system/inline/tests.sh

4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt#!/bin/sh
b68401ccae92ee0e92c699a10d28ce44badbc4aaTinderbox User#
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# Copyright (C) 2011-2014, 2016-2018  Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews#
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# License, v. 2.0. If a copy of the MPL was not distributed with this
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# file, You can obtain one at http://mozilla.org/MPL/2.0/.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan HuntSYSTEMTESTTOP=..
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt. $SYSTEMTESTTOP/conf.sh
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan HuntDIGOPTS="+tcp +dnssec"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    test "$nsec3param" = "1 0 0 -" && break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt# Loop until retransfer3 has been transferred.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt        ans=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt        $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ans=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    [ $ans = 0 ] && break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param retransfer3.`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    test "$nsec3param" = "1 0 0 -" && break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking that rrsigs are replaced with ksk only ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG @10.53.0.3 -p 5300 axfr nsec3. |
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking that the zone is signed on initial transfer ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    ret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    keys=`grep '^Done signing' signing.out.test$n | wc -l`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    [ $keys = 2 ] || ret=1
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt    if [ $ret = 0 ]; then break; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking expired signatures are updated on load ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntexpiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt[ "$expiry" = "20110101000000" ] && ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of private type record via 'rndc signing -clear' ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntkeys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor key in $keys; do
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} bits > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    break;  # We only want to remove 1 record for now.
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone 2>&1 |sed 's/^/I:ns3 /'
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 10
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    ans=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt        num=`grep "Done signing with" signing.out.test$n | wc -l`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    [ $num = 1 ] && break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt[ $ans = 0 ] || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking private type was properly signed ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all bits > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 10
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    ans=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list bits > signing.out.test$n 2>&1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    grep "No signing records found" signing.out.test$n > /dev/null || ans=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    [ $ans = 1 ] || break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdone
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt[ $ans = 0 ] || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking negative private type response was properly signed ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntsleep 1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntstatus=`expr $status + $ret`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$NSUPDATE << EOF
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntzone bits
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntserver 10.53.0.2 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add added.bits 0 A 1.2.3.4
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewssend
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan HuntEOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the record is added on the hidden master ($n)"
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that update has been transfered and has been signed ($n)"
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
2cf0fe3b8092f64f8f68ae3693fe2e73e90ad1a4Mark Andrews    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    if [ $ret = 0 ]; then break; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
2cf0fe3b8092f64f8f68ae3693fe2e73e90ad1a4Mark Andrewsdone
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$NSUPDATE << EOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewszone bits
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.2 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewssend
35c014cb1d151983c455ad1ac99093591cbda97aMark AndrewsEOF
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntecho "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntfor i in 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews    if [ $ret = 0 ]; then break; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the zone is signed on initial transfer, noixfr ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdo
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list noixfr > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    keys=`grep '^Done signing' signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    [ $keys = 2 ] || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews    if [ $ret = 0 ]; then break; fi
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews    sleep 1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsdone
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsstatus=`expr $status + $ret`
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews$NSUPDATE << EOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewszone noixfr
