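#!/bin/sh
#
# Copyright (C) 2010-2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id: tests.sh,v 1.5 2011/01/11 23:47:12 tbox Exp

# System test for static-stub zones.  It checks the sample configurations
# with $CHECKCONF, then queries the server at 10.53.0.2 (port 5300) with $DIG
# and greps each answer for the expected marker.  Every check bumps the
# counter "n", sets "ret" to 1 on any failure and adds it to "status"; the
# script exits with the number of failed checks.
#
# $CHECKCONF, $DIG, $RNDC and $PERL are expected to come from conf.sh.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

# reload_and_log ADDRESS TAG
#
# Ask the server at ADDRESS (control port 9953) to reload, print whatever
# rndc says prefixed with "I:TAG ", and return rndc's own exit status.
#
# The output is captured before it is handed to sed: in "rndc ... | sed" the
# pipeline status is sed's, so a failed reload would go unnoticed and the
# checks that depend on the new configuration could pass without it ever
# having been loaded.
reload_and_log() {
    reload_out=`$RNDC -c ../common/rndc.conf -s "$1" -p 9953 reload 2>&1`
    reload_rc=$?
    if [ -n "$reload_out" ]; then
        printf '%s\n' "$reload_out" | sed "s/^/I:$2 /"
    fi
    return $reload_rc
}

# Configurations that the checker must accept.
for conf in conf/good*.conf
do
    n=`expr $n + 1`
    echo "I:checking that $conf is accepted ($n)"
    ret=0
    $CHECKCONF "$conf" || ret=1
    if [ $ret != 0 ]; then echo "I:failed"; fi
    status=`expr $status + $ret`
done

# Configurations that the checker must reject: a zero exit status is the
# failure here.
for conf in conf/bad*.conf
do
    n=`expr $n + 1`
    echo "I:checking that $conf is rejected ($n)"
    ret=0
    $CHECKCONF "$conf" >/dev/null && ret=1
    if [ $ret != 0 ]; then echo "I:failed"; fi
    status=`expr $status + $ret`
done

# A zone transfer of the static-stub zone must not be served.
n=`expr $n + 1`
echo "I:trying an axfr that should be denied (NOTAUTH) ($n)"
ret=0
$DIG +tcp data.example. @10.53.0.2 axfr -p 5300 > dig.out.ns2.test$n || ret=1
grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# NOTE(review): this message is identical to the one of the next check,
# which queries data.example.org.; this one queries data.example. -- confirm
# the intended wording.
n=`expr $n + 1`
echo "I:non recursive query for a static-stub zone with server name should be rejected ($n)"
ret=0
$DIG +tcp +norec data.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n \
    || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:non recursive query for a static-stub zone with server name should be rejected ($n)"
ret=0
$DIG +tcp +norec data.example.org. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n \
    || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# Same query, but sent from source address 10.53.0.7 (-b); the expected
# answer is REFUSED.
n=`expr $n + 1`
echo "I:allow-query ACL ($n)"
ret=0
$DIG +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 -p 5300 \
    > dig.out.ns2.test$n || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# With recursion the data must be found; the whole answer is compared with
# the known-good output.
n=`expr $n + 1`
echo "I:look for static-stub zone data with recursion (should be found) ($n)"
ret=0
$DIG +tcp +noauth data.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl knowngood.dig.out.rec dig.out.ns2.test$n || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking authoritative NS is ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) NS for .example.
$DIG +tcp example. @10.53.0.2 ns -p 5300 > dig.out.ns2.test1.$n || ret=1
grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1
# but static-stub configuration should still be used
$DIG +tcp data2.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test2.$n || ret=1
grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking queries for a child zone of the static-stub zone ($n)"
ret=0
# prime the delegation to a child zone of the static-stub zone
$DIG +tcp data1.sub.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test1.$n || ret=1
grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1
# temporarily disable the parent zone
sed 's/EXAMPLE_ZONE_PLACEHOLDER//' ns3/named.conf.in > ns3/named.conf
# if this reload fails the parent zone is still served and the queries below
# would succeed without exercising the cached delegation
reload_and_log 10.53.0.3 ns3 || ret=1
# query the child zone again.  this should directly go to the child and
# succeed.
# NOTE(review): a dig failure in any iteration latches ret=1 even when a
# later retry finds the data -- confirm that this is intended.
for i in 0 1 2 3 4 5 6 7 8 9
do
    $DIG +tcp data2.sub.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test2.$n || ret=1
    grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break
    sleep 1
done
grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1
# re-enable the parent
sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' ns3/named.conf.in > ns3/named.conf
reload_and_log 10.53.0.3 ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:checking authoritative NS addresses are ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) A/AAAA RR for .example.
$DIG +tcp example. @10.53.0.2 a -p 5300 > dig.out.ns2.test1.$n || ret=1
grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1
$DIG +tcp example. @10.53.0.2 aaaa -p 5300 > dig.out.ns2.test2.$n || ret=1
grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1
# reload the server.  this will flush the ADB.  a failed reload would leave
# the ADB untouched, so it counts as a failure of this check.
reload_and_log 10.53.0.2 ns2 || ret=1
# ask another RR that would require delegation.  static-stub configuration
# should still be used instead of the authoritative A/AAAA cached above.
$DIG +tcp data3.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test3.$n || ret=1
grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# the authoritative server of the query domain (example.com) is the apex
# name of the static-stub zone (example).  in this case the static-stub
# configuration must be ignored and cached information must be used.
n=`expr $n + 1`
echo "I:checking NS of static-stub is ignored when referenced from other domain ($n)"
ret=0
$DIG +tcp data.example.com. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# check server-names
n=`expr $n + 1`
echo "I:checking static-stub with a server-name ($n)"
ret=0
$DIG +tcp data.example.org. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# The counter is bumped before the IPv6 probe, so the numbering of the later
# checks is the same whether this one runs or is skipped.
n=`expr $n + 1`
# Note: for a short term workaround we use ::1, assuming it's configured and
# usable for our tests.  We should eventually use the test ULA and available
# checks introduced in change 2916.
if $PERL ../testsock6.pl ::1 2> /dev/null
then
    echo "I:checking IPv6 static-stub address ($n)"
    ret=0
    $DIG +tcp data.example.info. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
    grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1
    if [ $ret != 0 ]; then echo "I:failed"; fi
    status=`expr $status + $ret`
else
    echo "I:SKIPPED: checking IPv6 static-stub address ($n)"
fi

# DNSSEC: besides the data itself, the answer header must carry the "ad"
# flag (matched as "ad; QUERY" in dig's flags line).
n=`expr $n + 1`
echo "I:look for static-stub zone data with DNSSEC validation ($n)"
ret=0
$DIG +tcp +dnssec data4.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:look for a child of static-stub zone data with DNSSEC validation ($n)"
ret=0
$DIG +tcp +dnssec data3.sub.example. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

# reload with a different name server: existing zone shouldn't be reused.
n=`expr $n + 1`
echo "I:checking server reload with a different static-stub config ($n)"
ret=0
sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' ns2/named.conf.in > ns2/named.conf
reload_and_log 10.53.0.2 ns2 || ret=1
$DIG +tcp data2.example.org. @10.53.0.2 txt -p 5300 > dig.out.ns2.test$n || ret=1
grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
exit $status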