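#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Resolver system test driver.
#
# Sends queries with dig (and, when $RESOLVE is an executable file, with the
# dns_client based resolve tool) to the test servers on 10.53.0.x and checks
# the response status, the answer data and, for some checks, lines in a
# server's named.run log.  Every check increments $n; every failed check
# adds to $status.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="-p ${PORT}"
RESOLVOPTS="-p ${PORT}"
# RNDCCMD deliberately holds a command plus arguments and ends in "-s", so it
# must stay unquoted where it is used and be followed by the server address.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

n=$((n + 1))
echo_i "checking non-cachable NXDOMAIN response handling ($n)"
ret=0
$DIG $DIGOPTS +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# "${RESOLVE}" is quoted in every -x test below: with an empty or unset
# RESOLVE the unquoted form collapses to `[ -x ]`, which is true, and the
# dns_client checks would then run with no command instead of being skipped.
if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

if [ -x "${RESOLVE}" ] ; then
    # Source-address access control: the same query is expected to fail from
    # 10.53.0.8 and to succeed from 10.53.0.1.
    n=$((n + 1))
    echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)"
    ret=0
    ${RESOLVE} -b 10.53.0.8 $RESOLVOPTS -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))

    n=$((n + 1))
    echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)"
    ret=0
    ${RESOLVE} -b 10.53.0.1 $RESOLVOPTS -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking non-cachable NODATA response handling ($n)"
ret=0
$DIG $DIGOPTS +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking non-cachable NODATA response handling using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking handling of bogus referrals ($n)"
# If the server has the "INSIST(!external)" bug, this query will kill it.
$DIG $DIGOPTS +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking handling of bogus referrals using dns_client ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1
    grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check handling of cname + other data / 1 ($n)"
$DIG $DIGOPTS +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

n=$((n + 1))
echo_i "check handling of cname + other data / 2 ($n)"
$DIG $DIGOPTS +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

# Liveness probe: the three queries above only pass if dig gets a reply, so a
# server crash caused by one of them shows up here at the latest.
n=$((n + 1))
echo_i "check that server is still running ($n)"
$DIG $DIGOPTS +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }

# Answer filtering checks.
# NOTE(review): these presumably exercise named's deny-answer-addresses and
# deny-answer-aliases options (a DNS rebinding defence); the server
# configuration is not part of this file, so confirm against ns1/named.conf.
# NOTE(review): the address and CNAME "deny" checks accept any SERVFAIL.  An
# unrelated resolution failure produces the same status, so they do not prove
# that the filter was what rejected the answer.  Only the DNAME deny check
# below also looks for the denial line in ns1/named.run.
n=$((n + 1))
echo_i "checking answer IPv4 address filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking answer IPv4 address filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))


if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking answer IPv6 address filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking CNAME target filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking CNAME target filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking CNAME target filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1
    grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking CNAME target filtering (accept due to subdomain) ($n)"
ret=0
$DIG $DIGOPTS +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1
    grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking DNAME target filtering (deny) ($n)"
ret=0
$DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
# The log line ties the SERVFAIL to the filter decision rather than to some
# other resolution failure.
grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking DNAME target filtering (accept) ($n)"
ret=0
$DIG $DIGOPTS +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking DNAME target filtering using dns_client (accept) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1
    grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "checking DNAME target filtering (accept due to subdomain) ($n)"
ret=0
$DIG $DIGOPTS +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if [ -x "${RESOLVE}" ] ; then
    n=$((n + 1))
    echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)"
    ret=0
    $RESOLVE $RESOLVOPTS -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || ret=1
    grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
    grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1
grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1
grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
# ns5 is the recursor being tested.  ns4 holds the sourcens zone containing
# names with varying numbers of NS records pointing to non-existent
# nameservers in the targetns zone on ns6.  The cap checked here bounds how
# many queries one referral can make the recursor send to the target servers.
ret=0
$RNDCCMD 10.53.0.5 flush || ret=1	# Ensure cache is empty before doing this test
for nscount in 1 2 3 4 5 6 7 8 9 10
do
    # Verify number of NS records at source server
    $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
    sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -c -v ';')
    if [ "${sourcerecs:-0}" -ne "$nscount" ]; then
        ret=1
        echo_i "NS count incorrect for target${nscount}.sourcens"
    fi
    # Expected queries = 2 * number of NS records, up to a maximum of 10.
    expected=$((2 * nscount))
    if [ "$expected" -gt 10 ]; then expected=10; fi
    # Work out the queries made by checking statistics on the target before and after the test
    $RNDCCMD 10.53.0.6 stats || ret=1
    initial_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
    mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
    $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
    $RNDCCMD 10.53.0.6 stats || ret=1
    final_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
    mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
    # Check number of queries during the test is as expected.  A counter that
    # is missing from the statistics file is read as 0, and an unusable
    # difference as -1, so that a broken stats dump is reported as a count
    # mismatch instead of making the comparison error out and be skipped.
    actual=$(expr "${final_count:-0}" - "${initial_count:-0}")
    if [ "${actual:--1}" -ne "$expected" ]; then
        echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
        ret=1
    fi
done
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test check setup ($n)"
ret=0
# Check that "aa" is not being set by the authoritative server.
$DIG $DIGOPTS +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1
grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test positive answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
$DIG $DIGOPTS +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NODATA answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative nodata answers.
$DIG $DIGOPTS +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "RT21594 regression test NXDOMAIN answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative NXDOMAIN answers.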
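# Query of the NXDOMAIN check whose header ($n, echo_i, ret=0) precedes this
# point in the script.
$DIG $DIGOPTS +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
# ret records the stage that failed (1 = mx priming, 2 = ncache priming,
# 3 = second mx query, 4 = rrsig check); a later stage overwrites an earlier
# value.  It is folded back to 1 before being added to $status.
ret=0
$DIG $DIGOPTS +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
if [ "$ret" = 1 ]; then echo_i "mx priming failed"; fi
# NOTE(review): the exit status of nsupdate is not checked; a rejected update
# is only noticed indirectly through the queries that follow.
$NSUPDATE << EOF
server 10.53.0.6 ${PORT}
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
$DIG $DIGOPTS +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
if [ "$ret" = 2 ]; then echo_i "ncache priming failed"; fi
$DIG $DIGOPTS +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
$DIG $DIGOPTS +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
# The result is accounted for exactly once.  The original repeated this
# if/status pair, which printed "failed" twice and counted one failure twice.
if [ "$ret" != 0 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update a nameservers address has immediate effects ($n)"
ret=0
$DIG $DIGOPTS +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
$NSUPDATE << EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.server A
update add ns.server 300 A 10.53.0.4
send
EOF
# Give the update a moment to take effect before querying again.
sleep 1
$DIG $DIGOPTS +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1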
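# Final assertion of the "nameservers address" check started earlier in the
# script: after the update the answer must come from NS 4.
grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

# Failures in this part of the script are added to $status like everywhere
# else in the file; the original assigned status=1 here, which discarded the
# running failure count.
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that update a nameservers glue has immediate effects ($n)"
ret=0
$DIG $DIGOPTS +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1
grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
$NSUPDATE << EOF
server 10.53.0.7 ${PORT}
zone server
update delete ns.child.server A
update add ns.child.server 300 A 10.53.0.4
send
EOF
sleep 1
$DIG $DIGOPTS +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1
grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1

if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking empty RFC 1918 reverse zones ($n)"
ret=0
# Check that "aa" is being set by the resolver for RFC 1918 zones
# except the one that has been deliberately disabled.
# Each entry is <output file index>:<address>.  The indexes reproduce the
# original file names (10 is not used).  The files are named dig.ns4.out.*
# although the server queried is 10.53.0.7; the names are kept unchanged in
# case other scripts refer to them.
for rfc1918_probe in \
    1:10.1.1.1 2:192.168.1.1 3:172.16.1.1 4:172.17.1.1 5:172.18.1.1 \
    6:172.19.1.1 7:172.21.1.1 8:172.22.1.1 9:172.23.1.1 11:172.24.1.1 \
    12:172.25.1.1 13:172.26.1.1 14:172.27.1.1 15:172.28.1.1 \
    16:172.29.1.1 17:172.30.1.1 18:172.31.1.1
do
    rfc1918_idx=${rfc1918_probe%%:*}
    rfc1918_addr=${rfc1918_probe#*:}
    $DIG $DIGOPTS @10.53.0.7 -x $rfc1918_addr > dig.ns4.out.${rfc1918_idx}.${n} || ret=1
    grep 'flags: qr aa rd ra;' dig.ns4.out.${rfc1918_idx}.${n} > /dev/null || ret=1
done
# but this one should NOT be authoritative
$DIG $DIGOPTS @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1
grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that removal of a delegation is honoured ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n}
grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; }
cp ns4/tld2.db ns4/tld.db
rndc_reload ns4 10.53.0.4 tld
# Poll up to ten times for the delegation to disappear, rotating the NS name
# of the removed zone on every round.
# NOTE(review): $old is empty on the first round, so the first delete names
# "ns.to-be-removed.tld"; this is presumably the original NS name - confirm
# against the zone data.
old=
for i in 0 1 2 3 4 5 6 7 8 9
do
    foo=0
    $DIG $DIGOPTS @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null
    $DIG $DIGOPTS @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n}
    grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1
    [ "$foo" = 0 ] && break
    $NSUPDATE << EOF
server 10.53.0.6 ${PORT}
zone to-be-removed.tld
update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
send
EOF
    old=$i
    sleep 1
done
# foo is 0 only if one of the rounds saw NXDOMAIN.
[ "$ret" = 0 ] && ret=$foo;
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check for improved error message with SOA mismatch ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1
grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Switch ns7 to its second configuration for the checks that follow.
copy_setports ns7/named2.conf.in ns7/named.conf
$RNDCCMD 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i

n=$((n + 1))
echo_i "check resolution on the listening port ($n)"
ret=0
$DIG $DIGOPTS +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; ret=1; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch (${n})"
ret=0
# read prefetch value from config.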
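PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf)
# NOTE(review): the pattern captures a single digit, so a configured prefetch
# value of 10 or more would be read as its first digit only.
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
# Wait until the remaining TTL is inside the prefetch window.  Missing values
# are read as 0 and the result is clamped at 0: the original
# ${interval:-0} fallback could never apply because interval is always
# assigned, so a missing TTL handed sleep a negative argument.
interval=$(( ${ttl1:-0} - ${PREFETCH:-0} + 1 ))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in prefetch range
sleep "$interval"
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1
ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred: the TTL must have gone up again
$DIG $DIGOPTS @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1
ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})"
ret=0
$DIG $DIGOPTS +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1
dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n})
interval=$(( ${dsttl1:-0} - ${PREFETCH:-0} + 1 ))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in prefetch range
sleep "$interval"
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1
dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n})
sleep 1
# check that prefetch occurred: both the DS and its RRSIG must carry the
# refreshed TTL, and the two must agree
$DIG $DIGOPTS @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n})
sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n})
test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1
test "${sigttl:-0}" -gt "${dsttl2:-1}" || ret=1
test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch disabled (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})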
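# Continuation of the "check prefetch disabled" check: ttl1 and PREFETCH are
# set earlier in the script.  Missing values are read as 0 and the result is
# clamped at 0 so that sleep never receives a negative argument.
interval=$(( ${ttl1:-0} - ${PREFETCH:-0} + 1 ))
[ "$interval" -gt 0 ] || interval=0
# sleep so we are in expire range
sleep "$interval"
tmp_ttl=$ttl1
#######################################
# Fetch the record once and require that its TTL has decreased.
# Globals:   DIG, DIGOPTS, n (read); ttl2, tmp_ttl (written)
# Outputs:   writes the dig response to dig.out.2.${n}
# Returns:   0 if a TTL was found and it is lower than tmp_ttl, else 1
#######################################
no_prefetch() {
    # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl.
    # since prefetch is disabled, updated ttl must be a lower value than
    # the previous one.
    $DIG $DIGOPTS @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1
    ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
    # A response without the record must fail the check.  The original
    # unquoted comparison errored out on an empty value, the "if" was then
    # treated as false and the function returned success.
    [ -n "$ttl2" ] || return 1
    # check that prefetch has not occurred; a missing baseline counts as 0,
    # which makes the check fail instead of pass
    if [ "$ttl2" -ge "${tmp_ttl:-0}" ]; then
        return 1
    fi
    tmp_ttl=$ttl2
}
retry_quiet 3 no_prefetch || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check prefetch qtype * (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1
ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
# TTL - 3 is negative for a TTL below 3; do not pass that to sleep.
case "${ttl1:-0}" in
    -*) ttl1=0 ;;
esac
# sleep so we are in prefetch range
sleep ${ttl1:-0}
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1
ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
sleep 1
# check that the nameserver is still alive
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that E was logged on EDNS queries in the query log (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1
$DIG $DIGOPTS @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1
# Negative assertion: the +noedns query must not be logged with the E flag.
grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)"
ret=0
# HOME is pointed at the current directory for these three dig runs, so the
# .digrc written here is the one dig reads and the invoking user's own
# ~/.digrc is neither read nor touched.
echo "-t aaaa" > .digrc
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 . > dig.out.1.${n} || ret=1
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 . A > dig.out.2.${n} || ret=1
env HOME="$(pwd)" $DIG $DIGOPTS @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n} || ret=1
grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1
grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1
grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1
grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Value reported by the feature test tool; any value other than 0 enables the
# EDNS version 1 checks below.
edns=$($FEATURETEST --edns-version)

n=$((n + 1))
echo_i "check that EDNS version is logged (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1
grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1
if test "${edns:-0}" != 0; then
    $DIG $DIGOPTS @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1
    grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1
fi
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

if test "${edns:-0}" != 0; then
    n=$((n + 1))
    echo_i "check that edns-version is honoured (${n})"
    ret=0
    $DIG $DIGOPTS @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1
    grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1
    $DIG $DIGOPTS @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1
    grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1
    if [ "$ret" != 0 ]; then echo_i "failed"; fi
    status=$((status + ret))
fi

n=$((n + 1))
echo_i "check that CNAME nameserver is logged correctly (${n})"
ret=0
$DIG $DIGOPTS soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1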
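# Tail of the "CNAME nameserver is logged correctly" check begun just above:
# ns5/named.run must contain the message saying the CNAME-valued nameserver
# was skipped.
grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that unexpected opcodes are handled correctly (${n})"
ret=0
# The query carries opcode 15 with CD, RD, AD and the Z flag requested.
# The reply must be NOTIMP with QR set, and must not show ra, rd, cd, ad
# or an "MBZ" marker on the flags line.
$DIG $DIGOPTS soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
ret=0
# Raw EDNS option 8 (client subnet) whose address has bits set beyond the
# declared 31-bit prefix:
# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
# The server must answer FORMERR and the reply must still carry an EDNS
# section.
$DIG $DIGOPTS soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1
grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that dig +subnet zeros address bits correctly (${n})"
ret=0
# Client-side counterpart of the previous check: dig itself must clear the
# bits beyond /23 before sending, so the option is echoed as 255.255.254.0/23.
$DIG $DIGOPTS soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# delegation-only checks, part 1: queries at the zone apex must return
# NOERROR with exactly one answer for each of the listed types.
n=`expr $n + 1`
echo_i "check that SOA query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The counter is bumped once per check; a second increment here would only
# leave a gap in the test numbering and the output file names.
n=`expr $n + 1`
echo_i "check that NS query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that A query returns data for delegation-only A apex (${n})"
ret=0
$DIG $DIGOPTS a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that CDS query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
ret=0
# NOTE(review): the title says AAAA but the query type below is "a", so this
# repeats the A-apex check and AAAA at the apex is never exercised. Switching
# to "aaaa" needs an apex AAAA record in the test zone -- confirm against the
# zone data before changing it.
$DIG $DIGOPTS a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
ret=0
$DIG $DIGOPTS cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# delegation-only checks, part 2: the same kinds of query below the apex
# must be answered with NXDOMAIN.
n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
ret=0
$DIG $DIGOPTS a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
ret=0
$DIG $DIGOPTS cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
ret=0
$DIG $DIGOPTS aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
ret=0
$DIG $DIGOPTS cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
ret=0
# use prefetch disabled server
$DIG $DIGOPTS @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1
# ttl1 is the TTL just returned minus two seconds.
ttl1=`awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n}`
# sleep so we are in expire range
sleep ${ttl1:-0}
# look for ttl = 1, allow for one miss at getting zero ttl
# The word list only sizes the loop: 30 words repeated 4 times gives at most
# 120 polls, each followed by a 0.05 s pause.
zerotonine="0 1 2 3 4 5 6 7 8 9"
zerotonine="$zerotonine $zerotonine $zerotonine"
for i in $zerotonine $zerotonine $zerotonine $zerotonine
do
    $DIG $DIGOPTS @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1
    ttl2=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}`
    # Stop polling on a zero TTL (the failure being tested for) ...
    test ${ttl2:-1} -eq 0 && break
    # ... or once the TTL is back at or above ttl1 (the record was refetched).
    test ${ttl2:-1} -ge ${ttl1:-0} && break
    $PERL -e 'select(undef, undef, undef, 0.05);'
done
test ${ttl2:-1} -eq 0 && ret=1
# If polling ran out without the TTL returning to at least ttl1, record a
# failure. A bare "break" at this point has no enclosing loop, so it could
# never mark the test as failed.
test ${ttl2:-1} -ge ${ttl1:-0} || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1
ttl=`awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n}`
test ${ttl:-1} -eq 0 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
ret=0
# +bufsize=512 with +ignore keeps the truncated UDP reply instead of retrying
# over TCP. Its flags line must read exactly "qr aa tc" (so no "ad"), with
# empty answer and authority sections. The dig exit status is checked like in
# the neighbouring checks.
$DIG $DIGOPTS @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n || ret=1
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
ret=0
# Same expectation as the previous check, with the request made using
# +dnssec and +noad instead of +ad and +nodnssec.
$DIG $DIGOPTS @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n || ret=1
grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)"
ret=0
# Positive case: the lookup must end with NOERROR and the single answer
# 1.2.3.4.
$DIG $DIGOPTS @10.53.0.5 truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
ret=0
# Negative case: the greps are inverted, so the check fails if the lookup
# shows NOERROR, one answer, or the address 1.2.3.4.
$DIG $DIGOPTS @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1
grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1
grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.5 ns.formerr-to-all. a > dig.ns5.out.${n} || ret=1
grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check logged command line ($n)"
ret=0
# No query is sent here: the ns1 log must contain a "running as:" line that
# includes the "-m record,size,mctx " option.
grep "running as: .* -m record,size,mctx " ns1/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# $status counts the failed checks; any failure makes the script exit 1.
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1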