system/autosign/tests.sh

*00b67f09SDavid van Moolenbroek#!/bin/sh
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroek# Copyright (C) 2009-2014  Internet Systems Consortium, Inc. ("ISC")
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroek# Permission to use, copy, modify, and/or distribute this software for any
*00b67f09SDavid van Moolenbroek# purpose with or without fee is hereby granted, provided that the above
*00b67f09SDavid van Moolenbroek# copyright notice and this permission notice appear in all copies.
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroek# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
*00b67f09SDavid van Moolenbroek# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
*00b67f09SDavid van Moolenbroek# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
*00b67f09SDavid van Moolenbroek# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
*00b67f09SDavid van Moolenbroek# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
*00b67f09SDavid van Moolenbroek# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
*00b67f09SDavid van Moolenbroek# PERFORMANCE OF THIS SOFTWARE.
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van MoolenbroekSYSTEMTESTTOP=..
*00b67f09SDavid van Moolenbroek. $SYSTEMTESTTOP/conf.sh
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekstatus=0
*00b67f09SDavid van Moolenbroekn=0
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van MoolenbroekDIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# convert private-type records to readable form
*00b67f09SDavid van Moolenbroekshowprivate () {
*00b67f09SDavid van Moolenbroek    echo "-- $@ --"
*00b67f09SDavid van Moolenbroek    $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
*00b67f09SDavid van Moolenbroek        while read record; do
*00b67f09SDavid van Moolenbroek            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
*00b67f09SDavid van Moolenbroek                die "invalid record" unless length($rdata) == 5;
*00b67f09SDavid van Moolenbroek                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
*00b67f09SDavid van Moolenbroek                my $action = "signing";
*00b67f09SDavid van Moolenbroek                $action = "removing" if $remove;
*00b67f09SDavid van Moolenbroek                my $state = " (incomplete)";
*00b67f09SDavid van Moolenbroek                $state = " (complete)" if $complete;
*00b67f09SDavid van Moolenbroek                print ("$action: alg: $alg, key: $key$state\n");' $record
*00b67f09SDavid van Moolenbroek        done
*00b67f09SDavid van Moolenbroek}
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# check that signing records are marked as complete
*00b67f09SDavid van Moolenbroekcheckprivate () {
*00b67f09SDavid van Moolenbroek    _ret=0
*00b67f09SDavid van Moolenbroek    expected="${3:-0}"
*00b67f09SDavid van Moolenbroek    x=`showprivate "$@"`
*00b67f09SDavid van Moolenbroek    echo $x | grep incomplete > /dev/null && _ret=1
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek    if [ $_ret = $expected ]; then
*00b67f09SDavid van Moolenbroek        return 0
*00b67f09SDavid van Moolenbroek    fi
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek    echo "$x"
*00b67f09SDavid van Moolenbroek    echo "I:failed"
*00b67f09SDavid van Moolenbroek    return 1
*00b67f09SDavid van Moolenbroek}
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroek#  The NSEC record at the apex of the zone and its RRSIG records are
*00b67f09SDavid van Moolenbroek#  added as part of the last step in signing a zone.  We wait for the
*00b67f09SDavid van Moolenbroek#  NSEC records to appear before proceeding with a counter to prevent
*00b67f09SDavid van Moolenbroek#  infinite loops if there is a error.
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroekecho "I:waiting for autosign changes to take effect"
*00b67f09SDavid van Moolenbroeki=0
*00b67f09SDavid van Moolenbroekwhile [ $i -lt 30 ]
*00b67f09SDavid van Moolenbroekdo
*00b67f09SDavid van Moolenbroek	ret=0
*00b67f09SDavid van Moolenbroek	#
*00b67f09SDavid van Moolenbroek	# Wait for the root DNSKEY RRset to be fully signed.
*00b67f09SDavid van Moolenbroek	#
*00b67f09SDavid van Moolenbroek	$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroek	grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	for z in .
*00b67f09SDavid van Moolenbroek	do
*00b67f09SDavid van Moolenbroek		$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroek		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	done
*00b67f09SDavid van Moolenbroek	for z in bar. example. private.secure.example.
*00b67f09SDavid van Moolenbroek	do
*00b67f09SDavid van Moolenbroek		$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	done
*00b67f09SDavid van Moolenbroek	for z in bar. example.
