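#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

#
# System test for the "root-key-sentinel" option (the root key trust
# anchor sentinel described in RFC 8509).  A query for
#   root-key-sentinel-is-ta-<keyid>.example   or
#   root-key-sentinel-not-ta-<keyid>.example
# is sent to a resolver configured with 'root-key-sentinel yes;' (ns3)
# and to one configured with 'root-key-sentinel no;' (ns4).  <keyid> is
# taken from the key actually served by the root on ns1 (oldid, the
# configured trust anchor), derived from it as an id that is not
# configured (newid), derived as an id whose sentinel names are expected
# to be absent from the zone (badid, the expected rcode is NXDOMAIN), or
# given as an out-of-range value (72345) and a value that is not
# zero-padded to five digits (1234).
#
# The expectations encoded below: with 'root-key-sentinel yes;' the
# resolver returns SERVFAIL for "is-ta" with an unconfigured id and for
# "not-ta" with the configured id, NOERROR otherwise, and a query with
# CD=1 is answered as an ordinary name; with 'root-key-sentinel no;'
# every sentinel name is answered as an ordinary name.  Malformed ids
# (out of range, not zero-padded) must never trigger the sentinel logic.
#
# Requires conf.sh (DIG, PORT, echo_i, echo_ic).
#

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

rm -f dig.out.*

DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"

#
# Start a new numbered test case.  With one argument the title and the
# test number are printed on one line; with two arguments the second
# part is printed as a continuation line (echo_ic) carrying the number.
# Globals: n (incremented), ret (reset to 0).
#
newtest() {
  n=`expr $n + 1`
  case $# in
  1)
    echo_i "$1 ($n)"
    ;;
  2)
    echo_i "$1"
    echo_ic "$2 ($n)"
    ;;
  esac
  ret=0
}

#
# Close the current test case: report "failed" when ret is non-zero and
# fold ret into the overall exit status.
# Globals: ret (read), status (updated).
#
endtest() {
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=`expr $status + $ret`
}

#
# Zero-pad a decimal key id to the five digits used in sentinel labels
# (the last five characters of "0000<id>").
#   $1 - key id
# Outputs: the padded id on stdout.
#
pad5() {
  expr "0000$1" : '.*\(.....\)$'
}

#
# Send an A query and check the response code.
#   $1 - server number: queries go to 10.53.0.$1, output to
#        dig.out.ns$1.test$n
#   $2 - query name
#   $3 - expected rcode (NOERROR, SERVFAIL or NXDOMAIN)
#   remaining arguments are extra dig options (e.g. +cd)
# Globals: DIG, DIGOPTS, n (read); ret set to 1 when dig fails or the
# rcode does not match.
#
query() {
  _ns=$1
  _name=$2
  _rcode=$3
  shift 3
  $DIG $DIGOPTS @10.53.0.$_ns "$@" "$_name" A > dig.out.ns$_ns.test$n || ret=1
  grep "status: $_rcode" dig.out.ns$_ns.test$n > /dev/null || ret=1
}

newtest "get test ids"
$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 > dig.out.ns1.test$n || ret=1
# +rrcomm annotates each DNSKEY with a "; ... key id = NNNNN" comment.
# The extraction assumes exactly one key id in the output; anything else
# (no key, several keys) makes every later expectation meaningless, so
# flag it here instead of letting expr fail further down.
oldid=`sed -n 's/.*key id = //p' < dig.out.ns1.test$n`
case $oldid in
''|*[!0-9]*)
  echo_i "unexpected key id '$oldid'"
  ret=1
  ;;
esac
oldid=`pad5 "$oldid"`
# newid/badid are derived from oldid so they never collide with it; the
# modulus keeps them inside the 16-bit key id space.
newid=`expr \( ${oldid} + 1000 \) % 65536`
newid=`pad5 "$newid"`
badid=`expr \( ${oldid} + 7777 \) % 65536`
badid=`pad5 "$badid"`
echo_i "test id: oldid=${oldid} (configured)"
echo_i "test id: newid=${newid} (not configured)"
echo_i "test id: badid=${badid}"
endtest

newtest "check authoritative server (expect NOERROR)"
$DIG $DIGOPTS @10.53.0.2 example SOA > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
endtest

#
# ns3: 'root-key-sentinel yes;'
#

newtest "check test zone resolves with 'root-key-sentinel yes;'" " (expect NOERROR)"
$DIG $DIGOPTS @10.53.0.3 example SOA > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 root-key-sentinel-is-ta-${oldid}.example NOERROR
endtest

# A SERVFAIL produced by the sentinel must carry no answer records.
newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
query 3 root-key-sentinel-not-ta-${oldid}.example SERVFAIL
grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
endtest

# CD=1 bypasses the sentinel handling: the name resolves normally.
newtest "check root-key-sentinel-not-ta with old ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 root-key-sentinel-not-ta-${oldid}.example NOERROR +cd
endtest

newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
query 3 root-key-sentinel-is-ta-${newid}.example SERVFAIL
grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check root-key-sentinel-is-ta with new ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 root-key-sentinel-is-ta-${newid}.example NOERROR +cd
endtest

newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 root-key-sentinel-not-ta-${newid}.example NOERROR
endtest

# badid is not a configured trust anchor, so "is-ta" is still SERVFAILed
# even though the name itself does not exist; with CD=1 the underlying
# NXDOMAIN shows through.
newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
query 3 root-key-sentinel-is-ta-${badid}.example SERVFAIL
grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check root-key-sentinel-is-ta with bad ta, CD=1 and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-is-ta-${badid}.example NXDOMAIN +cd
endtest

newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-not-ta-${badid}.example NXDOMAIN
endtest

# Ids that are not valid five-digit key ids must not be treated as
# sentinel labels at all.
newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-is-ta-72345.example NXDOMAIN
endtest

newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-not-ta-72345.example NXDOMAIN
endtest

newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-is-ta-1234.example NXDOMAIN
endtest

newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 root-key-sentinel-not-ta-1234.example NXDOMAIN
endtest

# Sentinel names reached through a CNAME: only the query name is
# examined, so the CNAME owner resolves normally and the chain is
# expected in the answer.
newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 old-is-ta.example NOERROR
grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 old-not-ta.example NOERROR
grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 new-is-ta.example NOERROR
grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
query 3 new-not-ta.example NOERROR
grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 bad-is-ta.example NXDOMAIN
grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
query 3 bad-not-ta.example NXDOMAIN
grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n > /dev/null || ret=1
endtest

#
# ns4: 'root-key-sentinel no;' -- every sentinel name is an ordinary name.
#

newtest "check test zone resolves with 'root-key-sentinel no;'" " (expect NOERROR)"
$DIG $DIGOPTS @10.53.0.4 example SOA > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 root-key-sentinel-is-ta-${oldid}.example NOERROR
endtest

newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 root-key-sentinel-not-ta-${oldid}.example NOERROR
endtest

newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 root-key-sentinel-is-ta-${newid}.example NOERROR
endtest

newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 root-key-sentinel-not-ta-${newid}.example NOERROR
endtest

newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-is-ta-${badid}.example NXDOMAIN
endtest

newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-not-ta-${badid}.example NXDOMAIN
endtest

newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-is-ta-72345.example NXDOMAIN
endtest

newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-not-ta-72345.example NXDOMAIN
endtest

newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-is-ta-1234.example NXDOMAIN
endtest

newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 root-key-sentinel-not-ta-1234.example NXDOMAIN
endtest

newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 old-is-ta.example NOERROR
grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 old-not-ta.example NOERROR
grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 new-is-ta.example NOERROR
grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
query 4 new-not-ta.example NOERROR
grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 bad-is-ta.example NXDOMAIN
grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n > /dev/null || ret=1
endtest

newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
query 4 bad-not-ta.example NXDOMAIN
grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n > /dev/null || ret=1
endtest

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1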