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.4 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add added.noixfr 0 A 1.2.3.4
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewssend
35c014cb1d151983c455ad1ac99093591cbda97aMark AndrewsEOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsn=`expr $n + 1`
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking that the record is added on the hidden master, noixfr ($n)"
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsret=0
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsgrep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsstatus=`expr $status + $ret`
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrews
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsn=`expr $n + 1`
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking that update has been transfered and has been signed, noixfr ($n)"
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    if [ $ret = 0 ]; then break; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$NSUPDATE << EOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewszone noixfr
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsserver 10.53.0.4 5300
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsupdate add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewssend
35c014cb1d151983c455ad1ac99093591cbda97aMark AndrewsEOF
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsn=`expr $n + 1`
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    if [ $ret = 0 ]; then break; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking that the master zone signed on initial load ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9 10
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master  > signing.out.test$n 2>&1
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt    keys=`grep '^Done signing' signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    [ $keys = 2 ] || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    if [ $ret = 0 ]; then break; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewskeys=`sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor key in $keys; do
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear ${key} master > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    break;  # We only want to remove 1 record for now.
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone 2>&1 |sed 's/^/I:ns3 /'
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsfor i in 1 2 3 4 5 6 7 8 9
02ceed9f83f82f0de35c7bd73c27a33d4f0fe9cbMark Andrewsdo
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    ans=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews        num=`grep "Done signing with" signing.out.test$n | wc -l`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    [ $num = 1 ] && break
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    sleep 1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsdone
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews[ $ans = 0 ] || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Huntn=`expr $n + 1`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsecho "I:checking private type was properly signed (master) ($n)"
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsret=0
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsgrep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsif [ $ret != 0 ]; then echo "I:failed"; fi
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsstatus=`expr $status + $ret`
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrewsn=`expr $n + 1`
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntecho "I:checking removal of remaining private type record via 'rndc signing -clear' (master) ($n)"
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntret=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all master > /dev/null || ret=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntfor i in 1 2 3 4 5 6 7 8 9 10
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Huntdo
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    ans=0
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list master > signing.out.test$n 2>&1
35c014cb1d151983c455ad1ac99093591cbda97aMark Andrews    grep "No signing records found" signing.out.test$n > /dev/null || ans=1
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    [ $ans = 1 ] || break
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    sleep 1
done
[ $ans = 0 ] || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding of record to unsigned master ($n)"
ret=0
cp ns3/master2.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
    grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding record fails when SOA serial not changed ($n)"
ret=0
echo "c A 10.0.0.3" >> ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload || ret=1
sleep 1
$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check adding record works after updating SOA serial ($n)"
ret=0
cp ns3/master3.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
    grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check the added record was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns6.test$n
grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the dynamic master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic > signing.out.test$n 2>&1
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys = 2 ] || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking master zone that was updated while offline is correct ($n)"
ret=0
serial=`$DIG $DIGOPTS +short @10.53.0.3 -p 5300 updated SOA | awk '{print $3}'`
# serial should have changed
[ "$serial" = "2000042407" ] && ret=1
# e.updated should exist and should be signed
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.updated A > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
# updated.db.signed.jnl should exist, should have the source serial
# of master2.db, and should show a minimal diff: no more than 8 added
# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
# (SOA/RRSIG, NSEC/RRSIG).
serial=`$JOURNALPRINT ns3/updated.db.signed.jnl | head -1 | awk '{print $4}'`
[ "$serial" = "2000042408" ] || ret=1
diffsize=`$JOURNALPRINT ns3/updated.db.signed.jnl | wc -l`
[ "$diffsize" -le 13 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking adding of record to unsigned master using UPDATE ($n)"
ret=0

