#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for static-stub zones.
#
# ns2 (10.53.0.2) is the server under test; every query below is sent to it.
# ns3 (10.53.0.3) is the server whose named.conf carries the "example" zone
# that ns2 reaches through its static-stub configuration.  Each check counts
# its own failures in $ret, which is then folded into $status; the script
# exits non-zero if any check failed.  dig output is kept in
# dig.out.ns2.*.test$n so a failure can be diagnosed afterwards, and "tmp"
# in the test directory is scratch space for rewritten named.conf files.

set -e

. ../conf.sh

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

# Start check number $n: bump the counter, announce "$1 ($n)" and clear $ret.
begin_check() {
  n=$((n + 1))
  echo_i "$1 ($n)"
  ret=0
}

# Finish the current check: report a failure when $ret is non-zero and add
# it to the running $status.  Written as if/fi rather than "&&" so that a
# passing check does not leave a non-zero status for "set -e" to trip on.
tally_check() {
  if [ "$ret" != 0 ]; then
    echo_i "failed"
  fi
  status=$((status + ret))
}

# Regenerate $1/named.conf from $1/named.conf.in, apply the sed script $2 to
# the result, then reload the server $1 that listens on $3.  $2 is always a
# fixed literal from this file, never test output.
reload_with_conf() {
  copy_setports "$1/named.conf.in" tmp
  sed "$2" tmp >"$1/named.conf"
  rndc_reload "$1" "$3"
}

# Every conf/good*.conf must pass named-checkconf.
for conf in conf/good*.conf; do
  begin_check "checking that $conf is accepted"
  if ! $CHECKCONF "$conf"; then
    ret=1
  fi
  tally_check
done

# Every conf/bad*.conf must be rejected; its diagnostics are not of interest.
for conf in conf/bad*.conf; do
  begin_check "checking that $conf is rejected"
  if $CHECKCONF "$conf" >/dev/null; then
    ret=1
  fi
  tally_check
done

# A zone transfer of the static-stub zone must fail: ns2 only holds
# delegation information for it, so dig must report the transfer as failed.
begin_check "trying an axfr that should be denied (NOTAUTH)"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr >"$out" || ret=1
grep "; Transfer failed." "$out" >/dev/null || ret=1
tally_check

# With recursion disabled (+norec) ns2 has no authoritative data for the
# static-stub zone to answer from, so the query must be REFUSED rather than
# answered from the stub configuration.
begin_check "non recursive query for a static-stub zone with server name should be rejected"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt >"$out" || ret=1
grep "REFUSED" "$out" >/dev/null || ret=1
tally_check

# Same expectation for the static-stub zone configured with a server name.
begin_check "non recursive query for a static-stub zone with server name should be rejected"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt >"$out" || ret=1
grep "REFUSED" "$out" >/dev/null || ret=1
tally_check

# Source the query from 10.53.0.7 (-b); that address is expected to fall
# outside the allow-query ACL, so the answer must be REFUSED.
begin_check "allow-query ACL"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \
  >"$out" || ret=1
grep "REFUSED" "$out" >/dev/null || ret=1
tally_check

# With recursion the static-stub zone resolves; compare against the known
# good answer rather than a single grep.
begin_check "look for static-stub zone data with recursion (should be found)"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt >"$out" || ret=1
digcomp knowngood.dig.out.rec "$out" || ret=1
tally_check

begin_check "checking authoritative NS is ignored for delegation"
out1=dig.out.ns2.test1.$n
out2=dig.out.ns2.test2.$n
# the auth server returns a different (and incorrect) NS for example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 ns >"$out1" || ret=1
grep "ns4.example." "$out1" >/dev/null || ret=1
# but the static-stub configuration should still be used for delegation
$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt >"$out2" || ret=1
grep "2nd test data" "$out2" >/dev/null || ret=1
tally_check

begin_check "checking queries for a child zone of the static-stub zone"
out1=dig.out.ns2.test1.$n
out2=dig.out.ns2.test2.$n
# prime the delegation to a child zone of the static-stub zone
$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt >"$out1" || ret=1
grep "1st sub test data" "$out1" >/dev/null || ret=1
# temporarily remove the parent zone from ns3
reload_with_conf ns3 's/EXAMPLE_ZONE_PLACEHOLDER//' 10.53.0.3
# query the child zone again. this should go directly to the child and
# succeed; allow up to ten one-second retries for the reload to settle.
attempt=0
while [ "$attempt" -lt 10 ]; do
  $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt >"$out2" || ret=1
  if grep "2nd sub test data" "$out2" >/dev/null; then
    break
  fi
  sleep 1
  attempt=$((attempt + 1))
done
grep "2nd sub test data" "$out2" >/dev/null || ret=1
# put the parent zone back so later checks see the original setup
reload_with_conf ns3 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' 10.53.0.3
tally_check