*00b67f09SDavid van Moolenbroek	do
*00b67f09SDavid van Moolenbroek		$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	done
*00b67f09SDavid van Moolenbroek	i=`expr $i + 1`
*00b67f09SDavid van Moolenbroek	if [ $ret = 0 ]; then break; fi
*00b67f09SDavid van Moolenbroek	echo "I:waiting ... ($i)"
*00b67f09SDavid van Moolenbroek	sleep 2
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek# these commands should result in an empty file:
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC3->NSEC conversion prerequisites ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:converting zones from nsec to nsec3"
*00b67f09SDavid van Moolenbroek$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
*00b67f09SDavid van Moolenbroekserver 10.53.0.3 5300
*00b67f09SDavid van Moolenbroekzone nsec3.nsec3.example.
*00b67f09SDavid van Moolenbroekupdate add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone optout.nsec3.example.
*00b67f09SDavid van Moolenbroekupdate add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone nsec3.example.
*00b67f09SDavid van Moolenbroekupdate add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone autonsec3.example.
*00b67f09SDavid van Moolenbroekupdate add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone nsec3.optout.example.
*00b67f09SDavid van Moolenbroekupdate add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone optout.optout.example.
*00b67f09SDavid van Moolenbroekupdate add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van Moolenbroekzone optout.example.
*00b67f09SDavid van Moolenbroekupdate add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van MoolenbroekEND
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# try to convert nsec.example; this should fail due to non-NSEC key
*00b67f09SDavid van Moolenbroekecho "I:preset nsec3param in unsigned zone via nsupdate ($n)"
*00b67f09SDavid van Moolenbroek$NSUPDATE > nsupdate.out 2>&1 <<END
*00b67f09SDavid van Moolenbroekserver 10.53.0.3 5300
*00b67f09SDavid van Moolenbroekzone nsec.example.
*00b67f09SDavid van Moolenbroekupdate add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van MoolenbroekEND
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking for nsec3param in unsigned zone ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking for nsec3param signing record ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
*00b67f09SDavid van Moolenbroekgrep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:resetting nsec3param via rndc signing ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -clear all autonsec3.example. > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
*00b67f09SDavid van Moolenbroekfor i in 0 1 2 3 4 5 6 7 8 9; do
*00b67f09SDavid van Moolenbroek	ret=0
*00b67f09SDavid van Moolenbroek	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list autonsec3.example. > signing.out.test$n 2>&1
*00b67f09SDavid van Moolenbroek	grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	num=`grep "Pending " signing.out.test$n | wc -l`
*00b67f09SDavid van Moolenbroek	[ $num -eq 1 ] || ret=1
*00b67f09SDavid van Moolenbroek	[ $ret -eq 0 ] && break
*00b67f09SDavid van Moolenbroek	echo "I:waiting ... ($i)"
*00b67f09SDavid van Moolenbroek	sleep 2
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:signing preset nsec3 zone"
*00b67f09SDavid van Moolenbroekzsk=`cat autozsk.key`
*00b67f09SDavid van Moolenbroekksk=`cat autoksk.key`
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -P now -A now $zsk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -P now -A now $ksk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys autonsec3.example. 2>&1 | sed 's/^/I:ns3 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for changes to take effect"
*00b67f09SDavid van Moolenbroeksleep 3
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:converting zone from nsec3 to nsec"
*00b67f09SDavid van Moolenbroek$NSUPDATE > /dev/null 2>&1 << END	|| status=1
*00b67f09SDavid van Moolenbroekserver 10.53.0.3 5300
*00b67f09SDavid van Moolenbroekzone nsec3-to-nsec.example.