[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }

$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 5300
update add e.dynamic 0 A 1.2.3.4
send
EOF

[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }

for i in 1 2 3 4 5 6 7 8 9 10
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.4 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone bits
server 10.53.0.3 5300
update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone noixfr
server 10.53.0.3 5300
update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
send
EOF

n=`expr $n + 1`
echo "I:checking forwarded update on hidden master, noixfr ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking forwarded update on signed zone, noixfr ($n)"
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

ret=0
n=`expr $n + 1`
echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:setup broken"; fi
status=`expr $status + $ret`
cp ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -r $RANDFILE bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -r $RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
    ret=0
    $DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
    grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
    if [ $ret = 0 ]; then break; fi
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone no change ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || { echo "I: rndc freeze dynamic failed" ; sed 's/^/I:/' < freeze.test$n ; ret=1;  }
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || { echo "I: rndc thaw dynamic failed" ; ret=1; }
sleep 1
grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null ||  ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`


n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of dynamic inline zone ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw dynamic > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze1.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze1.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# allow 1 second so that file time stamps change
sleep 1

n=`expr $n + 1`
echo "I:checking rndc freeze/thaw of server ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze > freeze.test$n 2>&1 || ret=1
sleep 1
awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
     { print; }
     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
mv ns3/dynamic.db.new ns3/dynamic.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw > thaw.test$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check added record freeze2.dynamic ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
    ret=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 freeze2.dynamic TXT > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
    test $ret = 0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc reload allows reuse of inline-signing zones ($n)"
ret=0
{ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload 2>&1 || ret=1 ; } |
sed 's/^/I:ns3 /'
grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc sync removes both signed and unsigned journals ($n)"
ret=0
[ -f ns3/dynamic.db.jnl ] || ret=1
[ -f ns3/dynamic.db.signed.jnl ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync -clean dynamic 2>&1 || ret=1
[ -f ns3/dynamic.db.jnl ] && ret=1
[ -f ns3/dynamic.db.signed.jnl ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

$NSUPDATE << EOF
zone retransfer
server 10.53.0.2 5300
update add added.retransfer 0 A 1.2.3.4
send

EOF

n=`expr $n + 1`
echo "I:checking that the retransfer record is added on the hidden master ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.2 -p 5300 added.retransfer A > dig.out.ns2.test$n
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking that the change has not been transfered due to notify ($n)"
ret=0
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
if [ $ans != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc retransfer of a inline slave zone works ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 added.retransfer A > dig.out.ns3.test$n
    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
[ $ans = 1 ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
    grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
    grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer3 2>&1 || ret=1
for i in 0 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 nonexist.retransfer3 A > dig.out.ns3.post.test$n
    grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
    grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
    [ $ans = 0 ] && break
    sleep 1
done
[ $ans = 1 ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NOTE: The test below should be considered fragile.  More details can be found
# in the comment inside ns7/named.conf.
n=`expr $n + 1`
echo "I:check rndc retransfer of a inline nsec3 slave does not trigger an infinite loop ($n)"
ret=0
zone=nsec3-loop
# Add slave zone using rndc
$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 addzone $zone \
    '{ type slave; masters { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
# Wait until slave zone is fully signed using NSEC
for i in 1 2 3 4 5 6 7 8 9 0
do
    ret=1
    $RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 signing -list $zone > signing.out.test$n 2>&1
    keys=`grep '^Done signing' signing.out.test$n | wc -l`
    [ $keys -eq 3 ] && ret=0 && break
    sleep 1
done
# Switch slave zone to NSEC3
$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
# Wait until slave zone is fully signed using NSEC3
for i in 1 2 3 4 5 6 7 8 9 0
do
    ret=1
    nsec3param=`$DIG +short @10.53.0.7 -p 5300 nsec3param $zone`
    test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
    sleep 1
done
# Attempt to retransfer the slave zone from master
$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 retransfer $zone
# Check whether the signer managed to fully sign the retransferred zone by
# waiting for a specific SOA serial number to appear in the logs; if this
# specific SOA serial number does not appear in the logs, it means the signer
# has either ran into an infinite loop or crashed; note that we check the logs
# instead of sending SOA queries to the signer as these may influence its
# behavior in a way which may prevent the desired scenario from being
# reproduced (see comment in ns7/named.conf)
for i in 1 2 3 4 5 6 7 8 9 0
do
    ret=1
    grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
    [ $? -eq 0 ] && ret=0 && break
    sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)"
ret=0
$PERL ../stop.pl . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:update SOA record while stopped"
cp ns3/master4.db.in ns3/master.db
rm ns3/master.db.jnl

