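#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for EDNS COOKIE (RFC 7873) handling in named and dig.
#
# Every check increments $n, writes its dig output to dig.out.test$n*,
# sets ret=1 on any unexpected result and folds ret into $status; the
# script exits non-zero at the end when any check failed.
#
# Expects the system-test environment provided by ../conf.sh: DIG,
# RNDC, CHECKCONF, PYTHON, PORT, CONTROLPORT, echo_i, rndc_dumpdb,
# nextpart and wait_for_log.

set -e

. ../conf.sh

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

# Print the cookie value(s) found in a dig output file ($1): the third
# field of every line whose second field is "COOKIE:".  One line per
# COOKIE: line in the input (a +qr run therefore yields several).
getcookie() {
  awk '$2 == "COOKIE:" {
    print $3;
  }' <"$1"
}

# Read cookie values from stdin, one per line, and print 1 when the
# second and third lines have the same length, 0 otherwise.  The TCP
# retry check below feeds it the three COOKIE: lines of a +qr run.
fullcookie() {
  awk 'BEGIN { n = 0 }
    // { v[n++] = length(); }
    END { print (v[1] == v[2]); }'
}

# Succeed when the dig output file ($1) shows the TC (truncated) flag.
havetc() {
  grep 'flags:.* tc[^;]*;' "$1" >/dev/null
}

# Every bad*.conf must be rejected by named-checkconf.
for bad in bad*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  $CHECKCONF "$bad" >/dev/null 2>&1 && ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# Every good*.conf must be accepted by named-checkconf.
for good in good*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects accepts $good ($n)"
  ret=0
  $CHECKCONF "$good" >/dev/null 2>&1 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# A header-only query (no question section) is a FORMERR unless it
# carries a COOKIE option, in which case the server answers NOERROR
# with a cookie (the RFC 7873 way of fetching a server cookie).
n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# ns7 is configured with answer-cookie false: no COOKIE in the reply.
n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Response-size checks: without a valid server cookie the large answer
# is truncated (TC set); with a good cookie it is sent in full.  +ignore
# stops dig from retrying over TCP so the UDP reply is what we inspect.
n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1
# $cookie is reused by the oversized-cookie checks further down.
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# With +qr the output holds three COOKIE: lines (UDP query, UDP reply,
# TCP retry query); the second and third must have the same length,
# i.e. the retry carries the cookie learnt from the UDP reply.
n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1
# $linecount is deliberately unquoted: wc -l pads with spaces on some platforms.
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=$(getcookie dig.out.test$n | fullcookie)
if [ $checkfull != 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# require-server-cookie: ns1 (default no) answers a client-only cookie;
# ns3 (yes) replies BADCOOKIE without aa/ad and dig, told +nobadcookie,
# does not retry with the returned server cookie.
n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1
grep BADCOOKIE dig.out.test$n >/dev/null && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# +showbadcookie keeps the BADCOOKIE reply in the output alongside the
# retried query; the dotted patterns match a 48-hex-digit full cookie.
n=$((n + 1))
echo_i "checking +qr +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $noerror != 3 ]; then ret=1; fi
if [ $badcookie != 1 ]; then ret=1; fi
if [ $server != 3 ]; then ret=1; fi
if [ $good != 2 ]; then ret=1; fi
if [ $linecount != 4 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $noerror != 1 ]; then ret=1; fi
if [ $badcookie != 1 ]; then ret=1; fi
if [ $server != 2 ]; then ret=1; fi
if [ $good != 2 ]; then ret=1; fi
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep BADCOOKIE dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Malformed cookie lengths: an undersized option is a FORMERR; an
# oversized one (a good cookie with two extra hex digits) must still
# be answered with a fresh good cookie, whether or not the server
# requires a server cookie.
n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# Test shared cookie-secret support.
#
# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
# Server cookies from NS6 are accepted by NS5 and not NS4
#
# Force local address so that the client's address is the same to all servers.
# (A server cookie is bound to the client address, so a different
# source address would be rejected regardless of the secret.)
#

n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns4cookie=$(getcookie dig.out.test$n)
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns5cookie=$(getcookie dig.out.test$n)
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
# Same guard as for ns4/ns5: an empty cookie would otherwise make the
# cross-server checks below send a bare +cookie= and pass vacuously.
test -n "$ns6cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Sanity-check the scripted responder on 10.53.0.9 before relying on it:
# "tld" answers with a good cookie and only 10.53.0.9; "tcponly.tld"
# and "nocookie.tld" answer over UDP without a cookie and with an extra
# 10.53.0.10 record (the spoofed answer the later checks must reject);
# "withtsig.tld" is the only name whose reply carries a TSIG.  Each
# pseudosection check inspects the output file of its own query.
n=$((n + 1))
echo_i "check that test server is correctly configured ($n)"
ret=0
pat="; COOKIE: ................................ (good)"
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.2 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.3 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1

#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.5 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.6 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.7 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8 || ret=1
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Once ns1 has learnt a server cookie for 10.53.0.9 (visible in the adb
# dump), a UDP reply that omits the cookie must be treated as a possible
# spoof: named logs "missing expected cookie from" and the resolver's
# final answer must not contain the 10.53.0.10 record from that reply.
n=$((n + 1))
echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Same set-up, but the server has genuinely stopped sending cookies:
# the missing cookie is still logged and the cookie-less UDP answer is
# still not used as-is (no 10.53.0.10 in the final answer).
n=$((n + 1))
echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A TSIG on the cookie-less reply does not rescue it either (ns1 has no
# key for 10.53.0.9, so the signature cannot vouch for the answer).
# The log excerpt is expected to contain exactly one matching
# ') <n> NOERROR 0' line for this query.
n=$((n + 1))
echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The TSIG-signing responder on 10.53.0.10 needs dnspython 1.16 or
# newer (presumably what the responder script is written against);
# skip this part of the test when an older module is installed.
if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'; then
  # Every query here is signed with a test-only key; each reply must
  # verify (TSIG ... NOERROR).  As above, "tcponly.tsig" and
  # "nocookie.tsig" omit the cookie over UDP and add 10.53.0.10.  Each
  # TSIG check inspects the output file of its own query.
  n=$((n + 1))
  echo_i "check that TSIG test server is correctly configured ($n)"
  ret=0
  pat="; COOKIE: ................................ (good)"
  key=hmac-sha256:foo:aaaaaaaaaaaa
  #UDP
  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.2 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
  grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.3 >/dev/null || ret=1

  #TCP
  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1
  grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.5 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
  grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.6 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
  grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.7 >/dev/null || ret=1

  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Here ns1 does hold the key for 10.53.0.10, so a validly signed reply
  # without a cookie is accepted as-is (10.53.0.10 appears in the answer)
  # and the log excerpt shows two ') <n> NOERROR 0' lines, i.e. no
  # TCP fallback was triggered.
  n=$((n + 1))
  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
  ret=0
  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
  # prime EDNS COOKIE state
  $DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  rndc_dumpdb ns1
  grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
  # check the disabled server response
  nextpart ns1/named.run >/dev/null
  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  nextpart ns1/named.run >named.run.test$n
  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
  test $count -eq 2 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
fi

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1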