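#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for static-stub zones.
#
# Each check increments the test counter $n, runs one or more queries
# (or named-checkconf invocations), and accumulates any failure into
# $status; the script exits non-zero if any check failed.  The helpers
# echo_i, copy_setports, rndc_reload, testsock6 and digcomp, and the
# variables PORT, CONTROLPORT, DIG, RNDC and CHECKCONF, come from conf.sh.
#
# Query targets: ns2 (10.53.0.2) is the resolver under test holding the
# static-stub configuration; ns3 (10.53.0.3) is the authoritative server
# whose parent zone is toggled in one of the checks.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

DIGOPTS="-p ${PORT}"
# Not referenced directly below; kept for helpers sourced from conf.sh
# that may expect it to be set by the test script.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

# Every conf/good*.conf must be accepted by named-checkconf.
for conf in conf/good*.conf
do
	n=$((n + 1))
	echo_i "checking that $conf is accepted ($n)"
	ret=0
	$CHECKCONF "$conf" || ret=1
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
done

# Every conf/bad*.conf must be rejected; a zero exit status here is the
# failure case.
for conf in conf/bad*.conf
do
	n=$((n + 1))
	echo_i "checking that $conf is rejected ($n)"
	ret=0
	$CHECKCONF "$conf" >/dev/null && ret=1
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
done

n=$((n + 1))
echo_i "trying an axfr that should be denied (NOTAUTH) ($n)"
ret=0
# ns2 is not authoritative for the static-stub zone, so a zone transfer
# request must be turned down rather than served from the stub config.
$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1
grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
# example. is the static-stub zone configured with server addresses; the
# server-name variant (example.org.) is checked separately below.
echo_i "non recursive query for a static-stub zone should be rejected ($n)"
ret=0
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \
	|| ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)"
ret=0
$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \
	|| ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "allow-query ACL ($n)"
ret=0
# A query sourced from 10.53.0.7 must fall outside allow-query and be
# refused; this guards against the static-stub path bypassing the ACL.
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \
	> dig.out.ns2.test$n || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "look for static-stub zone data with recursion (should be found) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking authoritative NS is ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) NS for .example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1
grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1
# but static-stub configuration should still be used
$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking queries for a child zone of the static-stub zone ($n)"
ret=0
# prime the delegation to a child zone of the static-stub zone
$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1
grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1
# temporarily disable the parent zone.  A failed rewrite or reload would
# leave ns3 in an unknown state, so each step counts as a test failure.
copy_setports ns3/named.conf.in tmp || ret=1
sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf || ret=1
rndc_reload ns3 10.53.0.3 || ret=1
# query the child zone again. this should directly go to the child and
# succeed.  Retry for up to ten seconds to allow the reload to settle.
for i in 0 1 2 3 4 5 6 7 8 9
do
	$DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
	grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break
	sleep 1
done
grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1
# re-enable the parent
copy_setports ns3/named.conf.in tmp || ret=1
sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf || ret=1
rndc_reload ns3 10.53.0.3 || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking authoritative NS addresses are ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) A/AAAA RR for .example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1
grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1
grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1
# reload the server. this will flush the ADB.
rndc_reload ns2 10.53.0.2 || ret=1
# ask another RR that would require delegation. static-stub configuration
# should still be used instead of the authoritative A/AAAA cached above.
$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1
grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# the authoritative server of the query domain (example.com) is the apex
# name of the static-stub zone (example). in this case the static-stub
# configuration must be ignored and cached information must be used.
n=$((n + 1))
echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)"
ret=0
$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# check server-names
n=$((n + 1))
echo_i "checking static-stub with a server-name ($n)"
ret=0
$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
# Note: for a short term workaround we use ::1, assuming it's configured and
# usable for our tests. We should eventually use the test ULA and available
# checks introduced in change 2916.
if testsock6 ::1
then
	echo_i "checking IPv6 static-stub address ($n)"
	ret=0
	$DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
	grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1
	if [ "$ret" != 0 ]; then echo_i "failed"; fi
	status=$((status + ret))
else
	echo_i "SKIPPED: checking IPv6 static-stub address ($n)"
fi

n=$((n + 1))
echo_i "look for static-stub zone data with DNSSEC validation ($n)"
ret=0
# Both the data and the AD flag are required: a validated answer is the
# point of this check, not merely a successful lookup.
$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)"
ret=0
$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# reload with a different name server: existing zone shouldn't be reused.
n=$((n + 1))
echo_i "checking server reload with a different static-stub config ($n)"
ret=0
copy_setports ns2/named.conf.in tmp || ret=1
sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf || ret=1
rndc_reload ns2 10.53.0.2 || ret=1
$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)"
ret=0
# Check dig's exit status here too, consistently with the other queries,
# so a failed lookup is not mistaken for a missing status line.
$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n || ret=1
$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1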