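#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Resolver system test driver.  Every check bumps the test counter $n,
# records its own result in $ret and adds it to $status, so $status ends
# up non-zero when any check failed.  echo_i, $DIG, $RESOLVE, $RNDC, $PORT
# and $CONTROLPORT are expected to come from conf.sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

# DIGOPTS/RESOLVOPTS/RNDCCMD are expanded unquoted on purpose below so
# that they split into separate arguments.
DIGOPTS="-p ${PORT}"
RESOLVOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

n=$((n + 1))
echo_i "checking non-cachable NXDOMAIN response handling ($n)"
ret=0
$DIG $DIGOPTS +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# "${RESOLVE}" is quoted in every -x test: with an empty or unset RESOLVE
# an unquoted `[ -x ]` is true (one-argument string test), and the
# dns_client checks would then run with no binary and fail spuriously.
if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)"
    ret=0
    ${RESOLVE} -b 10.53.0.8 $RESOLVOPTS -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))

    n=$((n + 1))
    echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)"
    ret=0
    ${RESOLVE} -b 10.53.0.1 $RESOLVOPTS -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking non-cachable NODATA response handling ($n)"
ret=0
$DIG $DIGOPTS +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking non-cachable NODATA response handling using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking handling of bogus referrals ($n)"
# If the server has the "INSIST(!external)" bug, this query will kill it.
# Only dig's exit status is checked here; the "server is still running"
# check further down is what confirms named survived these queries.
$DIG $DIGOPTS +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking handling of bogus referrals using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check handling of cname + other data / 1 ($n)"
$DIG $DIGOPTS +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

n=$((n + 1))
echo_i "check handling of cname + other data / 2 ($n)"
$DIG $DIGOPTS +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

n=$((n + 1))
echo_i "check that server is still running ($n)"
$DIG $DIGOPTS +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

# Answer address filtering: ns1 must refuse (SERVFAIL) answers carrying a
# denied address and pass (NOERROR) the allowed ones.
# NOTE(review): the filter itself lives in ns1's configuration, which is
# not visible here -- presumably deny-answer-addresses; confirm.
n=$((n + 1))
echo_i "checking answer IPv4 address filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv4 address filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))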
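# "${RESOLVE}" is quoted in every -x test: with an empty or unset RESOLVE
# an unquoted `[ -x ]` is true (one-argument string test), and the
# dns_client checks would then run with no binary and fail spuriously.
if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

# CNAME/DNAME target filtering: an alias pointing at a denied target must
# yield SERVFAIL; allowed targets, and targets that are subdomains of the
# queried zone, must resolve.
# NOTE(review): the deny list is in ns1's configuration, not visible here
# -- presumably deny-answer-aliases; confirm.
n=$((n + 1))
echo_i "checking CNAME target filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking CNAME target filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking CNAME target filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1
    grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking CNAME target filtering (accept due to subdomain) ($n)"
ret=0
$DIG $DIGOPTS +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1
    grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking DNAME target filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
# The denial must also be visible in the server log, not just in the rcode.
grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking DNAME target filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking DNAME target filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1
    grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking DNAME target filtering (accept due to subdomain) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ]; then
    n=$((n + 1))
    echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1
grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1
grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
# ns5 is the recursor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
# records pointing to non-existent nameservers in the targetns zone on ns6.
# The cap pinned here bounds how many queries one referral can make the
# recursor send towards the target server (ns6).
ret=0
$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
for nscount in 1 2 3 4 5 6 7 8 9 10
do
    # Verify number of NS records at source server
    $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} || ret=1
    sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l)
    if [ $sourcerecs -ne $nscount ]; then
        echo_i "NS count incorrect for target${nscount}.sourcens"
        ret=1
    fi
    # Expected queries = 2 * number of NS records, up to a maximum of 10.
    expected=$((2 * nscount))
    if [ $expected -gt 10 ]; then expected=10; fi
    # Work out the queries made by checking statistics on the target before and after the test
    $RNDCCMD 10.53.0.6 stats || ret=1
    initial_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
    mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
    $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
    $RNDCCMD 10.53.0.6 stats || ret=1
    final_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
    mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
    # Check number of queries during the test is as expected.
    # A missing counter is treated as 0 so that the comparison below still
    # runs and reports a mismatch; an empty $actual would make `[` error
    # out, which `if` treats as false, silently skipping the failure.
    actual=$((${final_count:-0} - ${initial_count:-0}))
    if [ "$actual" -ne "$expected" ]; then
        echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
        ret=1
    fi
done
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test check setup ($n)"
ret=0
# Check that "aa" is not being set by the authoritative server.
$DIG $DIGOPTS +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1
grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test positive answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
$DIG $DIGOPTS +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NODATA answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative nodata answers.
$DIG $DIGOPTS +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NXDOMAIN answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative NXDOMAIN answers.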
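$DIG $DIGOPTS +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
# $ret doubles as a stage marker here (1 = mx priming, 2 = ncache priming,
# 3 = second mx lookup, 4 = RRSIG check); it is folded back to 1 before
# being added to $status.
ret=0
$DIG $DIGOPTS +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
if [ "$ret" = 1 ]; then echo_i "mx priming failed"; fi
# Replace the A record with an AAAA so the cached additional A data is
# superseded by a negative (no data) entry on the next lookup.
$NSUPDATE << EOF
server 10.53.0.6 ${PORT}
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
$DIG $DIGOPTS +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
if [ "$ret" = 2 ]; then echo_i "ncache priming failed"; fi
$DIG $DIGOPTS +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
$DIG $DIGOPTS +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
# The result is accounted for once; a second copy of this check used to
# print "failed" twice and add the same failure to $status twice.
if [ "$ret" != 0 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update a nameservers address has immediate effects ($n)"
ret=0
$DIG $DIGOPTS +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
# Repoint ns.server at 10.53.0.4; the next lookup must be answered by it.
$NSUPDATE << EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.server A
update add ns.server 300 A 10.53.0.4
send
EOF
sleep 1
$DIG $DIGOPTS +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1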
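grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

# Failures are added to $status like everywhere else in this script;
# assigning status=1 here used to discard the count accumulated so far.
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update a nameservers glue has immediate effects ($n)"
ret=0
$DIG $DIGOPTS +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
$NSUPDATE << EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.child.server A
update add ns.child.server 300 A 10.53.0.4
send
EOF
sleep 1
$DIG $DIGOPTS +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking empty RFC 1918 reverse zones ($n)"
ret=0
# Check that "aa" is being set by the resolver for RFC 1918 zones
# except the one that has been deliberately disabled.
# Each entry is <output file index>:<address>; the indices (including the
# gap at 10) match the output file names this check has always produced.
for pair in 1:10.1.1.1 2:192.168.1.1 3:172.16.1.1 4:172.17.1.1 \
            5:172.18.1.1 6:172.19.1.1 7:172.21.1.1 8:172.22.1.1 \
            9:172.23.1.1 11:172.24.1.1 12:172.25.1.1 13:172.26.1.1 \
            14:172.27.1.1 15:172.28.1.1 16:172.29.1.1 17:172.30.1.1 \
            18:172.31.1.1
do
    idx=${pair%%:*}
    addr=${pair#*:}
    $DIG $DIGOPTS @10.53.0.7 -x $addr > dig.ns4.out.${idx}.${n} || ret=1
    grep 'flags: qr aa rd ra;' dig.ns4.out.${idx}.${n} > /dev/null || ret=1
done
# but this one should NOT be authoritative
$DIG $DIGOPTS @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1
grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that removal of a delegation is honoured ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n}
grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; }
# Swap in the zone file without the delegation and reload it on ns4.
cp ns4/tld2.db ns4/tld.db
rndc_reload ns4 10.53.0.4 tld
old=
# Up to ten attempts: keep rotating the child zone's NS set on ns6 until
# ns5 reports NXDOMAIN for the removed delegation.
for i in 0 1 2 3 4 5 6 7 8 9
do
    foo=0
    $DIG $DIGOPTS @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null
    $DIG $DIGOPTS @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n}
    grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1
    [ $foo = 0 ] && break
    $NSUPDATE << EOF
server 10.53.0.6 ${PORT}
zone to-be-removed.tld
update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
send
EOF
    old=$i
    sleep 1
done
# A priming failure already set ret; otherwise take the loop's verdict.
if [ "$ret" = 0 ]; then ret=$foo; fi
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check for improved error message with SOA mismatch ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1
grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Switch ns7 to its second configuration before the remaining checks.
copy_setports ns7/named2.conf.in ns7/named.conf
$RNDCCMD 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i

n=$((n + 1))
echo_i "check resolution on the listening port ($n)"
ret=0
$DIG $DIGOPTS +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch (${n})"
ret=0
# read prefetch value from config.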
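# Capture the whole number after "prefetch", not just its first digit, so
# a multi-digit trigger value in ns5/named.conf is read correctly.
PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9][0-9]*\).*/\1/p" ns5/named.conf)
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
# Missing values count as 0 and the result is clamped at 0: a negative
# interval would only make sleep fail; the TTL comparison below is what
# decides the test.
interval=$((${ttl1:-0} - ${PREFETCH:-0} + 1))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in prefetch range
sleep "$interval"
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1
ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred: the TTL must have gone up again
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1
ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
test ${ttl:-0} -gt ${ttl2:-1} || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})"
ret=0
$DIG $DIGOPTS +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1
dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n})
interval=$((${dsttl1:-0} - ${PREFETCH:-0} + 1))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in prefetch range
sleep "$interval"
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1
dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred: both the DS and its RRSIG must carry the
# refreshed TTL, and the two must agree
$DIG $DIGOPTS @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n})
sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n})
test ${dsttl:-0} -gt ${dsttl2:-1} || ret=1
test ${sigttl:-0} -gt ${dsttl2:-1} || ret=1
test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch disabled (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})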
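# Missing values count as 0 and the result is clamped at 0: a negative
# interval would only make sleep fail.
interval=$((${ttl1:-0} - ${PREFETCH:-0} + 1))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in expire range
sleep "$interval"
tmp_ttl=$ttl1
# Fetch the record from 10.53.0.7 and succeed only if its TTL is lower
# than the previously seen one ($tmp_ttl), which is then updated.
# Globals:   DIG, DIGOPTS, n (read); ttl2, tmp_ttl (written)
# Returns:   0 if the TTL decreased, 1 otherwise
no_prefetch() {
    # since prefetch is disabled, updated ttl must be a lower value than
    # the previous one.
    $DIG $DIGOPTS @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1
    ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
    # A missing TTL on either side must count as a failure.  Left
    # unchecked, the numeric test below errors out on an empty operand,
    # `if` treats that as false, and the function would report success.
    if [ -z "$ttl2" ] || [ -z "$tmp_ttl" ]; then
        return 1
    fi
    # check that prefetch has not occurred
    if [ "$ttl2" -ge "$tmp_ttl" ]; then
        return 1
    fi
    tmp_ttl=$ttl2
}
retry_quiet 3 no_prefetch || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch qtype * (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
# sleep so we are in prefetch range
sleep ${ttl1:-0}
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1
ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
sleep 1
# check that the nameserver is still alive
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that E was logged on EDNS queries in the query log (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1
# The non-EDNS query must be logged without the +E marker.
grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)"
ret=0
# dig is pointed at the .digrc written here by overriding HOME with the
# current directory; the path is quoted so a working directory containing
# whitespace is passed as one word.
echo "-t aaaa" > .digrc
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 . > dig.out.1.${n} || ret=1
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 . A > dig.out.2.${n} || ret=1
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n} || ret=1
grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1
grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1
grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1
grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A non-zero value enables the EDNS version 1 checks below.
edns=$($FEATURETEST --edns-version)

n=$((n + 1))
echo_i "check that EDNS version is logged (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1
if test ${edns:-0} != 0; then
    $DIG $DIGOPTS @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1
    grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1
fi
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if test ${edns:-0} != 0; then
    n=$((n + 1))
    echo_i "check that edns-version is honoured (${n})"
    ret=0
    $DIG $DIGOPTS @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1
    grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1
    $DIG $DIGOPTS @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1
    grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check that CNAME nameserver is logged correctly (${n})"
ret=0
$DIG $DIGOPTS soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1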
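# The resolver must log why the CNAME nameserver was skipped.
grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that unexpected opcodes are handled correctly (${n})"
ret=0
# The request uses opcode 15 with CD, RD, AD and the Z bit set.  The reply
# must be NOTIMP with QR set and none of ra/rd/cd/ad or a must-be-zero bit
# present in the flags line.
$DIG $DIGOPTS soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
ret=0
# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
# All 32 address bits are set although only 31 are declared significant,
# so the option is malformed: expect FORMERR, with an OPT record still
# present in the reply.
$DIG $DIGOPTS soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1
grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that dig +subnet zeros address bits correctly (${n})"
ret=0
# Client-side counterpart of the previous test: dig must clear the bits
# beyond the /23 prefix before sending.
$DIG $DIGOPTS soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# delegation-only: queries at the zone apex must still be answered, while
# data below the apex must come back as NXDOMAIN.

n=`expr $n + 1`
echo_i "check that SOA query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The counter is incremented once per test; a second increment that used to
# follow the SOA check only made the numbering skip a value.
n=`expr $n + 1`
echo_i "check that NS query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that A query returns data for delegation-only A apex (${n})"
ret=0
$DIG $DIGOPTS a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that CDS query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
ret=0
# NOTE(review): the description says AAAA but the query type is "a", so this
# repeats the A check above and the AAAA path is not exercised.  Switch the
# type to "aaaa" once the apex AAAA record in the zone data is confirmed.
$DIG $DIGOPTS a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
ret=0
$DIG $DIGOPTS a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
ret=0
$DIG $DIGOPTS cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
ret=0
$DIG $DIGOPTS aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
ret=0
$DIG $DIGOPTS cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
ret=0
# use prefetch disabled server
$DIG $DIGOPTS @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1
# ttl1 is the TTL just returned minus two seconds.
ttl1=`awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n}`
# sleep so we are in expire range
sleep ${ttl1:-0}
# look for ttl = 1, allow for one miss at getting zero ttl
# Up to 120 polls, 50 ms apart.  The loop stops as soon as a zero TTL is
# seen (the failure case) or the TTL is back at or above ttl1, meaning the
# record expired and was fetched again.
zerotonine="0 1 2 3 4 5 6 7 8 9"
zerotonine="$zerotonine $zerotonine $zerotonine"
for i in $zerotonine $zerotonine $zerotonine $zerotonine
do
    $DIG $DIGOPTS @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1
    ttl2=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}`
    test ${ttl2:-1} -eq 0 && break
    test ${ttl2:-1} -ge ${ttl1:-0} && break
    $PERL -e 'select(undef, undef, undef, 0.05);'
done
test ${ttl2:-1} -eq 0 && ret=1
# Fail when the polls ran out without the record being refreshed.  This
# line used "|| break", which does nothing outside a loop, so the
# condition could never fail the test.
test ${ttl2:-1} -ge ${ttl1:-0} || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1
ttl=`awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n}`
test ${ttl:-1} -eq 0 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The next two tests send a non-recursive DNSKEY query with a 512-byte
# buffer and +ignore (no TCP retry on truncation).  The flags line must be
# exactly "qr aa tc" with empty answer and authority sections, so a
# truncated, empty reply never carries the AD bit.  dig's exit status is not
# folded into ret here; the grep alone decides the result.

n=`expr $n + 1`
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Replies without a question section: tolerated only when TC=1, in which
# case the resolver retries over TCP and the answer 1.2.3.4 comes back.
# With TC=0 the same reply must not yield an answer.

n=`expr $n + 1`
echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1
grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 ns.formerr-to-all. a > dig.ns5.out.${n} || ret=1
grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check logged command line ($n)"
ret=0
# ns1's log must record the command line, including the -m option string.
grep "running as: .* -m record,size,mctx " ns1/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# status is the number of failed checks; any failure makes the script exit 1.
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1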