1#!/bin/sh 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14set -e 15 16#shellcheck source=conf.sh 17. ../conf.sh 18 19dig_with_opts() ( 20 "$DIG" -p "$PORT" "$@" 21) 22 23sendcmd() ( 24 send "$1" "$EXTRAPORT1" 25) 26 27rndccmd() { 28 "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" 29} 30 31root=10.53.0.1 32hidden=10.53.0.2 33f1=10.53.0.3 34f2=10.53.0.4 35 36status=0 37n=0 38 39n=$((n + 1)) 40echo_i "checking that a forward zone overrides global forwarders ($n)" 41ret=0 42dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 43dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1 44digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 45if [ $ret != 0 ]; then echo_i "failed"; fi 46status=$((status + ret)) 47 48n=$((n + 1)) 49echo_i "checking that a forward first zone no forwarders recurses ($n)" 50ret=0 51dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 52dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 53digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 54if [ $ret != 0 ]; then echo_i "failed"; fi 55status=$((status + ret)) 56 57n=$((n + 1)) 58echo_i "checking that a forward only zone no forwarders fails ($n)" 59ret=0 60dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 61dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 62digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 63if [ $ret != 0 ]; then echo_i "failed"; fi 64status=$((status + ret)) 65 66n=$((n + 1)) 67echo_i "checking that global forwarders work ($n)" 68ret=0 69dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1 70dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1 71digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 72if [ $ret != 0 ]; then echo_i "failed"; fi 73status=$((status + ret)) 74 75n=$((n + 1)) 76echo_i "checking that DoT expired certificate does not work ($n)" 77if $FEATURETEST --have-fips-dh; then 78 ret=0 79 nextpart ns4/named.run >/dev/null 80 dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1 81 dig_with_opts +noadd +noauth txt.example4. txt @$f2 >dig.out.$n.f2 || ret=1 82 digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1 83 wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1 84 if [ $ret != 0 ]; then echo_i "failed"; fi 85 status=$((status + ret)) 86else 87 echo_i "skipped." 88fi 89 90n=$((n + 1)) 91echo_i "checking that a forward zone works (DoT insecure) ($n)" 92if $FEATURETEST --have-fips-dh; then 93 ret=0 94 nextpart ns4/named.run >/dev/null 95 dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 96 dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1 97 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 98 wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 99 if [ $ret != 0 ]; then echo_i "failed"; fi 100 status=$((status + ret)) 101else 102 echo_i "skipped." 103fi 104 105n=$((n + 1)) 106echo_i "checking that forwarding doesn't spontaneously happen ($n)" 107ret=0 108dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 109dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1 110digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 111if [ $ret != 0 ]; then echo_i "failed"; fi 112status=$((status + ret)) 113 114n=$((n + 1)) 115echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)" 116if $FEATURETEST --have-fips-dh; then 117 ret=0 118 nextpart ns4/named.run >/dev/null 119 dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1 120 dig_with_opts +noadd +noauth txt.example3. txt @$f2 >dig.out.$n.f2 || ret=1 121 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 122 wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 123 if [ $ret != 0 ]; then echo_i "failed"; fi 124 status=$((status + ret)) 125else 126 echo_i "skipped." 127fi 128 129n=$((n + 1)) 130echo_i "checking that DoT remote-hostname works ($n)" 131if $FEATURETEST --have-fips-dh; then 132 ret=0 133 nextpart ns4/named.run >/dev/null 134 dig_with_opts +noadd +noauth txt.example8. txt @$hidden >dig.out.$n.hidden || ret=1 135 dig_with_opts +noadd +noauth txt.example8. txt @$f2 >dig.out.$n.f2 || ret=1 136 digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1 137 wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 138 if [ $ret != 0 ]; then echo_i "failed"; fi 139 status=$((status + ret)) 140else 141 echo_i "skipped." 142fi 143 144n=$((n + 1)) 145echo_i "checking that DoT bad remote-hostname does not work ($n)" 146if $FEATURETEST --have-fips-dh; then 147 ret=0 148 nextpart ns4/named.run >/dev/null 149 dig_with_opts +noadd +noauth txt.example9. txt @$hidden >dig.out.$n.hidden || ret=1 150 dig_with_opts +noadd +noauth txt.example9. txt @$f2 >dig.out.$n.f2 || ret=1 151 digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1 152 wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1 153 if [ $ret != 0 ]; then echo_i "failed"; fi 154 status=$((status + ret)) 155else 156 echo_i "skipped." 157fi 158 159n=$((n + 1)) 160echo_i "checking that a forward only doesn't recurse ($n)" 161ret=0 162dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1 163grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1 164if [ $ret != 0 ]; then echo_i "failed"; fi 165status=$((status + ret)) 166 167# GL#1793 168n=$((n + 1)) 169echo_i "checking that the 'serverquota' counter isn't increased because of the SERVFAIL in the previous check ($n)" 170ret=0 171"${CURL}" "http://10.53.0.4:${EXTRAPORT1}/json/v1" 2>/dev/null >statschannel.out.$n 172grep -F "ServerQuota" statschannel.out.$n >/dev/null && ret=1 173if [ $ret != 0 ]; then echo_i "failed"; fi 174status=$((status + ret)) 175 176n=$((n + 1)) 177echo_i "checking for negative caching of forwarder response ($n)" 178# prime the cache, shutdown the forwarder then check that we can 179# get the answer from the cache. restart forwarder. 