begin_check "checking authoritative NS addresses are ignored for delegation"
out1=dig.out.ns2.test1.$n
out2=dig.out.ns2.test2.$n
out3=dig.out.ns2.test3.$n
# the auth server returns a different (and incorrect) A/AAAA RR for example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 a >"$out1" || ret=1
grep "10.53.0.4" "$out1" >/dev/null || ret=1
$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa >"$out2" || ret=1
grep "::1" "$out2" >/dev/null || ret=1
# reload the server. this will flush the ADB.
rndc_reload ns2 10.53.0.2
# ask another RR that would require delegation. static-stub configuration
# should still be used instead of the authoritative A/AAAA cached above.
$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt >"$out3" || ret=1
grep "3rd test data" "$out3" >/dev/null || ret=1
tally_check

# the authoritative server of the query domain (example.com) is the apex
# name of the static-stub zone (example). in this case the static-stub
# configuration must be ignored and cached information must be used.
begin_check "checking NS of static-stub is ignored when referenced from other domain"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt >"$out" || ret=1
grep "example com data" "$out" >/dev/null || ret=1
tally_check

# check server-names
begin_check "checking static-stub with a server-name"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt >"$out" || ret=1
grep "example org data" "$out" >/dev/null || ret=1
tally_check

# The counter is advanced before the IPv6 probe so the check keeps its
# number whether it runs or is skipped.
n=$((n + 1))
# Note: for a short term workaround we use ::1, assuming it's configured and
# usable for our tests. We should eventually use the test ULA and available
# checks introduced in change 2916.
if testsock6 ::1; then
  echo_i "checking IPv6 static-stub address ($n)"
  ret=0
  out=dig.out.ns2.test$n
  $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt >"$out" || ret=1
  grep "example info data" "$out" >/dev/null || ret=1
  tally_check
else
  echo_i "SKIPPED: checking IPv6 static-stub address ($n)"
fi

# The "ad" header flag is required: the answer must not only be present but
# DNSSEC-validated by ns2.
begin_check "look for static-stub zone data with DNSSEC validation"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt >"$out" || ret=1
grep "ad; QUERY" "$out" >/dev/null || ret=1
grep "4th test data" "$out" >/dev/null || ret=1
tally_check

begin_check "look for a child of static-stub zone data with DNSSEC validation"
out=dig.out.ns2.test$n
$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt >"$out" || ret=1
grep "ad; QUERY" "$out" >/dev/null || ret=1
grep "3rd sub test data" "$out" >/dev/null || ret=1
tally_check

# reload with a different name server: existing zone shouldn't be reused.
begin_check "checking server reload with a different static-stub config"
out=dig.out.ns2.test$n
reload_with_conf ns2 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' 10.53.0.2
$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt >"$out" || ret=1
grep "2nd example org data" "$out" >/dev/null || ret=1
tally_check

# A DS query for the undelegated TLD is NXDOMAIN, but that must not poison
# the subsequent SOA lookup through the static-stub configuration.
begin_check "checking static-stub of a undelegated tld resolves after DS query"
dsout=dig.out.ns2.ds.test$n
soaout=dig.out.ns2.soa.test$n
$DIG $DIGOPTS undelegated. @10.53.0.2 ds >"$dsout" || ret=1
$DIG $DIGOPTS undelegated. @10.53.0.2 soa >"$soaout" || ret=1
grep "status: NXDOMAIN" "$dsout" >/dev/null || ret=1
grep "status: NOERROR" "$soaout" >/dev/null || ret=1
tally_check

# The NS RRset synthesised from the static-stub configuration must never
# appear in a response: only the zone's own NS (ns.unsigned.) may be
# returned while cached, and nothing once that RRset has expired.
begin_check "checking static-stub synthesised NS is not returned"
nsout=dig.out.ns2.ns.test$n
txt1=dig.out.ns2.txt1.test$n
txt2=dig.out.ns2.txt2.test$n
$DIG $DIGOPTS unsigned. @10.53.0.2 ns >"$nsout" || ret=1
sleep 2
$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >"$txt1" || ret=1
sleep 4
$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >"$txt2" || ret=1
grep "status: NOERROR" "$nsout" >/dev/null || ret=1
grep "status: NOERROR" "$txt1" >/dev/null || ret=1
# NS RRset from zone is returned
grep '^unsigned\..*NS.ns\.unsigned\.$' "$txt1" >/dev/null || ret=1
if grep '^unsigned\..*NS.unsigned\.$' "$txt1" >/dev/null; then
  ret=1
fi
# NS expired and synthesised response is not returned
grep "status: NOERROR" "$txt2" >/dev/null || ret=1
if grep '^unsigned\..*NS.ns\.unsigned\.$' "$txt2" >/dev/null; then
  ret=1
fi
if grep '^unsigned\..*NS.unsigned\.$' "$txt2" >/dev/null; then
  ret=1
fi
tally_check

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1