#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Locate the system-test tree and load the shared test configuration.
# $DIG, $RNDC, $CHECKCONF, $PYTHON, $PORT, $CONTROLPORT and the helpers
# echo_i, rndc_dumpdb, nextpart and wait_for_log are not defined in this
# file; presumably conf.sh provides them.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# Options passed to every dig invocation below.
DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

# n numbers the checks (it appears in log messages and output file names);
# status accumulates the number of failed checks.
n=0
status=0

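# Print the COOKIE values found in a saved dig output file.
# Arguments: $1 - path of the dig output file
# Outputs:   the third field of every line whose second field is
#            "COOKIE:", one per line, with carriage returns removed
getcookie() {
	# "$1" is quoted so that a path containing whitespace or glob
	# characters is opened as a single file.
	awk '$2 == "COOKIE:" { print $3 }' < "$1" | tr -d '\r'
}
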
# Compare the lengths of the second and third input lines.
# Inputs:  lines on stdin (the caller pipes getcookie output in)
# Outputs: "1" when line 2 and line 3 have the same length, "0" otherwise
fullcookie() {
	awk '{ len[NR] = length($0) }
	     END { print (len[2] == len[3]) }'
}

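# Report whether a saved dig response has the TC (truncated) flag set.
# Arguments: $1 - path of the dig output file
# Returns:   0 when a "flags:" line lists tc, non-zero otherwise
havetc() {
	# "$1" is quoted so that a path containing whitespace or glob
	# characters is passed to grep as a single file name.
	grep 'flags:.* tc[^;]*;' "$1" > /dev/null
}
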
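# named-checkconf must reject every bad*.conf in this directory.
for bad in bad*.conf
do
	n=$((n + 1))
	echo_i "checking that named-checkconf detects error in $bad ($n)"
	ret=0
	# The check fails when named-checkconf exits 0 for a bad file.
	$CHECKCONF "$bad" >/dev/null 2>&1 && ret=1
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
done

# named-checkconf must accept every good*.conf in this directory.
for good in good*.conf
do
	n=$((n + 1))
	# The message used to read "detects accepts", which is misleading
	# when it shows up next to "failed" in the test log.
	echo_i "checking that named-checkconf accepts $good ($n)"
	ret=0
	$CHECKCONF "$good" >/dev/null 2>&1 || ret=1
	[ "$ret" -eq 0 ] || echo_i "failed"
	status=$((status + ret))
done
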
# Header-only query (no question section) without a COOKIE option:
# expect FORMERR and no COOKIE line anywhere in the output.
n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >"dig.out.test$n"
grep COOKIE: "dig.out.test$n" >/dev/null && ret=1
grep "status: FORMERR" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same header-only query, this time carrying a COOKIE option:
# expect NOERROR and a COOKIE line.
n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >"dig.out.test$n"
grep COOKIE: "dig.out.test$n" >/dev/null || ret=1
grep "status: NOERROR" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# An ordinary query with +cookie must come back with a COOKIE option.
n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >"dig.out.test$n"
grep COOKIE: "dig.out.test$n" >/dev/null || ret=1
grep "status: NOERROR" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# 10.53.0.7 is presumably the server configured with answer-cookie false
# (confirm in its named.conf): the answer must carry no COOKIE.
n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >"dig.out.test$n"
grep COOKIE: "dig.out.test$n" >/dev/null && ret=1
grep "status: NOERROR" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# The next four checks look at the TC flag of answers for a large TXT
# record.  The expectations encoded here: truncated without a COOKIE,
# truncated when only a client cookie is sent, and not truncated once a
# server cookie obtained earlier is presented.  +ignore makes dig keep the
# truncated UDP answer instead of retrying over TCP.
n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >"dig.out.test$n"
havetc "dig.out.test$n" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >"dig.out.test$n"
havetc "dig.out.test$n" || ret=1
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
# First exchange only fetches a cookie; $cookie is reused by later checks.
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >"dig.out.test$n.l"
cookie=$(getcookie "dig.out.test$n.l")
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >"dig.out.test$n"
havetc "dig.out.test$n" && ret=1
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >"dig.out.test$n"
havetc "dig.out.test$n" && ret=1
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# With +qr dig also prints the queries it sends, so getcookie yields one
# line per printed message.  Three lines are expected, and fullcookie
# requires the last two to have the same length.
n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >"dig.out.test$n"
# $linecount and $checkfull stay unquoted: some wc implementations pad the
# count with blanks, and word splitting strips that padding.
linecount=$(getcookie "dig.out.test$n" | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=$(getcookie "dig.out.test$n" | fullcookie)
if [ $checkfull != 1 ]; then ret=1; fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# The dump written by rndc_dumpdb must show a stored cookie for 10.53.0.2.
n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" "ns1/named_dump.db.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# require-server-cookie checks.  +nobadcookie stops dig from retrying after
# a BADCOOKIE answer, so the server's first reply is what gets inspected.
# Each run must print exactly two COOKIE lines (query and response).
n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >"dig.out.test$n"
grep BADCOOKIE "dig.out.test$n" >/dev/null && ret=1
# $linecount stays unquoted so blank padding from wc is stripped.
linecount=$(getcookie "dig.out.test$n" | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# A client without a server cookie must get BADCOOKIE, and the reply must
# not carry the aa or ad flags.
n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >"dig.out.test$n"
grep "flags: qr[^;]* aa[ ;]" "dig.out.test$n" >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" "dig.out.test$n" >/dev/null && ret=1
grep BADCOOKIE "dig.out.test$n" >/dev/null || ret=1
linecount=$(getcookie "dig.out.test$n" | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same expectation against 10.53.0.8, which the message describes as the
# server that also has rate-limit configured.
n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >"dig.out.test$n"
grep "flags: qr[^;]* ad[ ;]" "dig.out.test$n" >/dev/null && ret=1
grep BADCOOKIE "dig.out.test$n" >/dev/null || ret=1
linecount=$(getcookie "dig.out.test$n" | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Malformed cookie lengths.  A three-byte cookie must be rejected with
# FORMERR.
n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >"dig.out.test$n" || ret=1
grep "status: FORMERR" "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# $cookie was captured by the earlier "response size with COOKIE" check;
# one extra byte ("00") is appended to it.  The reply is still expected to
# carry a cookie that dig reports as good.
n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >"dig.out.test$n" || ret=1
grep "COOKIE: [a-f0-9]* (good)" "dig.out.test$n" >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same oversized cookie against 10.53.0.3, the server used above for the
# "require-server-cookie yes" check.
n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >"dig.out.test$n" || ret=1
grep "COOKIE: [a-f0-9]* (good)" "dig.out.test$n" >/dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

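#
# Test shared cookie-secret support.
#
# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
# Server cookies from NS6 are accepted by NS5 and not NS4
#
# Force local address so that the client's address is the same to all servers.
#

n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
ns4cookie=$(getcookie "dig.out.test$n")
test -n "$ns4cookie" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
ns5cookie=$(getcookie "dig.out.test$n")
test -n "$ns5cookie" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
ns6cookie=$(getcookie "dig.out.test$n")
# Fail here when no cookie was extracted, as is done for NS4 and NS5.
# Otherwise the later cross-server checks would send a bare "+cookie="
# and no longer exercise a cookie made with NS6's secret.
test -n "$ns6cookie" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
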
# Cross-server acceptance matrix for the cookies captured into
# $ns4cookie, $ns5cookie and $ns6cookie.  Every query is sent from
# 10.53.0.4 with +nobadcookie so a BADCOOKIE answer is reported instead
# of retried.  "expect success" means NOERROR, "expect badcookie" means
# status BADCOOKIE; in both cases the reply must carry a good cookie.
n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: NOERROR," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: BADCOOKIE," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: NOERROR," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: BADCOOKIE," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: BADCOOKIE," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >"dig.out.test$n"
grep "; COOKIE:.*(good)" "dig.out.test$n" >/dev/null || ret=1
grep "status: NOERROR," "dig.out.test$n" >/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

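# Sanity-check the scripted test server at 10.53.0.9 before the resolver
# checks that depend on it.  Each stanza queries it directly and asserts
# which of these show up in the answer: a good COOKIE, the 10.53.0.9
# address, the 10.53.0.10 address (a later check calls that the spoofed
# response), and a TSIG pseudosection.
#
# Fix: the TSIG assertion in stanzas .2, .3, .5, .6 and .7 used to grep
# dig.out.test$n.1 again, so an unexpected TSIG in those answers went
# unnoticed.  Each stanza now inspects the file it has just written.
# NOTE(review): if a stanza starts failing, confirm what the fixture
# actually sends for that name and transport.
n=$((n + 1))
echo_i "check that test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld >"dig.out.test$n.1"
grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
grep "$pat" "dig.out.test$n.1" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.1" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.1" >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.1" >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >"dig.out.test$n.2"
grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
grep "; COOKIE:" "dig.out.test$n.2" >/dev/null && ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.2" >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >"dig.out.test$n.3"
grep "status: NOERROR" "dig.out.test$n.3" >/dev/null || ret=1
grep "; COOKIE:" "dig.out.test$n.3" >/dev/null && ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.3" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.3" >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.3" >/dev/null && ret=1

# withtsig.tld over UDP is the only answer expected to carry a TSIG.
$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >"dig.out.test$n.4"
grep "status: NOERROR" "dig.out.test$n.4" >/dev/null || ret=1
grep "; COOKIE:" "dig.out.test$n.4" >/dev/null && ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.4" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.4" >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.4" >/dev/null || ret=1

#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld >"dig.out.test$n.5"
grep "status: NOERROR" "dig.out.test$n.5" >/dev/null || ret=1
grep "$pat" "dig.out.test$n.5" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.5" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.5" >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.5" >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >"dig.out.test$n.6"
grep "status: NOERROR" "dig.out.test$n.6" >/dev/null || ret=1
grep "$pat" "dig.out.test$n.6" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.6" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.6" >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.6" >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >"dig.out.test$n.7"
grep "status: NOERROR" "dig.out.test$n.7" >/dev/null || ret=1
grep "; COOKIE:" "dig.out.test$n.7" >/dev/null && ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.7" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.7" >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.7" >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >"dig.out.test$n.8"
grep "status: NOERROR" "dig.out.test$n.8" >/dev/null || ret=1
grep "$pat" "dig.out.test$n.8" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.8" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.8" >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" "dig.out.test$n.8" >/dev/null && ret=1

[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
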
# Resolver-side check through 10.53.0.1.  Once ns1 has stored a server
# cookie for 10.53.0.9, a UDP answer arriving without that cookie must not
# be used: ns1 has to log the missing cookie and the final answer must
# hold 10.53.0.9 only, never the spoofed 10.53.0.10.
n=$((n + 1))
echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >"dig.out.test$n.1"
grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" "ns1/named_dump.db.test$n" >/dev/null || ret=1
# spoofed response contains 10.53.0.10
# (nextpart output is discarded: presumably it only moves the log read
# position forward so wait_for_log sees new lines -- confirm in conf.sh)
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >"dig.out.test$n.2"
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same sequence for nocookie.tld: the cookie-less answer must be logged
# and the client must still end up with the 10.53.0.9-only answer.
n=$((n + 1))
echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >"dig.out.test$n.1"
grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" "ns1/named_dump.db.test$n" >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >"dig.out.test$n.2"
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# A cookie-less answer that carries a TSIG must be dropped as well when a
# server cookie is already known: the client must see 10.53.0.9 only, and
# the new part of ns1's log must contain exactly one line matching the
# NOERROR pattern below.
n=$((n + 1))
echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >"dig.out.test$n.1"
grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" "ns1/named_dump.db.test$n" >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >"dig.out.test$n.2"
grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null && ret=1
# Keep the log lines written since the previous nextpart call.
nextpart ns1/named.run >"named.run.test$n"
count=$(grep -c ') [0-9][0-9]* NOERROR 0' "named.run.test$n")
[ "$count" -eq 1 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

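# The TSIG checks run only when the Python dns module reports version
# 1.16 or newer; otherwise the whole section is skipped.
if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'
then
  # Sanity-check the TSIG-signing test server at 10.53.0.10.  Every
  # stanza asserts, besides cookie and address content, that dig reports
  # a TSIG record with NOERROR.
  #
  # Fix: stanzas .2, .3, .5, .6 and .7 used to grep dig.out.test$n.1 for
  # the TSIG line, so only the first answer's signature was ever checked.
  # Each stanza now inspects its own output file.
  # NOTE(review): if a stanza starts failing, confirm that the fixture
  # signs that particular response.
  n=$((n + 1))
  echo_i "check that TSIG test server is correctly configured ($n)"
  ret=0
  pat="; COOKIE: ................................ (good)"
  # Fixed key shared with the test fixture.  dig -y puts the secret on
  # the command line, which is acceptable only for a throwaway test key.
  key=hmac-sha256:foo:aaaaaaaaaaaa
  #UDP
  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >"dig.out.test$n.1"
  grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
  grep "$pat" "dig.out.test$n.1" >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.1" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.1" >/dev/null && ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.1" >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >"dig.out.test$n.2"
  grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
  grep "; COOKIE:" "dig.out.test$n.2" >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null || ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.2" >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >"dig.out.test$n.3"
  grep "status: NOERROR" "dig.out.test$n.3" >/dev/null || ret=1
  grep "; COOKIE:" "dig.out.test$n.3" >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.3" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.3" >/dev/null || ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.3" >/dev/null || ret=1

  #TCP
  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >"dig.out.test$n.5"
  grep "status: NOERROR" "dig.out.test$n.5" >/dev/null || ret=1
  grep "$pat" "dig.out.test$n.5" >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.5" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.5" >/dev/null && ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.5" >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >"dig.out.test$n.6"
  grep "status: NOERROR" "dig.out.test$n.6" >/dev/null || ret=1
  grep "$pat" "dig.out.test$n.6" >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.6" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.6" >/dev/null && ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.6" >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >"dig.out.test$n.7"
  grep "status: NOERROR" "dig.out.test$n.7" >/dev/null || ret=1
  grep "; COOKIE:" "dig.out.test$n.7" >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.7" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.7" >/dev/null && ret=1
  grep 'TSIG.*NOERROR' "dig.out.test$n.7" >/dev/null || ret=1

  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))

  # Resolver-side check through 10.53.0.1: a cookie-less answer that is
  # covered by a valid TSIG is accepted as is, so the client sees both
  # addresses and the new part of ns1's log must contain exactly two
  # lines matching the NOERROR pattern below.
  n=$((n + 1))
  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
  ret=0
  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
  # prime EDNS COOKIE state
  $DIG $DIGOPTS @10.53.0.1 tsig. >"dig.out.test$n.1"
  grep "status: NOERROR" "dig.out.test$n.1" >/dev/null || ret=1
  rndc_dumpdb ns1
  grep "$pat" "ns1/named_dump.db.test$n" >/dev/null || ret=1
  # check the disabled server response
  nextpart ns1/named.run >/dev/null
  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >"dig.out.test$n.2"
  grep "status: NOERROR" "dig.out.test$n.2" >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' "dig.out.test$n.2" >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' "dig.out.test$n.2" >/dev/null || ret=1
  nextpart ns1/named.run >"named.run.test$n"
  count=$(grep -c ') [0-9][0-9]* NOERROR 0' "named.run.test$n")
  [ "$count" -eq 2 ] || ret=1
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))
fi
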
# Report the number of failed checks and exit non-zero if there were any.
echo_i "exit status: $status"
if [ "$status" -ne 0 ]; then
	exit 1
fi
516