180ret=0 181dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 182grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 183stop_server ns4 || ret=1 184dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 185grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 186start_server --restart --noclean --port "${PORT}" ns4 || ret=1 187if [ $ret != 0 ]; then echo_i "failed"; fi 188status=$((status + ret)) 189 190check_override() ( 191 dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 >dig.out.$n.f2 \ 192 && grep "status: NOERROR" dig.out.$n.f2 >/dev/null \ 193 && dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 >dig.out.$n.f2 \ 194 && grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null 195) 196 197n=$((n + 1)) 198echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)" 199if $FEATURETEST --have-fips-dh; then 200 ret=0 201 # retry loop in case the server restart above causes transient failure 202 retry_quiet 10 check_override || ret=1 203 if [ $ret != 0 ]; then echo_i "failed"; fi 204 status=$((status + ret)) 205else 206 echo_i "skipped." 207fi 208 209n=$((n + 1)) 210echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" 211ret=0 212dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1 213dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1 214dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1 215dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1 216grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1 217grep "status: NXDOMAIN" dig.out.$n.q2 >/dev/null || ret=1 218grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1 219grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1 220if [ $ret != 0 ]; then echo_i "failed"; fi 221status=$((status + ret)) 222 223n=$((n + 1)) 224echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)" 225ret=0 226$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 227$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 228if [ $ret != 0 ]; then echo_i "failed"; fi 229status=$((status + ret)) 230 231n=$((n + 1)) 232echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" 233ret=0 234$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 235$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 236if [ $ret != 0 ]; then echo_i "failed"; fi 237status=$((status + ret)) 238 239count_sent() ( 240 logfile="$1" 241 start_pattern="$2" 242 pattern="$3" 243 nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" 244) 245 246check_sent() ( 247 expected="$1" 248 shift 249 count=$(count_sent "$@") 250 [ "$expected" = "$count" ] 251) 252 253wait_for_log() ( 254 nextpartpeek "$1" | grep "$2" >/dev/null 255 256) 257 258n=$((n + 1)) 259echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" 260ret=0 261# Make ans6 receive queries without responding to them. 262echo "//" | sendcmd 10.53.0.6 263# Query for a record in a zone which is forwarded to a non-responding forwarder 264# and is delegated from the root to check whether the forwarder will be retried 265# when a delegation is encountered after falling back to full recursive 266# resolution. 267nextpart ns3/named.run >/dev/null 268dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1 269# The forwarder for the "example7" zone should only be queried once. 270start_pattern="sending packet to 10\.53\.0\.6" 271retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" 272check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 273if [ $ret != 0 ]; then echo_i "failed"; fi 274status=$((status + ret)) 275 276n=$((n + 1)) 277echo_i "checking that priming queries are not forwarded ($n)" 278ret=0 279nextpart ns7/named.run >/dev/null 280dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1 281received_pattern="received packet from 10\.53\.0\.1" 282start_pattern="sending packet to 10\.53\.0\.1" 283retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 284check_sent 1 ns7/named.run "$start_pattern" ";\.[[:space:]]*IN[[:space:]]*NS$" || ret=1 285sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run || true) 286[ "$sent" -eq 0 ] || ret=1 287sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run || true) 288[ "$sent" -eq 1 ] || ret=1 289if [ $ret != 0 ]; then echo_i "failed"; fi 290status=$((status + ret)) 291 292n=$((n + 1)) 293echo_i "checking recovery from forwarding to a non-recursive server ($n)" 294ret=0 295dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1 296grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1 297if [ $ret != 0 ]; then echo_i "failed"; fi 298status=$((status + ret)) 299 300n=$((n + 1)) 301echo_i "checking that rebinding protection works in forward only mode ($n)" 302ret=0 303# 10.53.0.5 will forward target.malicious. query to 10.53.0.4 304# which in turn will return a CNAME for subdomain.rebind. 305# to honor the option deny-answer-aliases { "rebind"; }; 306# ns5 should return a SERVFAIL to avoid potential rebinding attacks 307dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1 308grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 309if [ $ret != 0 ]; then echo_i "failed"; fi 310status=$((status + ret)) 311 312# Prepare ans6 for the chasing DS tests. 313sendcmd 10.53.0.6 <<EOF 314/ns1.sld.tld/A/ 315300 A 10.53.0.2 316/sld.tld/NS/ 317300 NS ns1.sld.tld. 318/sld.tld/ 319EOF 320 321n=$((n + 1)) 322echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)" 323ret=0 324copy_setports ns3/named2.conf.in ns3/named.conf 325rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 326sleep 1 327nextpart ns3/named.run >/dev/null 328dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 329grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 330if [ $ret != 0 ]; then echo_i "failed"; fi 331status=$((status + ret)) 332 333# See [GL #3129]. 