*00b67f09SDavid van Moolenbroekupdate delete nsec3-to-nsec.example. NSEC3PARAM
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van MoolenbroekEND
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for change to take effect"
*00b67f09SDavid van Moolenbroeksleep 3
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that expired RRSIGs from missing key are not deleted ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekmissing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
*00b67f09SDavid van Moolenbroek$JOURNALPRINT ns3/nozsk.example.db.jnl | \
*00b67f09SDavid van Moolenbroek   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that expired RRSIGs from inactive key are not deleted ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekinactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
*00b67f09SDavid van Moolenbroek$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
*00b67f09SDavid van Moolenbroek   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekloglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
*00b67f09SDavid van Moolenbroek[ "$loglines" -eq 1 ] || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekloglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
*00b67f09SDavid van Moolenbroek[ "$loglines" -eq 1 ] || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
*00b67f09SDavid van Moolenbroek# signed zones to be dumped to their zone files
*00b67f09SDavid van Moolenbroekecho "I:dumping zone files"
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sync 2>&1 | sed 's/^/I:ns1 /'
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sync 2>&1 | sed 's/^/I:ns2 /'
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync 2>&1 | sed 's/^/I:ns3 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking expired signatures were updated ($n)"
*00b67f09SDavid van Moolenbroekfor i in 1 2 3 4 5 6 7 8 9
*00b67f09SDavid van Moolenbroekdo
*00b67f09SDavid van Moolenbroek	ret=0
*00b67f09SDavid van Moolenbroek	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek	$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek	$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n > digcomp.out.test$n || ret=1
*00b67f09SDavid van Moolenbroek	grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek	[ $ret = 0 ] && break
*00b67f09SDavid van Moolenbroek	sleep 1
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then cat digcomp.out.test$n; echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC->NSEC3 conversion succeeded ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking direct NSEC3 autosigning succeeded ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
*00b67f09SDavid van Moolenbroek[ -s  dig.out.ns3.ok.test$n ] || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekgrep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC3->NSEC conversion succeeded ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek# this command should result in an empty file:
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
*00b67f09SDavid van Moolenbroeksleep 2
*00b67f09SDavid van Moolenbroek# this command should result in an empty file:
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking TTLs of imported DNSKEYs (no default) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek[ -s dig.out.ns3.test$n ] || ret=1
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=0} $2 != 300 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking TTLs of imported DNSKEYs (with default) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek[ -s dig.out.ns3.test$n ] || ret=1
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=0} $2 != 60 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking TTLs of imported DNSKEYs (mismatched) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek[ -s dig.out.ns3.test$n ] || ret=1
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek[ -s dig.out.ns3.test$n ] || ret=1
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking positive validation NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking positive validation NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking positive validation OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NXDOMAIN NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NXDOMAIN NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NXDOMAIN OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NODATA NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NODATA NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking negative validation NODATA OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Check the insecure.example domain
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking 1-server insecurity proof NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking 1-server negative insecurity proof NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Check the secure.example domain
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC/NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.secure.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.optout.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking empty NODATA OPTOUT ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth empty.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth empty.optout.example. \
*00b67f09SDavid van Moolenbroek	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Check the insecure.secure.example domain (insecurity proof)
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking 2-server insecurity proof ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
*00b67f09SDavid van Moolenbroek	> dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
*00b67f09SDavid van Moolenbroek	> dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Check a negative response in insecure.secure.example
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking 2-server insecurity proof with a negative answer ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
*00b67f09SDavid van Moolenbroek	|| ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
*00b67f09SDavid van Moolenbroek	|| ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking security root query ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking positive validation RSASHA256 NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking positive validation RSASHA512 NSEC ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that positive validation in a privately secure zone works ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that negative validation in a privately secure zone works ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking privately secure to nxdomain works ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns2.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
*00b67f09SDavid van Moolenbroek	> dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
*00b67f09SDavid van Moolenbroek# Note - this is looking for failure, hence the &&
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# Try validating with a revoked trusted key.
*00b67f09SDavid van Moolenbroek# This should fail.
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that validation returns insecure due to revoked trusted key ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that revoked key is present ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`cat rev.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that revoked key self-signs ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`cat rev.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking for unpublished key ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking for activated but unpublished key ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < activate-now-publish-1day.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that standby key does not sign records ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that deactivated key does not sign records  ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking insertion of public-only key ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
*00b67f09SDavid van Moolenbroekfile="ns1/`cat nopriv.key`.key"
*00b67f09SDavid van Moolenbroekkeydata=`grep DNSKEY $file`
*00b67f09SDavid van Moolenbroek$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
*00b67f09SDavid van Moolenbroekserver 10.53.0.1 5300
*00b67f09SDavid van Moolenbroekzone .
