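#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for static-stub zones on the resolver ns2 (10.53.0.2).
#
# Covered: acceptance/rejection of the sample configurations, refusal of
# AXFR and of queries outside the allow-query ACL, non-recursive lookups,
# the precedence of the configured static-stub servers over NS/A/AAAA data
# learned from the authoritative side, child-zone delegation, server-names,
# IPv6 server addresses, DNSSEC validation through the stub, and reload
# behaviour.
#
# Helpers and variables come from conf.sh: echo_i, digcomp, copy_setports,
# rndc_reload, testsock6, $DIG, $CHECKCONF, $RNDC, $PORT, $CONTROLPORT.
# Every test increments $n, records its own $ret (0 = pass, 1 = fail) and
# adds it to $status; the script exits 1 if any test failed.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

# Every conf/good*.conf must be accepted by named-checkconf.
for conf in conf/good*.conf
do
  n=$((n + 1))
  echo_i "checking that $conf is accepted ($n)"
  ret=0
  $CHECKCONF "$conf" || ret=1
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# Every conf/bad*.conf must be rejected; a zero exit from named-checkconf
# is the failure here.
for conf in conf/bad*.conf
do
  n=$((n + 1))
  echo_i "checking that $conf is rejected ($n)"
  ret=0
  $CHECKCONF "$conf" >/dev/null && ret=1
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# ns2 is not authoritative for the static-stub zone, so a zone transfer
# must be refused (NOTAUTH) rather than served from the stub.
n=$((n + 1))
echo_i "trying an axfr that should be denied (NOTAUTH) ($n)"
ret=0
$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1
grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Static-stub data is only reachable through recursion; a +norec query for
# the zone served by server addresses must be REFUSED.
n=$((n + 1))
echo_i "non recursive query for a static-stub zone should be rejected ($n)"
ret=0
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \
  || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Same check for the static-stub zone configured with a server name
# (example.org, see the server-names test below).
n=$((n + 1))
echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)"
ret=0
$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \
  || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A query whose source address (-b 10.53.0.7) falls outside the zone's
# allow-query ACL must be REFUSED.
n=$((n + 1))
echo_i "allow-query ACL ($n)"
ret=0
$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \
  > dig.out.ns2.test$n || ret=1
grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# With recursion the stub data must be found and match the known-good answer.
n=$((n + 1))
echo_i "look for static-stub zone data with recursion (should be found) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The static-stub configuration pins where queries for the zone are sent;
# NS records handed back by the authoritative server must not redirect them.
n=$((n + 1))
echo_i "checking authoritative NS is ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) NS for .example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1
grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1
# but static-stub configuration should still be used
$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A child zone delegated from the static-stub zone must remain reachable
# even while the parent zone is removed from ns3.
n=$((n + 1))
echo_i "checking queries for a child zone of the static-stub zone ($n)"
ret=0
# prime the delegation to a child zone of the static-stub zone
$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1
grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1
# temporarily disable the parent zone
copy_setports ns3/named.conf.in tmp
sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf
rndc_reload ns3 10.53.0.3
# query the child zone again. this should directly go to the child and
# succeed. retry for up to 10 seconds so the reload has time to take effect.
for i in 0 1 2 3 4 5 6 7 8 9
do
  $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
  grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break
  sleep 1
done
grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1
# re-enable the parent (runs even when the checks above failed, so later
# tests see the full ns3 configuration)
copy_setports ns3/named.conf.in tmp
sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf
rndc_reload ns3 10.53.0.3
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Likewise, A/AAAA records for the zone apex learned from the authoritative
# side must not replace the configured static-stub server addresses.
n=$((n + 1))
echo_i "checking authoritative NS addresses are ignored for delegation ($n)"
ret=0
# the auth server returns a different (and incorrect) A/AAAA RR for .example.
$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1
grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1
grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1
# reload the server. this will flush the ADB.
rndc_reload ns2 10.53.0.2
# ask another RR that would require delegation. static-stub configuration
# should still be used instead of the authoritative A/AAAA cached above.
$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1
grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# the authoritative server of the query domain (example.com) is the apex
# name of the static-stub zone (example). in this case the static-stub
# configuration must be ignored and cached information must be used.
n=$((n + 1))
echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)"
ret=0
$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# check server-names
n=$((n + 1))
echo_i "checking static-stub with a server-name ($n)"
ret=0
$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
# Note: for a short term workaround we use ::1, assuming it's configured and
# usable for our tests. We should eventually use the test ULA and available
# checks introduced in change 2916.
if testsock6 ::1
then
  echo_i "checking IPv6 static-stub address ($n)"
  ret=0
  $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
  grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1
  if [ "$ret" != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
else
  echo_i "SKIPPED: checking IPv6 static-stub address ($n)"
fi

# Answers obtained through the static-stub must still be DNSSEC validated:
# the "ad" flag has to be set on the response.
n=$((n + 1))
echo_i "look for static-stub zone data with DNSSEC validation ($n)"
ret=0
$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)"
ret=0
$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# reload with a different name server: existing zone shouldn't be reused.
n=$((n + 1))
echo_i "checking server reload with a different static-stub config ($n)"
ret=0
copy_setports ns2/named.conf.in tmp
sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf
rndc_reload ns2 10.53.0.2
$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# A DS query for an undelegated TLD is answered NXDOMAIN from the parent,
# but the static-stub configuration must still resolve the zone itself.
n=$((n + 1))
echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)"
ret=0
# dig failures are counted like everywhere else in this script
$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n || ret=1
$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1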