334# Enable silent mode for ans11. 335echo "1" | sendcmd 10.53.0.11 336n=$((n + 1)) 337echo_i "checking the handling of hung DS fetch while chasing DS ($n)" 338ret=0 339copy_setports ns3/named2.conf.in ns3/tmp 340sed 's/root.db/root2.db/' ns3/tmp >ns3/named.conf 341rm -f ns3/tmp 342rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 343rndccmd 10.53.0.3 flush 2>&1 | sed 's/^/ns3 /' | cat_i 344sleep 1 345nextpart ns3/named.run >/dev/null 346dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 347grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 348# Disable silent mode for ans11. 349echo "0" | sendcmd 10.53.0.11 350if [ $ret != 0 ]; then echo_i "failed"; fi 351status=$((status + ret)) 352 353# 354# Check various spoofed response scenarios. The same tests will be 355# run twice, with "forward first" and "forward only" configurations. 356# 357run_spooftests() { 358 n=$((n + 1)) 359 echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" 360 ret=0 361 # prime 362 dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 363 # check 'net' is not poisoned. 364 dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 365 grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1 366 # check 'sub.local.net' is not poisoned. 367 dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 368 grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1 369 if [ $ret != 0 ]; then echo_i "failed"; fi 370 status=$((status + ret)) 371 372 n=$((n + 1)) 373 echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" 374 ret=0 375 # prime 376 dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 377 # check that net2/DNAME is not cached 378 dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 379 grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1 380 grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1 381 if [ $ret != 0 ]; then echo_i "failed"; fi 382 status=$((status + ret)) 383 384 n=$((n + 1)) 385 echo_i "checking spoofed response scenario 3 - extra answer ($n)" 386 ret=0 387 # prime 388 dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1 389 # check extra net3 records are not cached 390 rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i 391 for try in 1 2 3 4 5; do 392 lines=$(grep "net3" ns9/named_dump.db | wc -l) 393 if [ ${lines} -eq 0 ]; then 394 sleep 1 395 continue 396 fi 397 [ ${lines} -eq 1 ] || ret=1 398 grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 399 grep -q '^local.net3' ns9/named_dump.db && ret=1 400 done 401 if [ $ret != 0 ]; then echo_i "failed"; fi 402 status=$((status + ret)) 403} 404 405echo_i "checking spoofed response scenarios with forward first zones" 406run_spooftests 407 408copy_setports ns9/named2.conf.in ns9/named.conf 409rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 410rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 411sleep 1 412 413echo_i "rechecking spoofed response scenarios with forward only zones" 414run_spooftests 415 416# 417# This scenario expects the spoofed response to succeed. The tests are 418# similar to the ones above, but not identical. 419# 420echo_i "rechecking spoofed response scenarios with 'forward only' set globally" 421copy_setports ns9/named3.conf.in ns9/named.conf 422rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 423rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 424sleep 1 425 426n=$((n + 1)) 427echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" 428ret=0 429# prime 430dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 431# check 'net' is poisoned. 432dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 433grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1 434# check 'sub.local.net' is poisoned. 435dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 436grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1 437if [ $ret != 0 ]; then echo_i "failed"; fi 438status=$((status + ret)) 439 440n=$((n + 1)) 441echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" 442ret=0 443# prime 444dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 445# check that net2/DNAME is cached 446dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 447grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1 448grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 >/dev/null || ret=1 449if [ $ret != 0 ]; then echo_i "failed"; fi 450status=$((status + ret)) 451 452# 453# This test doesn't use any forwarder clauses but is here because it 454# is similar to forwarders, as the set of servers that can populate 455# the namespace is defined by the zone content. 456# 457echo_i "rechecking spoofed response scenarios glue below local zone" 458copy_setports ns9/named4.conf.in ns9/named.conf 459rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i 460rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i 461sleep 1 462 463n=$((n + 1)) 464echo_i "checking sibling glue below zone ($n)" 465ret=0 466# prime 467dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1 468# check for glue A record for sub.local.tld is not used 469dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1 470grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1 471grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1 472if [ $ret != 0 ]; then echo_i "failed"; fi 473status=$((status + ret)) 474 475echo_i "exit status: $status" 476[ $status -eq 0 ] || exit 1 477