*00b67f09SDavid van Moolenbroekttl 3600
*00b67f09SDavid van Moolenbroekupdate add $keydata
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van MoolenbroekEND
*00b67f09SDavid van Moolenbroeksleep 1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking key deletion ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking secure-to-insecure transition, nsupdate ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
*00b67f09SDavid van Moolenbroekserver 10.53.0.3 5300
*00b67f09SDavid van Moolenbroekzone secure-to-insecure.example
*00b67f09SDavid van Moolenbroekupdate delete secure-to-insecure.example dnskey
*00b67f09SDavid van Moolenbroeksend
*00b67f09SDavid van MoolenbroekEND
*00b67f09SDavid van Moolenbroekfor i in 0 1 2 3 4 5 6 7 8 9; do
*00b67f09SDavid van Moolenbroek	ret=0
*00b67f09SDavid van Moolenbroek	$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek	egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroek	[ $ret -eq 0 ] && break
*00b67f09SDavid van Moolenbroek	echo "I:waiting ... ($i)"
*00b67f09SDavid van Moolenbroek	sleep 2
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking secure-to-insecure transition, scheduled ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekfile="ns3/`cat del1.key`.key"
*00b67f09SDavid van Moolenbroek$SETTIME -I now -D now $file > /dev/null
*00b67f09SDavid van Moolenbroekfile="ns3/`cat del2.key`.key"
*00b67f09SDavid van Moolenbroek$SETTIME -I now -D now $file > /dev/null
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
*00b67f09SDavid van Moolenbroekfor i in 0 1 2 3 4 5 6 7 8 9; do
*00b67f09SDavid van Moolenbroek	ret=0
*00b67f09SDavid van Moolenbroek	$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek	egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroek	[ $ret -eq 0 ] && break
*00b67f09SDavid van Moolenbroek	echo "I:waiting ... ($i)"
*00b67f09SDavid van Moolenbroek	sleep 2
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that serial number and RRSIGs are both updated (rt21045) ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekoldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
*00b67f09SDavid van Moolenbroekoldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$KEYGEN -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign prepub.example 2>&1 | sed 's/^/I:ns1 /'
*00b67f09SDavid van Moolenbroeknewserial=$oldserial
*00b67f09SDavid van Moolenbroektry=0
*00b67f09SDavid van Moolenbroekwhile [ $oldserial -eq $newserial -a $try -lt 42 ]
*00b67f09SDavid van Moolenbroekdo
*00b67f09SDavid van Moolenbroek	newserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
*00b67f09SDavid van Moolenbroek		 awk '$0 !~ /SOA/ {print $3}'`
*00b67f09SDavid van Moolenbroek	sleep 1
*00b67f09SDavid van Moolenbroek	try=`expr $try + 1`
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroeknewinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
*00b67f09SDavid van Moolenbroek#echo "$oldserial : $newserial"
*00b67f09SDavid van Moolenbroek#echo "$oldinception : $newinception"
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek[ "$oldserial" = "$newserial" ] && ret=1
*00b67f09SDavid van Moolenbroek[ "$oldinception" = "$newinception" ] && ret=1
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:preparing to test key change corner cases"
*00b67f09SDavid van Moolenbroekecho "I:removing a private key file"
*00b67f09SDavid van Moolenbroekfile="ns1/`cat vanishing.key`.private"
*00b67f09SDavid van Moolenbroekrm -f $file
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:preparing ZSK roll"
*00b67f09SDavid van Moolenbroekstarttime=`$PERL -e 'print time(), "\n";'`
*00b67f09SDavid van Moolenbroekoldfile=`cat active.key`
*00b67f09SDavid van Moolenbroekoldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
*00b67f09SDavid van Moolenbroeknewfile=`cat standby.key`
*00b67f09SDavid van Moolenbroeknewid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
*00b67f09SDavid van Moolenbroek$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
*00b67f09SDavid van Moolenbroek$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# note previous zone serial number
*00b67f09SDavid van Moolenbroekoldserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . 2>&1 | sed 's/^/I:ns1 /'
*00b67f09SDavid van Moolenbroeksleep 4
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:revoking key to duplicated key ID"
*00b67f09SDavid van Moolenbroek$SETTIME -R now -K ns2 Kbar.+005+30676.key > /dev/null
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 loadkeys bar. 2>&1 | sed 's/^/I:ns2 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for changes to take effect"
*00b67f09SDavid van Moolenbroeksleep 5
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking former standby key is now active ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking former standby key has only signed incrementally ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking that signing records have been marked as complete ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekcheckprivate . 10.53.0.1 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate bar 10.53.0.2 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate example 10.53.0.2 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate private.secure.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate nsec3.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate nsec3.nsec3.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate nsec3.optout.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate nsec.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate oldsigs.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate optout.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate optout.nsec3.