n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9
do
    ans=0
    $DIG $DIGOPTS @10.53.0.3 -p 5300 master SOA > dig.out.ns3.test$n
    grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
    [ $ans = 1 ] || break
    sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:test add/del zone combinations ($n)"
ret=0
for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 addzone test-$zone \
    '{ type master; file "bits.db.in"; allow-transfer { any; }; };'
$DIG $DIGOPTS @10.53.0.2 -p 5300 test-$zone SOA > dig.out.ns2.$zone.test$n
grep "status: NOERROR," dig.out.ns2.$zone.test$n  > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone test-$zone \
    '{ type slave; masters { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 delzone test-$zone > /dev/null 2>&1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 dnskey externalkey > dig.out.ns3.test$n
for alg in 3 7 12 13
do
   [ $alg = 3 -a ! -f checkdsa ] && continue;
   [ $alg = 12 -a ! -f checkgost ] && continue;
   [ $alg = 13 -a ! -f checkecdsa ] && continue;

   case $alg in
   3) echo "I: checking DSA";;
   7) echo "I: checking NSEC3RSASHA1";;
   12) echo "I: checking GOST";;
   13) echo "I: checking ECDSAP256SHA256";;
   *) echo "I: checking $alg";;
   esac

   dnskeys=`grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l`
   rrsigs=`grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l`
   test ${dnskeys:-0} -eq 3 || { echo "I: failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
   test ${rrsigs:-0} -eq 2 || { echo "I: failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing imported key won't overwrite a private key ($n)"
ret=0
key=`$KEYGEN -r $RANDFILE -q import.example`
cp ${key}.key import.key
# import should fail
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
rm -f ${key}.private
# private key removed; import should now succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
# now that it's an external key, re-import should succeed
$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing updating inline secure serial via 'rndc signing -serial' ($n)"
ret=0
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.n3.pre.test$n
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
sleep 1
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.ns3.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
[ ${newserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
ret=0
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.n3.pre.test$n
oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
sleep 1
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.ns3.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

#
# Freezing only operates on the raw zone.
#
n=`expr $n + 1`
echo "I:testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
ret=0
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.n3.pre.test$n
oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze nsec3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw nsec3 > /dev/null 2>&1
sleep 1
$DIG nsec3. SOA -p 5300 @10.53.0.3 > dig.out.ns3.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
[ ${newserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing updating dynamic serial via 'rndc signing -serial' ($n)"
ret=0
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.pre.test$n
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
sleep 1
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.post.test$n`
[ ${newserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
ret=0
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.pre.test$n
oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
sleep 1
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.post.test$n`
[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
ret=0
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.pre.test$n
oldserial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n`
newserial=`$PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n`
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze bits > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 signing -serial ${newserial:-0} bits > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw bits > /dev/null 2>&1
sleep 1
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.post.test$n
serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.post.test$n`
[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing that inline signing works with inactive ZSK and active KSK ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk  > dig.out.ns3.pre.test$n || ret=1
soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n`

$NSUPDATE << EOF
server 10.53.0.2 5300
update add added.inactivezsk 0 IN TXT added record
send
EOF

for i in 1 2 3 4 5 6 7 8 9 10
do
    $DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk  > dig.out.ns3.post.test$n || ret=1
    soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
    test ${soa1:-0} -ne ${soa2:-0} && break
    sleep 1
done
test ${soa1:-0} -ne ${soa2:-0} || ret=1

$DIG $DIGOPTS @10.53.0.3 -p 5300 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:testing that inline signing works with inactive KSK and active ZSK ($n)"
ret=0

$DIG $DIGOPTS @10.53.0.3 -p 5300 axfr inactiveksk > dig.out.ns3.test$n

#
#  check that DNSKEY is signed with ZSK for algorithm 7
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }'
zskid=`awk "${awk}" dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }'
kskid=`awk "${awk}" dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1

#
#  check that DNSKEY is signed with KSK for algorithm 8
#
awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }'
zskid=`awk "${awk}" dig.out.ns3.test$n |
       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }'
kskid=`awk "${awk}" dig.out.ns3.test$n |
       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check that zonestatus reports 'type: master' for a inline master zone ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 zonestatus master > rndc.out.ns3.test$n
grep "type: master" rndc.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi

status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check that zonestatus reports 'type: slave' for a inline slave zone ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 zonestatus bits > rndc.out.ns3.test$n
grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1