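# #-- ede.test --#
# Checks that the resolver listening on 127.0.0.1:$UNBOUND_PORT attaches the
# expected Extended DNS Error (EDE, EDNS option code 15) to answers for names
# that fail DNSSEC validation. Each case saves the dig output to a file and
# greps it for the EDE info-code in either of two renderings:
#   "OPT=15: 00 NN"  - the option shown as raw hex (NN = info-code);
#                      presumably from dig builds that do not decode it
#   "EDE: N"         - the option decoded by dig
# Info-codes checked: 7 Signature Expired, 8 Signature Not Yet Valid,
# 9 DNSKEY Missing, 10 RRSIGs Missing, 12 NSEC Missing.
# On the first mismatch the captured dig output is printed and the script
# exits 1, so a resolver that stops reporting why validation failed is caught.

# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test

# Stop with a clear message when the port was not handed over (presumably via
# .tpkg.var.test); with an empty value every dig call below would be malformed
# and the test would fail later with a misleading EDE message.
: "${UNBOUND_PORT:?UNBOUND_PORT is not set}"

# Query the resolver under test and save dig's output.
# Arguments: $1 - output file, remaining - dig query arguments
query() {
	local out=$1
	shift
	dig @127.0.0.1 -p "$UNBOUND_PORT" "$@" > "$out"
}

# Print a failure message followed by the captured dig output, then fail.
# Arguments: $1 - message, $2 - file holding the dig output
fail() {
	echo "$1"
	cat "$2"
	exit 1
}

# Fail unless the saved answer carries the given EDE info-code.
# Arguments: $1 - file, $2 - info-code as two hex digits, $3 - info-code in
#            decimal, $4 - failure message
expect_ede() {
	grep -q -e "OPT=15: 00 $2" -e "EDE: $3" "$1" || fail "$4" "$1"
}

# Fail unless the saved answer mentions NXDOMAIN.
# Arguments: $1 - file, $2 - failure message
expect_nxdomain() {
	grep -q -e "NXDOMAIN" "$1" || fail "$2" "$1"
}

# DNSSEC failure: Signature Expired or DNSKEY Missing (depending on the servfail configuration)
# NOTE(review): servfail.txt is written but never inspected, so this case
# asserts nothing; add an expect_ede call once the expected code is settled.
query servfail.txt servfail.nl

# DNSSEC failure: key not incepted
query sig_notyetincepted.txt notyetincepted.dnssec-failures.test. TXT +dnssec
expect_ede sig_notyetincepted.txt 08 8 \
	"Signature not yet valid does not return EDE Signature Not Yet Valid"

# DNSSEC failure: key expired
query sig_expired.txt expired.dnssec-failures.test. TXT +dnssec
expect_ede sig_expired.txt 07 7 \
	"Expired signature does not return EDE Signature expired"

# DNSSEC failure: missing rrsigs
# (the messages from here on used to say "Expired signature", copied from the
# case above; they now name the failure that is actually being tested)
query missingrrsigs.txt missingrrsigs.dnssec-failures.test. TXT +dnssec
expect_ede missingrrsigs.txt 0a 10 \
	"Missing RRSIGs does not return EDE RRSIGs missing"

# signed zone with DNSKEY missing
query dnskey-failure.txt dnskey-failures.test
expect_ede dnskey-failure.txt 09 9 \
	"Missing DNSKEY does not return EDE DNSKEY missing"

# signed zone with RRSIGs missing
query rrsig-failure.txt rrsig-failures.test
expect_ede rrsig-failure.txt 0a 10 \
	"Missing RRSIGs in signed zone does not return EDE RRSIGs missing"

# signed zone with NSEC missing
query nsec-failure.txt abc.nsec-failures.test
expect_ede nsec-failure.txt 0c 12 \
	"Missing NSEC does not return EDE NSEC missing"

# EDE with CD bit set (EDE but no SERVFAIL)
# +cd sets the Checking Disabled bit: the answer is expected to keep its
# NXDOMAIN status instead of becoming SERVFAIL, while the EDE still tells the
# client that validation would have failed.
query cd_bit_ede.txt cd.dnskey-failures.test +cd
expect_nxdomain cd_bit_ede.txt "No NXDOMAIN reply with CD bit set"
expect_ede cd_bit_ede.txt 09 9 "No EDE attached with CD bit set"

# EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
# Same test as above; the repeat is meant to be answered from the cache,
# although nothing here verifies that it was.
query cd_bit_ede.txt cd.dnskey-failures.test +cd
expect_nxdomain cd_bit_ede.txt \
	"No NXDOMAIN reply with CD bit set for cached answer"
expect_ede cd_bit_ede.txt 09 9 \
	"No EDE attached with CD bit set for cached answer"
# TODO DNSSEC indeterminate when implemented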