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate optout.optout.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate prepub.example 10.53.0.3 1 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate rsasha256.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate rsasha512.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate secure.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate secure.nsec3.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate secure.optout.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate secure-to-insecure2.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate secure-to-insecure.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate ttl1.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate ttl2.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate ttl3.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekcheckprivate ttl4.example 10.53.0.3 || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:forcing full sign"
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for change to take effect"
*00b67f09SDavid van Moolenbroeksleep 5
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking former standby key has now signed fully ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking SOA serial number has been incremented ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroeknewserial=`$DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}'`
*00b67f09SDavid van Moolenbroek[ "$newserial" != "$oldserial" ] || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking delayed key publication/activation ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekzsk=`cat delayzsk.key`
*00b67f09SDavid van Moolenbroekksk=`cat delayksk.key`
*00b67f09SDavid van Moolenbroek# publication and activation times should be unset
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -pA -pP $zsk | grep -v UNSET > /dev/null 2>&1 && ret=1
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -pA -pP $ksk | grep -v UNSET > /dev/null 2>&1 && ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek# DNSKEY not expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking scheduled key publication, not activation ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -P now+3s -A none $zsk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -P now+3s -A none $ksk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys delay.example. 2>&1 | sed 's/^/I:ns2 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for changes to take effect"
*00b67f09SDavid van Moolenbroeksleep 5
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek# DNSKEY expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
*00b67f09SDavid van Moolenbroek# RRSIG not expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking scheduled key activation ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -A now+3s $zsk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$SETTIME -K ns3 -A now+3s $ksk > /dev/null 2>&1
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys delay.example. 2>&1 | sed 's/^/I:ns2 /'
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:waiting for changes to take effect"
*00b67f09SDavid van Moolenbroeksleep 5
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
*00b67f09SDavid van Moolenbroek# DNSKEY expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
*00b67f09SDavid van Moolenbroek# RRSIG expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || ret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
*00b67f09SDavid van Moolenbroek# A expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
*00b67f09SDavid van Moolenbroek# RRSIG expected:
*00b67f09SDavid van Moolenbroekawk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking former active key was removed ($n)"
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroek# Work out how long we need to sleep. Allow 4 seconds for the records
*00b67f09SDavid van Moolenbroek# to be removed.
*00b67f09SDavid van Moolenbroek#
*00b67f09SDavid van Moolenbroeknow=`$PERL -e 'print time(), "\n";'`
*00b67f09SDavid van Moolenbroeksleep=`expr $starttime + 29 - $now`
*00b67f09SDavid van Moolenbroekcase $sleep in
*00b67f09SDavid van Moolenbroek-*|0);;
*00b67f09SDavid van Moolenbroek*) echo "I:waiting for timer to have activated"; sleep $sleep;;
*00b67f09SDavid van Moolenbroekesac
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking private key file removal caused no immediate harm ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking revoked key with duplicate key ID (failure expected) ($n)"
*00b67f09SDavid van Moolenbroeklret=0
*00b67f09SDavid van Moolenbroekid=30676
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
*00b67f09SDavid van Moolenbroekgrep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
*00b67f09SDavid van Moolenbroekgrep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $lret != 0 ]; then echo "I:not yet implemented"; fi
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking key event timers are always set ($n)"
*00b67f09SDavid van Moolenbroek# this is a regression test for a bug in which the next key event could
*00b67f09SDavid van Moolenbroek# be scheduled for the present moment, and then never fire.  check for
*00b67f09SDavid van Moolenbroek# visible evidence of this error in the logs:
*00b67f09SDavid van Moolenbroekawk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroek# this confirms that key events are never scheduled more than
*00b67f09SDavid van Moolenbroek# 'dnssec-loadkeys-interval' minutes in the future, and that the
*00b67f09SDavid van Moolenbroek# event scheduled is within 10 seconds of expected interval.
