 1`
cd signer
n=`expr $n + 1`
cd signer
$SIGNER -Sxt -o example example.db > signer.out.1 2>&1
$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1
n=`expr $n + 1`
cd signer
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
cd signer
$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
n=`expr $n + 1`
cd signer
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
cd signer
$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1
n=`expr $n + 1`
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null 2>&1
$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
cd signer
$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2>&1
$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2>&1
cd signer
$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1
cd signer
$SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1
n=`expr $n + 1`
n=`expr $n + 1`
expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 20s bogus.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta fakenode.secure.example 2>&1 | sed 's/^/I:ns4 /'
echo "I: waiting for NTA rechecks/expirations"
# secure.example and badds.example used default nta-duration
# (configured as 10s in ns4/named1.conf), but nta recheck interval
# is configured to 7s, so at t=8 the NTAs for secure.example and
# fakenode.secure.example should both be lifted, but badds.example
# bogus.example was set to expire in 20s, so at t=11
# it should still be NTA'd, but badds.example used the default
if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to lifetime"; fi
# check correct behavior after bogus.example expiry
n=`expr $n + 1`
n=`expr $n + 1`
grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
n=`expr $n + 1`
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 30s bogus.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 10s badds.example 2>&1 | sed 's/^/I:ns4 /'
cd ns4
# ns4 has now shutdown. wait until t=14 when badds.example's NTA
# ns4 should be back up now. The NTA for bogus.example should still be
# valid, whereas badds.example should not have been added during named
n=`expr $n + 1`
# initially, secure.example. validates with AD=1
cd ns4
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the regular attribute and some future timestamp.
# secure.example. should be lifted as it is not a forced NTA.
# secure.example. should now return an AD=1 answer (still validates) as
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
n=`expr $n + 1`
# initially, secure.example. validates with AD=1
cd ns4
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the forced attribute and some future timestamp.
# secure.example. should not be lifted as it is a forced NTA.
# secure.example. should now return an AD=0 answer (non-authenticated)
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
n=`expr $n + 1`
cd ns4
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with a lifetime well into the future.
# ntadiff.pl computes $ts_with_zone - ($added + 1week)
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
cd ns3
echo zone update-nsec3.example
echo server 10.53.0.3 5300
echo send
n=`expr $n + 1`
echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
n=`expr $n + 1`
echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
ret=1
n=`expr $n + 1`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all update-nsec3.example > /dev/null || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list update-nsec3.example 2>&1 > signing.out
ret=1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
echo zone nsec3chain-test
echo server 10.53.0.2 5300
echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
echo send
n=`expr $n + 1`
n=`expr $n + 1`
$DIG +noall +answer +dnssec +nottlid -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
n=`expr $n + 1`
echo zone nosign.example
echo server 10.53.0.3 5300
echo send
n=`expr $n + 1`
n=`expr $n + 1`
echo zone nosign.example
echo server 10.53.0.3 5300
echo send
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
cd ns3
$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
n=`expr $n + 1`
# next resign node: secure.example/DNSKEY
/next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g'`
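# Succeed only when $time sorts strictly between $inception and $expire
# (string comparison); otherwise mark the test as failed.
# The three values are passed to perl as arguments instead of being spliced
# into the program text, so a value containing a quote, backslash, "$" or "@"
# is compared as data rather than parsed as Perl code.
$PERL -e 'my ($t, $exp, $inc) = @ARGV; exit(0) if ($t lt $exp && $t gt $inc); exit(1);' "$time" "$expire" "$inception" || ret=1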
n=`expr $n + 1`
awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
n=`expr $n + 1`
size=
if test -z "$key1"
ret=1
n=`expr $n + 1`
n=`expr $n + 1`
n=`expr $n + 1`
pid=$!
wait $pid
grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
n=`expr $n + 1`
n=`expr $n + 1`
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
echo send
n=`expr $n + 1`
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
echo send
$DSFROMKEY -C -f - -T 1 cds-update.secure |
echo send
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
n=`expr $n + 1`
echo zone cds-update.secure
echo server 10.53.0.2 5300
echo update delete cds-update.secure CDS
echo send
$DSFROMKEY -C -f - -T 1 cds-update.secure |
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
echo send
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
n=`expr $n + 1`
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo server 10.53.0.2 5300
echo send
echo send
n=`expr $n + 1`
echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
n=`expr $n + 1`
echo server 10.53.0.2 5300
echo send
n=`expr $n + 1`
n=`expr $n + 1`
echo server 10.53.0.2 5300
echo send
n=`expr $n + 1`
cd signer
echo > remove.db.signed
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
cd signer
$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
n=`expr $n + 1`
cd signer
echo > remove.db.signed
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
cd signer
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
n=`expr $n + 1`
echo "I:exit status: $status"
exit $status