#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Resolver system test: a linear sequence of checks, each of which sends
# queries with dig to one of the test servers (10.53.0.x) and inspects the
# saved dig output and/or a server's named.run log.
#
# Bookkeeping used by every check:
#   n      - running check number; also embedded in the output file names
#   ret    - result of the current check (0 = pass)
#   status - accumulated number of failed checks

# Any command that fails outside an '||', '&&' or 'if' context aborts the
# whole script, which is why nearly every command below carries an explicit
# '|| ret=1' (or '&& ret=1' where failure is the expected outcome).
set -e

# Presumably provides DIG, RNDC, PORT, CONTROLPORT and helpers such as echo_i,
# nextpart and retry_quiet used below -- none of them is defined in this file.
# shellcheck source=../conf.sh
. ../conf.sh

# Run dig against the test query port.
# Arguments: passed through to dig unchanged.
# Returns:   dig's exit status.
dig_with_opts() {
  "${DIG}" -p "${PORT}" "${@}"
}

# Run rndc with the shared test configuration against the control port.
# Arguments: $1 - server address (consumed by the trailing -s),
#            remaining arguments - the rndc command.
# Returns:   rndc's exit status.
rndccmd() {
  "${RNDC}" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "${@}"
}

status=0
n=0

# A negative answer must still reach the client with the right rcode.
n=$((n + 1))
echo_i "checking non-cachable NXDOMAIN response handling ($n)"
ret=0
dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking non-cachable NODATA response handling ($n)"
ret=0
dig_with_opts +tcp nodata.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# 'resolver-query-timeout' is set to 5 seconds in ns1, so dig with a lower
# timeout value should give up earlier than that.
n=$((n + 1))
echo_i "checking no response handling with a shorter than resolver-query-timeout timeout ($n)"
ret=0
# dig is expected to fail here, hence '&& ret=1': success would mean an
# answer arrived before the client-side timeout.
dig_with_opts +tcp +tries=1 +timeout=3 noresponse.example.net @10.53.0.1 a >dig.out.ns1.test${n} && ret=1
grep -F "no servers could be reached" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# 'resolver-query-timeout' is set to 5 seconds in ns1, which is lower than the
# current single query timeout value MAX_SINGLE_QUERY_TIMEOUT of 9 seconds, so
# the "hung fetch" timer should kick in, interrupt the non-responsive query and
# send a SERVFAIL answer.
n=$((n + 1))
echo_i "checking no response handling with a longer than resolver-query-timeout timeout ($n)"
ret=0
dig_with_opts +tcp +tries=1 +timeout=7 noresponse.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep -F "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The next four checks are availability regressions: malformed upstream data
# must not take the resolver down.  Only dig's exit status is examined (the
# output is discarded), so they detect a missing reply, not a wrong rcode.
n=$((n + 1))
echo_i "checking handling of bogus referrals ($n)"
# If the server has the "INSIST(!external)" bug, this query will kill it.
dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || {
  echo_i "failed"
  status=$((status + 1))
}

n=$((n + 1))
echo_i "check handling of cname + other data / 1 ($n)"
dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || {
  echo_i "failed"
  status=$((status + 1))
}

n=$((n + 1))
echo_i "check handling of cname + other data / 2 ($n)"
dig_with_opts +tcp cname2.example.com. a @10.53.0.1 >/dev/null || {
  echo_i "failed"
  status=$((status + 1))
}

# Repeats the bogus-referral query; presumably this is what catches a server
# that died only after answering one of the queries above.
n=$((n + 1))
echo_i "check that server is still running ($n)"
dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || {
  echo_i "failed"
  status=$((status + 1))
}

# Answer filtering.  A response carrying a denied address or alias target has
# to be turned into SERVFAIL instead of being handed to the client; the
# "accept" cases confirm that permitted data still resolves.
# NOTE(review): presumably driven by deny-answer-addresses and
# deny-answer-aliases in ns1's configuration, which is not shown here.
n=$((n + 1))
echo_i "checking answer IPv4 address filtering (deny) ($n)"
ret=0
dig_with_opts +tcp www.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (deny) ($n)"
ret=0
dig_with_opts +tcp www.example.net @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv4 address filtering (accept) ($n)"
ret=0
dig_with_opts +tcp www.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (accept) ($n)"
ret=0
dig_with_opts +tcp www.example.org @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking CNAME target filtering (deny) ($n)"
ret=0
dig_with_opts +tcp badcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking CNAME target filtering (accept) ($n)"
ret=0
dig_with_opts +tcp goodcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Counter bump for the check whose header follows.
n=$((n + 1))
# A CNAME chain must be cut off rather than followed indefinitely: the
# response has to be SERVFAIL, carry the "max. restarts reached" text and
# contain exactly 12 lines mentioning CNAME.
echo_i "checking long CNAME chain target filtering (deny) ($n)"
ret=0
dig_with_opts +tcp longcname1.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep -F "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
grep -F "max. restarts reached" dig.out.ns1.test${n} >/dev/null || ret=1
lines=$(grep -F "CNAME" dig.out.ns1.test${n} | wc -l)
# Left unquoted so that any padding in the 'wc -l' output is dropped by
# word splitting before the numeric comparison.
test ${lines:-1} -eq 12 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The denial must be visible to the operator as well: besides SERVFAIL for the
# client, the log message naming the denied DNAME target is required.
# The whole of ns1/named.run is searched, not only the part written since the
# query, so an earlier identical message would also satisfy this grep.
n=$((n + 1))
echo_i "checking DNAME target filtering (deny) ($n)"
ret=0
dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking DNAME target filtering (accept) ($n)"
ret=0
dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking DNAME target filtering (accept due to subdomain) ($n)"
ret=0
dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)"
ret=0
dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A >dig.ns1.out.${n} || ret=1
grep "status: NOERROR" dig.ns1.out.${n} >/dev/null || ret=1
grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Work-amplification guard: a delegation listing many unresolvable name
# servers must not make the resolver issue an unbounded number of fetches.
n=$((n + 1))
echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
# ns5 is the recursor being tested. ns4 holds the sourcens zone containing
# names with varying numbers of NS records pointing to non-existent
# nameservers in the targetns zone on ns6.
ret=0
rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
# Compare the number of " fetch: ns.fake<nscount>" lines logged by ns5 since
# the last nextpart mark with the expected count.
# Globals:   nscount, expected (read); actual (written)
# Arguments: none are read; the arguments passed via retry_quiet are ignored.
# Returns:   0 when the counts match, 1 otherwise.
count_fetches() {
  actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}")
  [ "${actual:-0}" -eq "${expected}" ] || return 1
  return 0
}
for nscount in 1 2 3 4 5 6 7 8 9 10; do
  # Verify number of NS records at source server
  # NOTE(review): this dig has no '|| ret=1', so under 'set -e' a failure
  # here ends the script instead of failing the check -- confirm intended.
  dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns >dig.ns4.out.${nscount}.${n}
  sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';')
  test "${sourcerecs}" -eq "${nscount}" || ret=1
  test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens"

  # Expected queries = 2 * number of NS records, up to a maximum of 10.
  expected=$((nscount * 2))
  if [ "$expected" -gt 10 ]; then expected=10; fi
  # Count the number of logged fetches
  # Mark the current end of the log so that only fetches caused by the
  # query below are counted.
  nextpart ns5/named.run >/dev/null
  dig_with_opts @10.53.0.5 target${nscount}.sourcens A >dig.ns5.out.${nscount}.${n} || ret=1
  retry_quiet 5 count_fetches ns5/named.run $nscount $expected || {
    echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
    ret=1
  }
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# RT21594: the authoritative side (10.53.0.4) answers without the "aa" flag;
# the resolver at 10.53.0.5 must still accept positive, NODATA and NXDOMAIN
# answers from it.
n=$((n + 1))
echo_i "RT21594 regression test check setup ($n)"
ret=0
# Check that "aa" is not being set by the authoritative server.
dig_with_opts +tcp . @10.53.0.4 soa >dig.ns4.out.${n} || ret=1
grep 'flags: qr rd;' dig.ns4.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test positive answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
dig_with_opts +tcp . @10.53.0.5 soa >dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NODATA answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative nodata answers.
dig_with_opts +tcp . @10.53.0.5 txt >dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NXDOMAIN answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative NXDOMAIN answers.
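# Query and verdict of the RT21594 NXDOMAIN check whose header precedes
# this point.
dig_with_opts +tcp noexistent @10.53.0.5 txt >dig.ns5.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Cache-consistency check: once an address record cached as additional data
# is replaced by a negative (no data) entry, no RRSIG for it may remain.
# ret records the failing stage (1 = mx priming, 2 = ncache priming,
# 3 = second mx query, 4 = rrsig lookup) and is folded back to 1 at the end.
# Every stage overwrites dig.ns7.out.${n}, so only the last output survives.
n=$((n + 1))
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1
if [ $ret = 1 ]; then echo_i "mx priming failed"; fi
$NSUPDATE <<EOF
server 10.53.0.6 ${PORT}
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
dig_with_opts +tcp a mail.example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=2
if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi
dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=3
dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 >dig.ns7.out.${n} || ret=4
grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=4
# Report and count the check exactly once; a second identical verdict block
# used to follow here, printing "failed" twice and adding the failure to
# status twice.
if [ $ret != 0 ]; then
  echo_i "failed"
  ret=1
fi
status=$((status + ret))

# Stale-delegation checks: after a name server's address (or glue) is changed
# by dynamic update, the very next lookup has to be answered by the new server
# ("From NS 4") and no longer by the old one ("From NS 5").
n=$((n + 1))
echo_i "checking that update a nameservers address has immediate effects ($n)"
ret=0
dig_with_opts +tcp TXT foo.moves @10.53.0.7 >dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1
$NSUPDATE <<EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.server A
update add ns.server 300 A 10.53.0.4
send
EOF
sleep 1
dig_with_opts +tcp TXT bar.moves @10.53.0.7 >dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1

# Accumulate like the other checks instead of overwriting the running total
# with 1; ret is only ever 0 or 1 here.
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update a nameservers glue has immediate effects ($n)"
ret=0
dig_with_opts +tcp TXT foo.child.server @10.53.0.7 >dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1
$NSUPDATE <<EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.child.server A
update add ns.child.server 300 A 10.53.0.4
send
EOF
sleep 1
dig_with_opts +tcp TXT bar.child.server @10.53.0.7 >dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Reverse lookups for private address space must be answered locally (flag
# "aa" set) rather than being sent out to the public DNS.
n=$((n + 1))
echo_i "checking empty RFC 1918 reverse zones ($n)"
ret=0
# Check that "aa" is being set by the resolver for RFC 1918 zones
# except the one that has been deliberately disabled
dig_with_opts @10.53.0.7 -x 10.1.1.1 >dig.ns4.out.1.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 192.168.1.1 >dig.ns4.out.2.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.16.1.1 >dig.ns4.out.3.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.17.1.1 >dig.ns4.out.4.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.18.1.1 >dig.ns4.out.5.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.19.1.1 >dig.ns4.out.6.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.21.1.1 >dig.ns4.out.7.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.22.1.1 >dig.ns4.out.8.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.23.1.1 >dig.ns4.out.9.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.24.1.1 >dig.ns4.out.11.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.25.1.1 >dig.ns4.out.12.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.26.1.1 >dig.ns4.out.13.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.27.1.1 >dig.ns4.out.14.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.28.1.1 >dig.ns4.out.15.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.29.1.1 >dig.ns4.out.16.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.30.1.1 >dig.ns4.out.17.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} >/dev/null || ret=1
dig_with_opts @10.53.0.7 -x 172.31.1.1 >dig.ns4.out.18.${n} || ret=1
grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} >/dev/null || ret=1
# but this one should NOT be authoritative
dig_with_opts @10.53.0.7 -x 172.20.1.1 >dig.ns4.out.19.${n} || ret=1
grep 'flags: qr rd ra;' dig.ns4.out.19.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A delegation removed from the parent must stop resolving (NXDOMAIN) even
# while the child zone keeps rotating its own NS set; up to ten rounds are
# tried, stopping at the first NXDOMAIN.
n=$((n + 1))
echo_i "checking that removal of a delegation is honoured ($n)"
ret=0
# NOTE(review): the dig calls in this check have no '|| ret=1', so under
# 'set -e' a dig failure ends the script instead of failing the check.
dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.prime.${n}
grep "status: NOERROR" dig.ns5.prime.${n} >/dev/null || {
  ret=1
  echo_i "priming failed"
}
cp ns4/tld2.db ns4/tld.db
rndc_reload ns4 10.53.0.4 tld
old=
for i in 0 1 2 3 4 5 6 7 8 9; do
  # foo is the per-round verdict: 0 once NXDOMAIN has been observed.
  foo=0
  dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A >/dev/null
  dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.out.${n}
  grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || foo=1
  [ $foo = 0 ] && break
  $NSUPDATE <<EOF
server 10.53.0.6 ${PORT}
zone to-be-removed.tld
update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
send
EOF
  old=$i
  sleep 1
done
# Keep an earlier priming failure; otherwise take the verdict of the last round.
[ $ret = 0 ] && ret=$foo
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check for improved error message with SOA mismatch ($n)"
ret=0
dig_with_opts @10.53.0.1 www.sub.broken aaaa >dig.out.ns1.test${n} || ret=1
grep "not subdomain of zone" ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Switch ns7 to its second configuration.  The pipeline's exit status is that
# of its last stage, so a failing reconfig is not detected on this line; the
# checks that follow have to catch it.
copy_setports ns7/named2.conf.in ns7/named.conf
rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i

n=$((n + 1))
echo_i "check resolution on the listening port ($n)"
ret=0
dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1
grep "ANSWER: 1" dig.ns7.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then
  echo_i "failed"
  ret=1
fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch (${n})"
ret=0
# read prefetch value from config.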
# PREFETCH stays set for the later prefetch checks as well.
# NOTE(review): the pattern captures a single digit, so a value with more
# than one digit would be cut to its first digit -- confirm against
# ns5/named.conf.
PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf)
dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
interval=$((ttl1 - PREFETCH + 1))
# sleep so we are in prefetch range
# NOTE(review): interval is always assigned by the arithmetic above, so the
# ':-0' default looks unreachable; a missing TTL would presumably show up as a
# non-positive sleep argument instead -- confirm.
sleep ${interval:-0}
# trigger prefetch
dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.2.${n} || ret=1
ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred
# A TTL higher than the one seen a second earlier shows the record was
# refreshed instead of simply counting down.
dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.3.${n} || ret=1
ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Same sequence for a validated DS RRset: after the prefetch the DS record
# and the RRSIG covering it must both carry the refreshed TTL, and the two
# TTLs must be equal.
n=$((n + 1))
echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})"
ret=0
dig_with_opts +dnssec @10.53.0.5 ds.example.net ds >dig.out.1.${n} || ret=1
# Select DS lines whose seventh field is 2 and print their TTL (second field).
dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n})
interval=$((dsttl1 - PREFETCH + 1))
# sleep so we are in prefetch range
sleep ${interval:-0}
# trigger prefetch
dig_with_opts @10.53.0.5 ds.example.net ds >dig.out.2.${n} || ret=1
dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred
dig_with_opts @10.53.0.5 ds.example.net ds +dnssec >dig.out.3.${n} || ret=1
dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n})
sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n})
test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1
test "${sigttl:-0}" -gt "${dsttl2:-1}" || ret=1
test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Control case against 10.53.0.7; the check continues past this point.
n=$((n + 1))
echo_i "check prefetch disabled (${n})"
ret=0
dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
# Remainder of the "prefetch disabled" check whose header and first query
# precede this point.
interval=$((ttl1 - PREFETCH + 1))
# sleep so we are in expire range
sleep ${interval:-0}
tmp_ttl=$ttl1
# One polling round of the "prefetch disabled" check.
# Globals: n (read); ttl2, tmp_ttl (written)
# Returns: 1 if dig fails or the TTL did not decrease, otherwise the status
#          of the final assignment.
no_prefetch() {
  # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl.
  # since prefetch is disabled, updated ttl must be a lower value than
  # the previous one.
  dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.2.${n} || return 1
  ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
  # check that prefetch has not occurred
  if [ "$ttl2" -ge "${tmp_ttl}" ]; then
    return 1
  fi
  tmp_ttl=$ttl2
}
retry_quiet 3 no_prefetch || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch qtype * (${n})"
ret=0
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1
ttl1=$(awk '/^fetchall.tld/ { print $2 - 3; exit }' dig.out.1.${n})
# sleep so we are in prefetch range
sleep "${ttl1:-0}"
# trigger prefetch
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1
ttl2=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.2.${n})
sleep 1
# check that prefetch occurred;
# note that only the first record is prefetched,
# because of the order of the records in the cache
dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1
ttl3=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.3.${n})
test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Query-log fidelity: the "+E" marker must appear for EDNS queries and must
# be absent for a query sent with +noedns.
n=$((n + 1))
echo_i "check that E was logged on EDNS queries in the query log (${n})"
ret=0
dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any >dig.out.2.${n} || ret=1
grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null || ret=1
dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any >dig.out.2.${n} || ret=1
grep "query: noedns.fetchall.tld IN ANY" ns5/named.run >/dev/null || ret=1
grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)"
ret=0
echo "-t aaaa" >.digrc
# Each dig runs in a subshell with HOME pointed at the current directory, so
# the .digrc written above is the one picked up and the HOME change does not
# leak into the rest of the script.
(
  HOME="$(pwd)"
  export HOME
  dig_with_opts @10.53.0.4 . >dig.out.1.${n}
) || ret=1
(
  HOME="$(pwd)"
  export HOME
  dig_with_opts @10.53.0.4 . A >dig.out.2.${n}
) || ret=1
(
  HOME="$(pwd)"
  export HOME
  dig_with_opts @10.53.0.4 -x 127.0.0.1 >dig.out.3.${n}
) || ret=1
grep ';\..*IN.*AAAA$' dig.out.1.${n} >/dev/null || ret=1
grep ';\..*IN.*A$' dig.out.2.${n} >/dev/null || ret=1
grep 'extra type option' dig.out.2.${n} >/dev/null && ret=1
grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Value reported by the feature-test helper; the EDNS version 1 cases below
# run only when it is non-zero.
edns=$($FEATURETEST --edns-version)

n=$((n + 1))
echo_i "check that EDNS version is logged (${n})"
ret=0
dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any >dig.out.2.${n} || ret=1
grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run >/dev/null || ret=1
if test "${edns:-0}" != 0; then
  dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any >dig.out.2.${n} || ret=1
  grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run >/dev/null || ret=1
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if test "${edns:-0}" != 0; then
  n=$((n + 1))
  echo_i "check that edns-version is honoured (${n})"
  ret=0
  # Verified on the receiving side: the query logs of ns6 and ns7 must show
  # the EDNS version the resolver used towards each of them.
  dig_with_opts @10.53.0.5 +edns no-edns-version.tld >dig.out.1.${n} || ret=1
  grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run >/dev/null || ret=1
  dig_with_opts @10.53.0.5 +edns edns-version.tld >dig.out.2.${n} || ret=1
  grep "query: edns-version.tld IN A -E(0)" ns7/named.run >/dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
fi

n=$((n + 1))
echo_i "check that CNAME nameserver is logged correctly (${n})"
ret=0
dig_with_opts soa all-cnames @10.53.0.5 >dig.out.ns5.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns5.test${n} >/dev/null || ret=1
grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Input hardening: an unassigned opcode sent with cd/rd/ad and the reserved
# header bit set must be answered NOTIMP, with "qr" as the only one of the
# inspected flags present in the reply and no "MBZ" remark in dig's output.
n=$((n + 1))
echo_i "check that unexpected opcodes are handled correctly (${n})"
ret=0
dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag >dig.out.ns5.test${n} || ret=1
grep "status: NOTIMP" dig.out.ns5.test${n} >/dev/null || ret=1
grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} >/dev/null || ret=1
grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} >/dev/null && ret=1
grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A client-subnet option with address bits set beyond its stated prefix
# length must be rejected with FORMERR, and the reply must still carry an
# EDNS section.
n=$((n + 1))
echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
ret=0
# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff >dig.out.ns5.test${n} || ret=1
grep "status: FORMERR" dig.out.ns5.test${n} >/dev/null || ret=1
grep "; EDNS: version:" dig.out.ns5.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Client-side counterpart: dig itself has to mask the address down to the
# given prefix before sending it.
n=$((n + 1))
echo_i "check that dig +subnet zeros address bits correctly (${n})"
ret=0
dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 >dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1
grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
ret=0
# use prefetch disabled server
dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n})
# sleep so we are in expire range
sleep "${ttl1:-0}"
# look for ttl = 1, allow for one miss at getting zero ttl
# zerotonine is tripled and then listed four times, i.e. up to 120 polls
# spaced 0.05 s apart by the perl select() call.
zerotonine="0 1 2 3 4 5 6 7 8 9"
zerotonine="$zerotonine $zerotonine $zerotonine"
for i in $zerotonine $zerotonine $zerotonine $zerotonine; do
  dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.2.${n} || ret=1
  ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
  # Stop on a zero TTL (the failure case) or once the TTL is back at or
  # above ttl1, which means the record was fetched again.
  test "${ttl2:-1}" -eq 0 && break
  test "${ttl2:-1}" -ge "${ttl1:-0}" && break
  "${PERL}" -e 'select(undef, undef, undef, 0.05);'
done
test "${ttl2:-1}" -eq 0 && ret=1
test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
ret=0
dig_with_opts @10.53.0.7 zero.example.net txt >dig.out.1.${n} || ret=1
ttl=$(awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n})
test "${ttl:-1}" -eq 0 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A truncated reply with empty answer and authority sections must not carry
# "ad": the expected flag set is exactly "qr aa tc".
# NOTE(review): the two dig calls below have no '|| ret=1', so under 'set -e'
# a dig failure ends the script instead of failing the check.
n=$((n + 1))
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
ret=0
dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec >dig.out.$n
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
ret=0
dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec >dig.out.$n
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Replies lacking a question section are tolerated only when TC=1, where the
# resolver retries over TCP; with TC=0 such a reply must not be used, so none
# of NOERROR, one answer or 1.2.3.4 may show up in the result.
n=$((n + 1))
echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)"
ret=0
dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1
grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null || ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
ret=0
dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} >/dev/null && ret=1
grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null && ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Runs only when the feature-test helper reports query tracing, since the
# check depends on the trace messages grepped for in check_namedrun.
if ${FEATURETEST} --enable-querytrace; then
  n=$((n + 1))
  echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)"
  ret=0
  nextpart ns5/named.run >/dev/null
  # bind to local address so that addresses in log messages are consistent
  # between platforms
  dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions. a +tries=2 +timeout=15 >dig.ns5.out.${n} || ret=1
  grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1
  # Require four messages in the log written since the nextpart mark: the
  # empty question section accepted because TC=1, the TCP connection, the
  # empty question section reported again without the TC=1 remark, and the
  # "nextitem" message.
  # Globals: n (read)
  # Returns: 0 if all four messages are present, 1 otherwise.
  check_namedrun() {
    nextpartpeek ns5/named.run >nextpart.out.${n}
    grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} >/dev/null || return 1
    grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} >/dev/null || return 1
    grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} >/dev/null || return 1
    grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} >/dev/null || return 1
    return 0
  }
  retry_quiet 12 check_namedrun || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
ret=0
dig_with_opts @10.53.0.5 ns.formerr-to-all. a >dig.ns5.out.${n} || ret=1
grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking SERVFAIL is not returned if only some authoritative servers return FORMERR ($n)"
ret=0
dig_with_opts @10.53.0.5 ns.partial-formerr. a >dig.ns5.out.${n} || ret=1
grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The startup log must record the command line named was started with.
n=$((n + 1))
echo_i "check logged command line ($n)"
ret=0
grep "running as: .* -m record " ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
ret=0
dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns1.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# HTTPS record handling.  The loop cases matter for availability: a record
# set that refers back to itself, directly or through a CNAME, must yield a
# bounded NOERROR answer.
n=$((n + 1))
echo_i "check that the addition section for HTTPS is populated on initial query to a recursive server ($n)"
ret=0
dig_with_opts @10.53.0.7 www.example.net https >dig.out.ns7.${n} || ret=1
grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1
grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} >/dev/null || ret=1
grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1
grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1
grep "http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check HTTPS loop is handled properly ($n)"
ret=0
dig_with_opts @10.53.0.7 https-loop.example.net https >dig.out.ns7.${n} || ret=1
grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1
grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1
grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check HTTPS -> CNAME loop is handled properly ($n)"
ret=0
dig_with_opts @10.53.0.7 https-cname-loop.example.net https >dig.out.ns7.${n} || ret=1
grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1
grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1
grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check HTTPS cname chains are followed ($n)"
ret=0
dig_with_opts @10.53.0.7 https-cname.example.net https >dig.out.ns7.${n} || ret=1
grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1
grep "ADDITIONAL: 4" dig.out.ns7.${n} >/dev/null || ret=1
grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} >/dev/null || ret=1
grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1
grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# With a single try and a 5 second timeout, a resolver stuck in a lookup loop
# would show up as a dig failure instead of the required SERVFAIL.
n=$((n + 1))
echo_i "check ADB find loops are detected ($n)"
ret=0
dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org >dig.out.ns1.${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Resource-exhaustion guard: a referral listing many unresponsive servers
# must end in SERVFAIL after a bounded amount of work.
n=$((n + 1))
echo_i "check handling of large referrals to unresponsive name servers ($n)"
ret=0
dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1
# Check the total number of findname() calls triggered by a single query
# for large-referral.example.net/A.
# 'grep -c' exits non-zero when it counts no lines; '|| true' keeps the
# assignment from tripping 'set -e' in that case.
findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run || true)"
if [ "${findname_call_count}" -gt 1000 ]; then
  echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net"
  ret=1
fi
# Check whether the limit of NS RRs processed for any delegation
# encountered was not exceeded.
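if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then
  echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com"
  ret=1
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)"
ret=0
# Flush ns1 first so the answer has to be resolved rather than served from cache.
rndccmd 10.53.0.1 flush || ret=1
dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT >dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
grep "IN.*TXT.*baz" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
ret=0
#
# The two priming queries are needed until we fix dual-stack-servers fully
#
dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A >dig.out.prime1.${n} || ret=1
dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA >dig.out.prime2.${n} || ret=1
dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A >dig.out.ns9.${n} || ret=1
grep "status: NOERROR" dig.out.ns9.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check expired TTLs with qtype * (${n})"
ret=0
dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.1.${n} || ret=1
ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n})
# sleep TTL + 1 so that record has expired
sleep "${ttl1:-0}"
dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.2.${n} || ret=1
# check preconditions
grep "ANSWER: 3," dig.out.1.${n} >/dev/null || ret=1
# ${lines} is deliberately unquoted: word splitting drops any blanks that
# surround the count printed by wc.  Any record with a TTL above 30 fails.
lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l)
test ${lines:-1} -ne 0 && ret=1
# check behaviour (there may be 1 answer on very slow machines)
grep "ANSWER: [12]," dig.out.2.${n} >/dev/null || ret=1
lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.2.${n} | wc -l)
test ${lines:-1} -ne 0 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check resolver behavior when FORMERR for EDNS options happens (${n})"
ret=0
msg="resolving options-formerr/A .* server sent FORMERR with echoed DNS COOKIE"
# A failure report that stood here, directly after 'ret=0', could never fire
# and has been dropped.
# Presumably this advances the log read position so that the grep below only
# sees what the next query produced -- confirm against nextpart in conf.sh.
nextpart ns5/named.run >/dev/null
dig_with_opts +tcp @10.53.0.5 options-formerr A >dig.out.${n} || ret=1
grep "status: NOERROR" dig.out.${n} >/dev/null || ret=1
nextpart ns5/named.run | grep "$msg" >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
# NOTE(review): the title says GL#4612 while the query name is a.a.gl6412;
# confirm which issue number is intended.
echo_i "GL#4612 regression test: DS query against broken NODATA responses (${n})"
# servers ns2 and ns3 return authority SOA which matches QNAME rather than the zone
ret=0
dig_with_opts @10.53.0.7 a.a.gl6412 DS >dig.out.${n} || ret=1
grep "status: SERVFAIL" dig.out.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Response logging tests.  Positive checks use '|| ret=1' (the log line must
# be present); negative checks use '&& ret=1' (finding the line is the
# failure).  Each server's named.run is searched as a whole, so the query
# names are chosen per case.
n=$((n + 1))
echo_i "check that response codes have been logged with 'responselog yes;' ($n)"
ret=0
grep "responselog yes;" ns5/named.conf >/dev/null || ret=1
grep "response: version.bind CH TXT NOERROR" ns5/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog off' disables logging 'responselog yes;' ($n)"
ret=0
rndccmd 10.53.0.5 responselog off || ret=1
dig_with_opts @10.53.0.5 should.not.be.logged >dig.ns5.out.${n} || ret=1
grep "response: should.not.be.logged" ns5/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog on' enables logging 'responselog yes;' ($n)"
ret=0
# Precondition: the name must not be in the log before logging is enabled.
grep "response: should.be.logged" ns5/named.run >/dev/null && ret=1
rndccmd 10.53.0.5 responselog on || ret=1
dig_with_opts @10.53.0.5 should.be.logged >dig.ns5.out.${n} || ret=1
grep "response: should.be.logged" ns5/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that response codes have not been logged with default 'responselog' ($n)"
ret=0
# ns1 must not mention responselog in its configuration at all.
grep "responselog" ns1/named.conf >/dev/null && ret=1
grep "response: version.bind CH TXT NOERROR" ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog on' enables logging with default 'responselog' ($n)"
ret=0
grep "response: should.be.logged" ns1/named.run >/dev/null && ret=1
rndccmd 10.53.0.1 responselog on || ret=1
dig_with_opts @10.53.0.1 should.be.logged >dig.ns1.out.${n} || ret=1
grep "response: should.be.logged" ns1/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog off' disables logging with default 'responselog' ($n)"
ret=0
rndccmd 10.53.0.1 responselog off || ret=1
dig_with_opts @10.53.0.1 should.not.be.logged >dig.ns1.out.${n} || ret=1
grep "response: should.not.be.logged" ns1/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that response codes have not been logged with 'responselog no;' ($n)"
ret=0
grep "responselog no;" ns6/named.conf >/dev/null || ret=1
grep "response: version.bind CH TXT NOERROR" ns6/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi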
status=$((status + ret))

# The remaining stanzas drive response logging on ns6 (10.53.0.6) through
# rndc and depend on the state left by the stanza before them, so their
# order must be kept.  '|| ret=1' means the log line must be present,
# '&& ret=1' means finding it is the failure.
n=$((n + 1))
echo_i "check that 'rndc responselog on' enables logging with default 'responselog no;' ($n)"
ret=0
# Precondition: the name must not be in the log before logging is enabled.
grep "response: should.be.logged" ns6/named.run >/dev/null && ret=1
rndccmd 10.53.0.6 responselog on || ret=1
dig_with_opts @10.53.0.6 should.be.logged >dig.ns6.out.${n} || ret=1
grep "response: should.be.logged" ns6/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog' toggles logging off with default 'responselog no;' ($n)"
ret=0
# No argument: toggles the current state, which the stanza above set to on.
rndccmd 10.53.0.6 responselog || ret=1
dig_with_opts @10.53.0.6 toggled.should.not.be.logged >dig.ns6.out.${n} || ret=1
grep "response: toggled.should.not.be.logged" ns6/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog' toggles logging on with default 'responselog no;' ($n)"
ret=0
# Second toggle: back to on.
rndccmd 10.53.0.6 responselog || ret=1
dig_with_opts @10.53.0.6 toggled.should.be.logged >dig.ns6.out.${n} || ret=1
grep "response: toggled.should.be.logged" ns6/named.run >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'rndc responselog off' disables logging with default 'responselog no;' ($n)"
ret=0
rndccmd 10.53.0.6 responselog off || ret=1
dig_with_opts @10.53.0.6 should.not.be.logged >dig.ns6.out.${n} || ret=1
grep "response: should.not.be.logged" ns6/named.run >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# status is the sum of the per-test ret values; any failed test makes the
# script exit with 1.
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1