#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Stop on the first unchecked failure.  The individual checks below use
# "|| ret=1" / "&& ret=1" so that a failed assertion is recorded in $status
# and the run continues with the next check.
set -e

# Harness settings and helpers used below (PORT, CONTROLPORT, RNDC, DIG,
# CHECKCONF, PYTHON, DEFAULT_HMAC, echo_i, rndc_dumpdb, nextpart,
# wait_for_log, wait_for_log_peek) are expected to come from here.
. ../conf.sh

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"

# status: number of checks that failed so far.
# n: running check number, used in messages and in output file names
#    (dig.out.test$n, ns1/named_dump.db.test$n, ...).
status=0
n=0

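#######################################
# Extract the cookie value(s) from saved dig output.
# Arguments: $1 - file containing dig output
# Outputs:   the third field of every line whose second field is "COOKIE:"
#            (i.e. the hex cookie, without the trailing "(good)" marker),
#            one per line, on stdout
# Returns:   awk's exit status (0 even when no line matches)
#######################################
getcookie() {
  # The file name is quoted so the helper also works for paths with spaces.
  awk '$2 == "COOKIE:" { print $3 }' <"$1"
}
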
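#######################################
# Check that the second and third cookie lines read from stdin have the
# same length (used to verify that a TCP retry carries the full cookie
# that the server sent back, rather than the short client-only cookie).
# Arguments: none; reads cookie values, one per line, from stdin
# Outputs:   "1" when at least three lines were read and lines 2 and 3
#            are the same length, "0" otherwise
# Returns:   awk's exit status
#######################################
fullcookie() {
  # Fewer than three lines used to compare two unset values and print 1;
  # require NR >= 3 so a missing line can never pass as a full cookie.
  awk '{ len[NR] = length($0) }
       END { print (NR >= 3 && len[2] == len[3]) }'
}
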
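#######################################
# Test whether saved dig output shows a truncated (TC) response.
# Arguments: $1 - file containing dig output
# Returns:   0 when a "flags:" line lists " tc" before the closing ";",
#            non-zero otherwise (or when the file cannot be read)
#######################################
havetc() {
  # -q replaces the stdout redirect; the file name is quoted (SC2086).
  grep -q 'flags:.* tc[^;]*;' "$1"
}
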
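# Every bad*.conf must be rejected by named-checkconf.
for bad in bad*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  # With no bad*.conf present the glob stays literal and checkconf would
  # simply fail to open it, which looked like a pass; count it as a failure.
  [ -f "$bad" ] || ret=1
  # checkconf succeeding on a bad config is the failure here.
  $CHECKCONF "$bad" >/dev/null 2>&1 && ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done
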
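# Every good*.conf must be accepted by named-checkconf (a missing fixture
# also fails, since checkconf cannot read it).
for good in good*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf accepts $good ($n)"
  ret=0
  $CHECKCONF "$good" >/dev/null 2>&1 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done
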
n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
# A header-only query with no COOKIE option: expect FORMERR and no COOKIE
# option in the reply.
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep -q "status: FORMERR" dig.out.test$n || ret=1
grep -q COOKIE: dig.out.test$n && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
# Same header-only query, but carrying a COOKIE option: expect NOERROR and a
# COOKIE option in the reply.
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep -q "status: NOERROR" dig.out.test$n || ret=1
grep -q COOKIE: dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
# A normal query with a client-only cookie must get a server cookie back.
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep -q "status: NOERROR" dig.out.test$n || ret=1
grep -q COOKIE: dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
# A canned full (client+server) cookie; the server at 10.53.0.7 is the one
# running with answer-cookie false, so no COOKIE option is expected back.
oldcookie=b71d3138bb984fc50100000064a65cffbbf02482dfb99ba5
$DIG $DIGOPTS +cookie=$oldcookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1
grep -q "status: NOERROR" dig.out.test$n || ret=1
grep -q COOKIE: dig.out.test$n && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
# +ignore keeps dig from retrying over TCP, so the TC bit of the UDP reply
# stays visible; without a cookie the large answer must be truncated.
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
# A client-only cookie is not yet a valid server cookie: the reply must still
# be truncated, although a (good) server cookie is handed back.
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
# First learn a server cookie, then resend with it: the large answer must
# no longer be truncated.  $cookie is reused by several later checks.
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
# Same as above for a name that is resolved recursively (large.xxx),
# reusing the cookie learnt from the previous check.
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
# With +qr the queries are printed too, so three COOKIE lines are expected,
# and fullcookie requires the second and third to be the same length.
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
checkfull=$(getcookie dig.out.test$n | fullcookie)
# Counts are left unquoted: wc(1) may pad its output with spaces.
[ $linecount != 3 ] && ret=1
[ $checkfull != 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
# Dump ns1's database and look for a cookie recorded against 10.53.0.2.
rndc_dumpdb ns1
grep -q "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
# +nobadcookie stops dig from retrying after a BADCOOKIE reply; with the
# default setting no BADCOOKIE is expected at all.
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE" dig.out.test$n && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
# Count left unquoted: wc(1) may pad its output with spaces.
[ $linecount != 2 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
# 10.53.0.3 requires a server cookie: expect BADCOOKIE, and neither the aa
# nor the ad flag may be set on that reply.
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE" dig.out.test$n || ret=1
grep -q "flags: qr[^;]* aa[ ;]" dig.out.test$n && ret=1
grep -q "flags: qr[^;]* ad[ ;]" dig.out.test$n && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
# Count left unquoted: wc(1) may pad its output with spaces.
[ $linecount != 2 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking +qr +showbadcookie ($n)"
ret=0
# +showbadcookie prints the BADCOOKIE reply as well as the retried exchange;
# with +qr the queries are printed too, hence the expected line counts.
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
# Counts are left unquoted: wc(1) may pad its output with spaces.
[ $noerror != 3 ] && ret=1
[ $badcookie != 1 ] && ret=1
[ $server != 3 ] && ret=1
[ $good != 2 ] && ret=1
[ $linecount != 4 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
n=$((n + 1))
echo_i "checking +showbadcookie ($n)"
ret=0
# Same as the previous check without +qr, so only the replies are printed.
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
# Counts are left unquoted: wc(1) may pad its output with spaces.
[ $noerror != 1 ] && ret=1
[ $badcookie != 1 ] && ret=1
[ $server != 2 ] && ret=1
[ $good != 2 ] && ret=1
[ $linecount != 2 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
# 10.53.0.8 requires a server cookie and rate-limits: still BADCOOKIE,
# with no ad flag on the reply.
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE" dig.out.test$n || ret=1
grep -q "flags: qr[^;]* ad[ ;]" dig.out.test$n && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
# Count left unquoted: wc(1) may pad its output with spaces.
[ $linecount != 2 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking 'server <prefix> { require-cookie yes; };' triggers TCP when cookie not returned ($n)"
ret=0
# nextpart (conf.sh helper) presumably advances the log read position so the
# wait_for_log_peek calls below only see entries written by this query.
nextpart ns8/named.run >/dev/null
$DIG $DIGOPTS +cookie soa from-no-cookie-server.example @10.53.0.8 >dig.out.test$n || ret=1
grep -q "status: NOERROR" dig.out.test$n || ret=1
# ns8 must log the missing cookie from 10.53.0.7 and then fall back to TCP.
wait_for_log_peek 3 "missing required cookie from 10.53.0.7#" ns8/named.run || ret=1
wait_for_log_peek 3 "connected from" ns8/named.run || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
# A 3-byte cookie is too short to be a client cookie: expect FORMERR.
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep -q "status: FORMERR" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
# The learnt cookie with one extra byte appended: the server still answers
# with a (good) cookie of its own.
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep -q "COOKIE: [a-f0-9]* (good)" dig.out.test$n 2>/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
# Same oversized cookie against the server that requires a good cookie.
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep -q "COOKIE: [a-f0-9]* (good)" dig.out.test$n 2>/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

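# This check used to run under the previous check's number, overwriting its
# dig.out.test$n file; give it its own number like every other check.
n=$((n + 1))
echo_i "check that BADCOOKIE is returned for a bad server COOKIE ($n)"
ret=0
# Same length as the learnt cookie but every hex digit zeroed, so the server
# part cannot validate; +nobadcookie keeps dig from retrying with the
# corrected cookie, so the BADCOOKIE reply itself is what gets checked.
badcookie=$(printf '%s\n' "$cookie" | sed 's/[a-f0-9]/0/g')
$DIG $DIGOPTS +qr +cookie=$badcookie +nobadcookie soa example @10.53.0.1 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
# Count left unquoted: wc(1) may pad its output with spaces.
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
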
#
# Test shared cookie-secret support.
#
# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
# Server cookies from NS6 are accepted by NS5 and not NS4
#
# Force the local address so that the client's address is the same to all servers.
#

n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
# -b pins the source address so the client part of the cookie is computed
# for the same client on every server.
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
ns4cookie=$(getcookie dig.out.test$n)
[ -n "$ns4cookie" ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
# Same source address as for NS4 so the cookies are comparable.
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
ns5cookie=$(getcookie dig.out.test$n)
[ -n "$ns5cookie" ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

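n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
# Same source address as for NS4 and NS5 so the cookies are comparable.
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
# Like the NS4/NS5 checks, an empty cookie is a failure here rather than
# something the later cross-server checks discover indirectly.
test -n "$ns6cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
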
n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
# NS5 shares NS4's secret, so NS4's server cookie validates there.
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep -q "status: NOERROR," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
# NS6 does not know NS4's secret: BADCOOKIE, with a fresh (good) cookie.
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
# NS4 shares NS5's primary secret, so NS5's server cookie validates there.
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep -q "status: NOERROR," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
# NS5 signs with its primary secret, which NS6 does not have: BADCOOKIE.
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
# NS4 does not know NS6's secret: BADCOOKIE.
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep -q "status: BADCOOKIE," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
# NS5's alternate secret is NS6's secret, so NS6's cookie validates on NS5.
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep -q "status: NOERROR," dig.out.test$n || ret=1
grep -q "; COOKIE:.*(good)" dig.out.test$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

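n=$((n + 1))
echo_i "check that test server is correctly configured ($n)"
ret=0
# Sanity-check the scripted server at 10.53.0.9 directly.  Each query writes
# its own output file and every assertion below is made against that file;
# the "no TSIG pseudosection" checks previously all re-read file .1.
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

# tcponly.tld over UDP: no cookie, and the spoofed 10.53.0.10 answer is present
$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.2 >/dev/null && ret=1

# nocookie.tld over UDP: no cookie, both addresses
$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.3 >/dev/null && ret=1

# withtsig.tld over UDP: no cookie, both addresses, TSIG present
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1

#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.5 >/dev/null && ret=1

# over TCP the tcponly/nocookie/withtsig names behave like plain tld
$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.6 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.7 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8 || ret=1
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
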
n=$((n + 1))
echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state: after one successful query ns1's database must
# hold a cookie for 10.53.0.9
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep -q "status: NOERROR" dig.out.test$n.1 || ret=1
rndc_dumpdb ns1
grep -q "$pat" ns1/named_dump.db.test$n || ret=1
# spoofed response contains 10.53.0.10: ns1 must log the missing cookie and
# the final answer must only carry 10.53.0.9
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep -q "status: NOERROR" dig.out.test$n.2 || ret=1
grep -q 'A.10\.53\.0\.9' dig.out.test$n.2 || ret=1
grep -q 'A.10\.53\.0\.10' dig.out.test$n.2 && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state, as in the previous check
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep -q "status: NOERROR" dig.out.test$n.1 || ret=1
rndc_dumpdb ns1
grep -q "$pat" ns1/named_dump.db.test$n || ret=1
# check the disabled server response: the missing cookie is logged, yet the
# query still resolves to 10.53.0.9 only
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep -q "status: NOERROR" dig.out.test$n.2 || ret=1
grep -q 'A.10\.53\.0\.9' dig.out.test$n.2 || ret=1
grep -q 'A.10\.53\.0\.10' dig.out.test$n.2 && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

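n=$((n + 1))
echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
nextpart ns1/named.run >named.run.test$n
# grep -c exits 1 when the count is 0; without "|| true" that would abort
# the whole script under "set -e" instead of recording a failed check.
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n || true)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
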
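# The TSIG test server needs dnspython >= 1.16; skip these checks otherwise.
if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'; then
  n=$((n + 1))
  echo_i "check that TSIG test server is correctly configured ($n)"
  ret=0
  # Queries to 10.53.0.10 are TSIG-signed with the test key; each query
  # writes its own output file and the TSIG assertion is made against that
  # file (previously every one of them re-read file .1).
  pat="; COOKIE: ................................ (good)"
  key="${DEFAULT_HMAC}:foo:aaaaaaaaaaaa"
  #UDP
  $DIG $DIGOPTS @10.53.0.10 -y "$key" +notcp tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y "$key" +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.2 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y "$key" +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
  grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.3 >/dev/null || ret=1

  #TCP
  $DIG $DIGOPTS @10.53.0.10 -y "$key" +tcp tsig. >dig.out.test$n.5 || ret=1
  grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.5 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y "$key" +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
  grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.6 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y "$key" +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
  grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.7 >/dev/null || ret=1

  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  n=$((n + 1))
  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
  ret=0
  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
  # prime EDNS COOKIE state
  $DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  rndc_dumpdb ns1
  grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
  # check the disabled server response
  nextpart ns1/named.run >/dev/null
  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  nextpart ns1/named.run >named.run.test$n
  # grep -c exits 1 when the count is 0; without "|| true" that would abort
  # the whole script under "set -e" instead of recording a failed check.
  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n || true)
  test $count -eq 2 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
fi
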
# Report the number of failed checks and exit non-zero if there were any.
echo_i "exit status: $status"
if [ $status -ne 0 ]; then
  exit 1
fi
