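#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

#
# System test for DNS COOKIE handling.
#
# Each numbered check runs named-checkconf or dig against one of the test
# servers (10.53.0.1 - 10.53.0.8), inspects the saved output, and adds 1 to
# $status on failure.  The script exits 1 if any check failed.
#
# Helpers such as echo_i and rndc_dumpdb, and the variables PORT,
# CONTROLPORT, DIG, RNDC and CHECKCONF, are expected to come from conf.sh.
#
# Backticks and expr are kept on purpose: the file is written for plain
# /bin/sh and uses no newer syntax anywhere.
#

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

# getcookie FILE
# Print the third field of every line in FILE whose second field is
# "COOKIE:" (the cookie value in dig output), one per line, with any
# carriage returns removed.
getcookie() {
    awk '$2 == "COOKIE:" {
        print $3;
    }' < "$1" | tr -d '\r'
}

# fullcookie
# Read lines on stdin and print 1 if the second and third lines have the
# same length, 0 otherwise.  Array indices start at 0, so v[1] and v[2]
# are lines two and three; the first line is deliberately not compared.
fullcookie() {
    awk 'BEGIN { n = 0 }
         // { v[n++] = length(); }
         END { print (v[1] == v[2]); }'
}

# havetc FILE
# Succeed if the "flags:" line in FILE carries the tc (truncated) flag.
havetc() {
    grep 'flags:.* tc[^;]*;' "$1" > /dev/null
}

# Every bad*.conf must be rejected by named-checkconf.
for bad in bad*.conf
do
    n=`expr $n + 1`
    echo_i "checking that named-checkconf detects error in $bad ($n)"
    ret=0
    $CHECKCONF "$bad" > /dev/null 2>&1 && ret=1
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=`expr $status + $ret`
done

# Every good*.conf must be accepted by named-checkconf.
for good in good*.conf
do
    n=`expr $n + 1`
    # Message previously read "detects accepts"; the stray word is dropped.
    echo_i "checking that named-checkconf accepts $good ($n)"
    ret=0
    $CHECKCONF "$good" > /dev/null 2>&1 || ret=1
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=`expr $status + $ret`
done

n=`expr $n + 1`
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The next three checks look at the tc flag on a large UDP answer: it is
# expected without a cookie and with a first-contact cookie, and must be
# absent once the client presents a cookie obtained from the server.
# NOTE(review): presumably this is the response-size limit applied to
# clients that have not proven their address - confirm against the
# server configuration.
n=`expr $n + 1`
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking response size with COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l
cookie=`getcookie dig.out.test$n.l`
# $cookie is reused by the recursive and oversized-cookie checks below, so
# fail here if extraction produced nothing rather than letting later
# checks run with an empty "+cookie=" value.
test -n "$cookie" || ret=1
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n
# Three COOKIE lines are expected, and the last two must be equally long.
# NOTE(review): presumably these are the first query, the retried query
# and the final response - confirm against dig's +qr output.
# $linecount is left unquoted so that any padding emitted by wc -l is
# dropped by word splitting before the comparison.
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 3 ]; then ret=1; fi
checkfull=`getcookie dig.out.test$n | fullcookie`
if [ $checkfull != 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n
# A BADCOOKIE response must not be flagged aa or ad.
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Malformed-length cookies: an undersized value must draw FORMERR, while a
# value with one extra byte appended to a cookie issued earlier must still
# be answered with a cookie that dig reports as "(good)".
n=`expr $n + 1`
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

#
# Test shared cookie-secret support.
#
# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
# Server cookies from NS6 are accepted by NS5 and not NS4
#
# Force local address so that the client's address is the same to all servers.
#

n=`expr $n + 1`
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns4cookie=`getcookie dig.out.test$n`
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns5cookie=`getcookie dig.out.test$n`
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
ns6cookie=`getcookie dig.out.test$n`
# Same non-empty guard as for NS4 and NS5.  Without it the cross-server
# checks below would run with an empty "+cookie=" value, so the
# "expect success" check on NS5 would no longer be exercising an
# NS6-issued cookie.
test -n "$ns6cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Cross-server matrix.  +nobadcookie keeps dig from retrying, so the
# BADCOOKIE status is what ends up in the saved output.
n=`expr $n + 1`
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1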