*00b67f09SDavid van Moolenbroekcheck_interval () {
*00b67f09SDavid van Moolenbroek        awk '/next key event/ {print $2 ":" $9}' $1/named.run |
*00b67f09SDavid van Moolenbroek	sed 's/\.//g' |
*00b67f09SDavid van Moolenbroek            awk -F: '
*00b67f09SDavid van Moolenbroek                     {
*00b67f09SDavid van Moolenbroek                       x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
*00b67f09SDavid van Moolenbroek		       # abs(x) < 1000 ms treat as 'now'
*00b67f09SDavid van Moolenbroek		       if (x < 1000 && x > -1000)
*00b67f09SDavid van Moolenbroek                         x = 0;
*00b67f09SDavid van Moolenbroek		       # convert to seconds
*00b67f09SDavid van Moolenbroek		       x = x/1000;
*00b67f09SDavid van Moolenbroek		       # handle end of day roll over
*00b67f09SDavid van Moolenbroek		       if (x < 0)
*00b67f09SDavid van Moolenbroek			 x = x + 24*3600;
*00b67f09SDavid van Moolenbroek		       # handle log timestamp being a few milliseconds later
*00b67f09SDavid van Moolenbroek                       if (x != int(x))
*00b67f09SDavid van Moolenbroek                         x = int(x + 1);
*00b67f09SDavid van Moolenbroek                       if (int(x) > int(interval))
*00b67f09SDavid van Moolenbroek                         exit (1);
*00b67f09SDavid van Moolenbroek                     }
*00b67f09SDavid van Moolenbroek                     END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
*00b67f09SDavid van Moolenbroek        return $?
*00b67f09SDavid van Moolenbroek}
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking automatic key reloading interval ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekcheck_interval ns1 3600 || ret=1
*00b67f09SDavid van Moolenbroekcheck_interval ns2 1800 || ret=1
*00b67f09SDavid van Moolenbroekcheck_interval ns3 600 || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:checking for key reloading loops ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek# every key event should schedule a successor, so these should be equal
*00b67f09SDavid van Moolenbroekrekey_calls=`grep "reconfiguring zone keys" ns*/named.run | wc -l`
*00b67f09SDavid van Moolenbroekrekey_events=`grep "next key event" ns*/named.run | wc -l`
*00b67f09SDavid van Moolenbroek[ "$rekey_calls" = "$rekey_events" ] || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:forcing full sign with unreadable keys ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroekchmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
*00b67f09SDavid van Moolenbroek$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
*00b67f09SDavid van Moolenbroekgrep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:test turning on auto-dnssec during reconfig ($n)"
*00b67f09SDavid van Moolenbroekret=0
*00b67f09SDavid van Moolenbroek# first create a zone that doesn't have auto-dnssec
*00b67f09SDavid van Moolenbroekrm -f ns3/*.nzf
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /'
*00b67f09SDavid van Moolenbroekrekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
*00b67f09SDavid van Moolenbroek[ "$rekey_calls" -eq 0 ] || ret=1
*00b67f09SDavid van Moolenbroek# ...then we add auto-dnssec and reconfigure
*00b67f09SDavid van Moolenbroeknzf=`ls ns3/*.nzf`
*00b67f09SDavid van Moolenbroekecho 'zone reconf.example { type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' > $nzf
*00b67f09SDavid van Moolenbroek$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
*00b67f09SDavid van Moolenbroekfor i in 0 1 2 3 4 5 6 7 8 9; do
*00b67f09SDavid van Moolenbroek    lret=0
*00b67f09SDavid van Moolenbroek    rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
*00b67f09SDavid van Moolenbroek    [ "$rekey_calls" -gt 0 ] || lret=1
*00b67f09SDavid van Moolenbroek    if [ "$lret" -eq 0 ]; then break; fi
*00b67f09SDavid van Moolenbroek    echo "I:waiting ... ($i)"
*00b67f09SDavid van Moolenbroek    sleep 1
*00b67f09SDavid van Moolenbroekdone
*00b67f09SDavid van Moolenbroekn=`expr $n + 1`
*00b67f09SDavid van Moolenbroekif [ "$lret" != 0 ]; then ret=$lret; fi
*00b67f09SDavid van Moolenbroekif [ $ret != 0 ]; then echo "I:failed"; fi
*00b67f09SDavid van Moolenbroekstatus=`expr $status + $ret`
*00b67f09SDavid van Moolenbroek
*00b67f09SDavid van Moolenbroekecho "I:exit status: $status"
*00b67f09SDavid van Moolenbroekexit $status