1#!/bin/sh
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14# set -e
15#
16# shellcheck source=conf.sh
17. ../conf.sh
18
19RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
20
21set -e
22
23status=0
24n=1
25synth_default=yes
26
27rm -f dig.out.*
28
# dig_with_opts ARGS...
#
# Run $DIG over TCP against port $PORT with a fixed set of output-trimming
# options and +dnssec, followed by the caller's arguments.  Because the
# caller's arguments come last, an explicit +nodnssec from the caller
# follows the default +dnssec on the command line.
dig_with_opts() {
  set -- +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
  "$DIG" "$@"
}
32
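# check_ad_flag EXPECT FILE
#
# Check the AD (Authenticated Data) bit in the header flags of the dig
# output saved in FILE.
#   EXPECT = yes : succeed only if "ad" appears in the flags line
#   otherwise    : succeed only if "ad" does not appear
# Returns 0 when the expectation holds, 1 otherwise.
#
# Both arguments are quoted so an empty EXPECT or a FILE path containing
# whitespace or glob characters cannot break the test expression or be
# split into several grep operands.
#
# Note: in the "no" case a missing or unreadable FILE also yields 0, because
# grep fails and the "&& return 1" is skipped; callers record a failed dig
# separately via "|| ret=1".
check_ad_flag() {
  if [ "${1}" = yes ]; then
    grep "flags:[^;]* ad[^;]*; QUERY" "${2}" >/dev/null || return 1
  else
    grep "flags:[^;]* ad[^;]*; QUERY" "${2}" >/dev/null && return 1
  fi
  return 0
}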
41
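# check_status RCODE FILE
#
# Succeed (0) if the dig output in FILE reports "status: RCODE," in its
# header, otherwise return 1.  RCODE is interpolated into the grep pattern,
# so it is expected to be a plain response-code name such as NXDOMAIN or
# NOERROR.  FILE is quoted so a path with whitespace stays a single operand.
check_status() {
  grep "status: ${1}," "${2}" >/dev/null || return 1
  return 0
}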
46
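# check_synth_soa NAME FILE
#
# Succeed (0) if the dig output in FILE contains an SOA record owned by NAME
# and no SOA record for NAME carries a TTL of 3600; return 1 otherwise.
# A TTL of 3600 is what the "nosynth" helpers require, so a different TTL is
# taken here as the mark of a synthesized answer.
#
# The body is a ( ... ) subshell so that "name" does not leak into the
# caller.  Dots in NAME are escaped before it is used as a regex, and
# printf replaces echo so NAME is passed to sed verbatim.  FILE is quoted so
# a path with whitespace stays a single grep operand.
check_synth_soa() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*[0-9]*.IN.SOA" "${2}" >/dev/null || return 1
  grep "^${name}.*3600.IN.SOA" "${2}" >/dev/null && return 1
  return 0
)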
53
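# check_nosynth_soa NAME FILE
#
# Succeed (0) if the dig output in FILE contains an SOA record owned by NAME
# with a TTL of 3600, i.e. the TTL this test treats as a non-synthesized
# answer; return 1 otherwise.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_nosynth_soa() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*3600.IN.SOA" "${2}" >/dev/null || return 1
  return 0
)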
59
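# check_synth_a NAME FILE
#
# Succeed (0) if the dig output in FILE contains an A record owned by NAME
# whose address starts with a digit 0-2, and no such record carries a TTL of
# 3600; return 1 otherwise.  A TTL other than 3600 is what this test treats
# as the mark of a synthesized answer.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_synth_a() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*[0-9]*.IN.A.[0-2]" "${2}" >/dev/null || return 1
  grep "^${name}.*3600.IN.A.[0-2]" "${2}" >/dev/null && return 1
  return 0
)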
66
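# check_nosynth_a NAME FILE
#
# Succeed (0) if the dig output in FILE contains an A record owned by NAME
# with a TTL of 3600 and an address starting with a digit 0-2, i.e. the TTL
# this test treats as a non-synthesized answer; return 1 otherwise.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_nosynth_a() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*3600.IN.A.[0-2]" "${2}" >/dev/null || return 1
  return 0
)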
72
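# check_synth_aaaa NAME FILE
#
# Succeed (0) if the dig output in FILE contains an AAAA record owned by NAME
# and no AAAA record for NAME carries a TTL of 3600; return 1 otherwise.
# A TTL other than 3600 is what this test treats as the mark of a
# synthesized answer.
#
# The negative pattern names AAAA explicitly, in line with the other
# check_synth_* helpers, which repeat their own record type in both greps.
# The previous "3600.IN.A" prefix also rejected an unrelated A record for
# NAME at TTL 3600.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_synth_aaaa() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*[0-9]*.IN.AAAA" "${2}" >/dev/null || return 1
  grep "^${name}.*3600.IN.AAAA" "${2}" >/dev/null && return 1
  return 0
)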
79
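# check_nosynth_aaaa NAME FILE
#
# Succeed (0) if the dig output in FILE contains an AAAA record owned by NAME
# with a TTL of 3600, i.e. the TTL this test treats as a non-synthesized
# answer; return 1 otherwise.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_nosynth_aaaa() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*3600.IN.AAAA" "${2}" >/dev/null || return 1
  return 0
)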
85
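# check_synth_cname NAME FILE
#
# Succeed (0) if the dig output in FILE contains a CNAME record owned by
# NAME and no CNAME record for NAME carries a TTL of 3600; return 1
# otherwise.  A TTL other than 3600 is what this test treats as the mark of
# a synthesized answer.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_synth_cname() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*[0-9]*.IN.CNAME" "${2}" >/dev/null || return 1
  grep "^${name}.*3600.IN.CNAME" "${2}" >/dev/null && return 1
  return 0
)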
92
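# check_nosynth_cname NAME FILE
#
# Succeed (0) if the dig output in FILE contains a CNAME record owned by
# NAME with a TTL of 3600, i.e. the TTL this test treats as a
# non-synthesized answer; return 1 otherwise.
#
# Runs in a ( ... ) subshell so "name" stays local.  Dots in NAME are
# escaped for use in the regex, printf replaces echo so NAME reaches sed
# verbatim, and FILE is quoted so it remains one grep operand.
check_nosynth_cname() (
  name=$(printf '%s\n' "$1" | sed 's/\./\\./g')
  grep "^${name}.*3600.IN.CNAME" "${2}" >/dev/null || return 1
  return 0
)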
98
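# check_auth_count COUNT FILE
#
# Succeed (0) if the header of the dig output in FILE reports
# "AUTHORITY: COUNT,", i.e. exactly COUNT records in the authority section;
# return 1 otherwise.  FILE is quoted so a path with whitespace stays a
# single grep operand.
check_auth_count() {
  grep "AUTHORITY: ${1}," "${2}" >/dev/null || return 1
  return 0
}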
103
# Priming pass.  Each server 10.53.0.N (N = 2, 4, 5, 6) is sent one query per
# scenario; nothing can have been synthesized yet, so every answer is
# expected to carry the TTL of 3600 that the check_nosynth_* helpers and the
# explicit NSEC greps look for.
#
# Per server:
#   ad          - whether the AD flag is expected on answers from the signed
#                 zones (yes for ns2/ns4/ns5, no for ns6, whose description
#                 is "dnssec-validation no")
#   description - the synth-from-dnssec setting, used only in the log lines
#
# Every stanza has the same shape: log the check, run dig into
# dig.out[...].ns${ns}.test$n, apply the header and record checks (any
# failure sets ret=1), bump n, log "failed" if needed, and add ret to status.
#
# For ns2 only, each response is also saved as a reference file.  The
# "[ $ns -eq 2 ] && ..." form is an AND list, so a false test does not trip
# "set -e".  Where the reference is written with sed 's/^a\./b./', a leading
# "a." owner label is rewritten to "b." so the file lines up with the
# "b...." query names that the later "check" loop compares it against with
# digcomp.
for ns in 2 4 5 6; do
  case $ns in
    2)
      ad=yes
      description="<default>"
      ;;
    4)
      ad=yes
      description="no"
      ;;
    5)
      ad=yes
      description="yes"
      ;;
    6)
      ad=no
      description="yes; dnssec-validation no"
      ;;
    *) exit 1 ;;
  esac
  # Signed zone "example.": NXDOMAIN for a non-existent name.
  echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Signed zone: NODATA (NOERROR plus SOA) for nodata.example./A.
  echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts nodata.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Signed zone: A answer for a name under wild-a.example.
  echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wild.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Signed zone: CNAME answer for a name under wild-cname.example.
  echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-cname.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildcname.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Signed zone: wildcard NODATA for TXT; 4 authority records expected.
  echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
  check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata1nsec.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Signed zone: wildcard NODATA for TXT; 6 authority records expected.
  echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
  check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata2nsec.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Same as above for wild-2-nsec-afterdata; note the distinct output file
  # name (dig.out.txt.*).
  echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
  check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1
  check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >wildnodata2nsecafterdata.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # insecure.example. stanzas: the AD flag must be absent on every server,
  # so these pass the literal "no" instead of $ad.
  echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: NODATA for nodata.insecure.example./A.
  echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts nodata.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: A answer for a name under wild-a.insecure.example.
  echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wild.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: CNAME answer under wild-cname.insecure.example.
  # NOTE(review): the log line below omits "insecure", unlike its
  # neighbours, so it duplicates the message of the signed-zone CNAME stanza.
  echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wildcname.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: wildcard NODATA for TXT; 4 authority records expected.
  # The reference is copied unmodified here (cp, no a.->b. rewrite).
  echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
  check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: wildcard NODATA for TXT; 6 authority records expected.
  echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
  check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Insecure zone: same for wild-2-nsec-afterdata (output in dig.out.txt.*).
  echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1
  check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
  check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1
  check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
  [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >insecure.wildnodata2nsecafterdata.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Zone "minimal.": NXDOMAIN whose authority section must contain the NSEC
  # record nxdomaia.minimal -> nxdomaiz.minimal with types "RRSIG NSEC".
  echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts nxdomain.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
  grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n >/dev/null || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Zone "minimal.": NODATA whose NSEC record for black.minimal points at
  # \000.black.minimal with types "RRSIG NSEC" (the "black lie" form named
  # in the log line).
  echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts black.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
  grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n >/dev/null || ret=1
  [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Zone "minimal.": NODATA for badtypemap.minimal./TXT; the NSEC record must
  # list exactly "A" as its type map.  No reference file is saved.
  echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
  grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  # Zone "soa-without-dnskey.": NODATA for TXT at the apex; the apex NSEC
  # record must list "NS SOA RRSIG NSEC" (no DNSKEY).  No reference file is
  # saved.
  echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
  ret=0
  dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1
  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
  check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
  grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1
  n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

done
331
# Prime ns3 with a query that does not request DNSSEC records: +nodnssec is
# passed after the +dnssec that dig_with_opts supplies by default.  The
# answer is expected to be NOERROR without the AD flag and to contain
# a.redirect. A 100.100.100.2 with a TTL of 300.
echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
dig_with_opts +nodnssec a.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
check_ad_flag no dig.out.ns3.test$n || ret=1
check_status NOERROR dig.out.ns3.test$n || ret=1
grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# ensure TTL of synthesised answers differs from direct answers.
# The check_synth_* helpers depend on this: they reject a record whose TTL
# is still 3600, while the check_nosynth_* helpers require exactly 3600.
#
sleep 1
346
347for ns in 2 4 5 6; do
348  case $ns in
349    2) ad=yes synth=${synth_default} description="<default>" ;;
350    4) ad=yes synth=no description="no" ;;
351    5) ad=yes synth=yes description="yes" ;;
352    6) ad=no synth=no description="yes; dnssec-validation no" ;;
353    *) exit 1 ;;
354  esac
355  echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
356  ret=0
357  nextpart ns1/named.run >/dev/null
358  dig_with_opts b.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
359  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
360  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
361  if [ ${synth} = yes ]; then
362    check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
363    nextpart ns1/named.run | grep b.example/A >/dev/null && ret=1
364  else
365    check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
366    nextpart ns1/named.run | grep b.example/A >/dev/null || ret=1
367  fi
368  digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1
369  n=$((n + 1))
370  if [ $ret != 0 ]; then echo_i "failed"; fi
371  status=$((status + ret))
372
373  echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
374  ret=0
375  nextpart ns1/named.run >/dev/null
376  dig_with_opts nodata.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1
377  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
378  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
379  if [ ${synth} = yes ]; then
380    check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
381    nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null && ret=1
382  else
383    check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
384    nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null || ret=1
385  fi
386  digcomp nodata.out dig.out.ns${ns}.test$n || ret=1
387  n=$((n + 1))
388  if [ $ret != 0 ]; then echo_i "failed"; fi
389  status=$((status + ret))
390
391  echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
392  ret=0
393  nextpart ns1/named.run >/dev/null
394  dig_with_opts b.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
395  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
396  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
397  if [ ${synth} = yes ]; then
398    check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
399    nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null && ret=1
400  else
401    check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
402    nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null || ret=1
403  fi
404  digcomp wild.out dig.out.ns${ns}.test$n || ret=1
405  n=$((n + 1))
406  if [ $ret != 0 ]; then echo_i "failed"; fi
407  status=$((status + ret))
408
409  echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
410  ret=0
411  nextpart ns1/named.run >/dev/null
412  dig_with_opts b.wild-cname.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
413  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
414  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
415  if [ ${synth} = yes ]; then
416    check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
417    nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null && ret=1
418  else
419    check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
420    nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null || ret=1
421  fi
422  grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
423  digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1
424  n=$((n + 1))
425  if [ $ret != 0 ]; then echo_i "failed"; fi
426  status=$((status + ret))
427
428  echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
429  ret=0
430  nextpart ns1/named.run >/dev/null
431  dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
432  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
433  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
434  if [ ${synth} = yes ]; then
435    check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
436    nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null && ret=1
437  else
438    check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
439    nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null || ret=1
440  fi
441  digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
442  n=$((n + 1))
443  if [ $ret != 0 ]; then echo_i "failed"; fi
444  status=$((status + ret))
445
446  echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
447  ret=0
448  nextpart ns1/named.run >/dev/null
449  dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
450  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
451  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
452  if [ ${synth} = yes ]; then
453    check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
454    nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null && ret=1
455  else
456    check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
457    nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null || ret=1
458  fi
459  digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
460  n=$((n + 1))
461  if [ $ret != 0 ]; then echo_i "failed"; fi
462  status=$((status + ret))
463
464  echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
465  ret=0
466  # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record
467  dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1
468  check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1
469  check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
470  check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1
471  #
472  nextpart ns1/named.run >/dev/null
473  dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1
474  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
475  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
476  if [ ${synth} = yes ]; then
477    check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
478    nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null && ret=1
479  else
480    check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
481    nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null || ret=1
482  fi
483  digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
484  n=$((n + 1))
485  if [ $ret != 0 ]; then echo_i "failed"; fi
486  status=$((status + ret))
487
488  echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
489  ret=0
490  nextpart ns1/named.run >/dev/null
491  dig_with_opts b.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
492  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
493  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
494  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
495  nextpart ns1/named.run | grep b.insecure.example/A >/dev/null || ret=1
496  digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
497  n=$((n + 1))
498  if [ $ret != 0 ]; then echo_i "failed"; fi
499  status=$((status + ret))
500
501  echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
502  ret=0
503  nextpart ns1/named.run >/dev/null
504  dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1
505  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
506  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
507  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
508  nextpart ns1/named.run | grep nodata.insecure.example/AAAA >/dev/null || ret=1
509  digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
510  n=$((n + 1))
511  if [ $ret != 0 ]; then echo_i "failed"; fi
512  status=$((status + ret))
513
514  echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
515  ret=0
516  nextpart ns1/named.run >/dev/null
517  dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
518  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
519  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
520  grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
521  nextpart ns1/named.run | grep b.wild-a.insecure.example/A >/dev/null || ret=1
522  digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
523  n=$((n + 1))
524  if [ $ret != 0 ]; then echo_i "failed"; fi
525  status=$((status + ret))
526
527  echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
528  ret=0
529  nextpart ns1/named.run >/dev/null
530  dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
531  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
532  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
533  check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
534  nextpart ns1/named.run | grep b.wild-cname.insecure.example/A >/dev/null || ret=1
535  grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1
536  digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
537  n=$((n + 1))
538  if [ $ret != 0 ]; then echo_i "failed"; fi
539  status=$((status + ret))
540
541  echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
542  ret=0
543  nextpart ns1/named.run >/dev/null
544  dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
545  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
546  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
547  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
548  digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
549  n=$((n + 1))
550  if [ $ret != 0 ]; then echo_i "failed"; fi
551  status=$((status + ret))
552
553  echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
554  ret=0
555  nextpart ns1/named.run >/dev/null
556  dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
557  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
558  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
559  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
560  digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
561  n=$((n + 1))
562  if [ $ret != 0 ]; then echo_i "failed"; fi
563  status=$((status + ret))
564
565  echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
566  ret=0
567  nextpart ns1/named.run >/dev/null
568  dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1
569  check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1
570  check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
571  check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1
572  #
573  dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1
574  check_ad_flag no dig.out.ns${ns}.test$n || ret=1
575  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
576  check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
577  digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
578  n=$((n + 1))
579  if [ $ret != 0 ]; then echo_i "failed"; fi
580  status=$((status + ret))
581
582  echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
583  ret=0
584  nextpart ns1/named.run >/dev/null
585  dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1
586  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
587  check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
588  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
589  nextpart ns1/named.run | grep nxdomaic.minimal/A >/dev/null || ret=1
590  digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
591  n=$((n + 1))
592  if [ $ret != 0 ]; then echo_i "failed"; fi
593  status=$((status + ret))
594
595  echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
596  ret=0
597  nextpart ns1/named.run >/dev/null
598  dig_with_opts black.minimal. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1
599  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
600  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
601  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
602  nextpart ns1/named.run | grep black.minimal/AAAA >/dev/null || ret=1
603  digcomp black.out dig.out.ns${ns}.test$n || ret=1
604  n=$((n + 1))
605  if [ $ret != 0 ]; then echo_i "failed"; fi
606  status=$((status + ret))
607
608  echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
609  ret=0
610  dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO >dig.out.ns${ns}.test$n || ret=1
611  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
612  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
613  check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
614  grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1
615  n=$((n + 1))
616  if [ $ret != 0 ]; then echo_i "failed"; fi
617  status=$((status + ret))
618
619  echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
620  ret=0
621  dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1
622  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
623  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
624  check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
625  n=$((n + 1))
626  if [ $ret != 0 ]; then echo_i "failed"; fi
627  status=$((status + ret))
628
629  echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
630  ret=0
631  dig_with_opts soa-without-dnskey. @10.53.0.${ns} A >dig.out.ns${ns}.test$n || ret=1
632  check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
633  check_status NOERROR dig.out.ns${ns}.test$n || ret=1
634  check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
635  grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1
636  n=$((n + 1))
637  if [ $ret != 0 ]; then echo_i "failed"; fi
638  status=$((status + ret))
639
640  echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
641  ret=0
642  ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
643  # 2 views, _bind should always be '0 covering nsec returned'
644  count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l)
645  test $count = 2 || ret=1
646  zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l)
647  if [ ${synth} = yes ]; then
648    test $zero = 1 || ret=1
649  else
650    test $zero = 2 || ret=1
651  fi
652  n=$((n + 1))
653  if [ $ret != 0 ]; then echo_i "failed"; fi
654  status=$((status + ret))
655
656  echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)"
657  ret=0
658  # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes'
659  count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
660  test $count = 2 || ret=1
661  zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
662  if [ ${ad} = yes ]; then
663    test $zero = 1 || ret=1
664  else
665    test $zero = 2 || ret=1
666  fi
667  n=$((n + 1))
668  if [ $ret != 0 ]; then echo_i "failed"; fi
669  status=$((status + ret))
670
671  for synthesized in NXDOMAIN no-data wildcard; do
672    case $synthesized in
673      NXDOMAIN) count=1 ;;
674      no-data) count=4 ;;
675      wildcard) count=2 ;;
676    esac
677    echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
678    ret=0
679    if [ ${synth} = yes ]; then
680      grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null || ret=1
681    else
682      grep "synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null && ret=1
683    fi
684    n=$((n + 1))
685    if [ $ret != 0 ]; then echo_i "failed"; fi
686    status=$((status + ret))
687  done
688
689  if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ]; then
690    echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)"
691    ret=0
692    xml=xml.out$n
693    ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server >$xml 2>/dev/null || ret=1
694    n=$((n + 1))
695    if [ $ret != 0 ]; then echo_i "failed"; fi
696    status=$((status + ret))
697
698    echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
699    ret=0
700    counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
701    count=$(echo "$counter" | grep CoveringNSEC | wc -l)
702    test $count = 1 || ret=1
703    zero=$(echo "$counter" | grep ">0<" | wc -l)
704    if [ ${synth} = yes ]; then
705      test $zero = 0 || ret=1
706    else
707      test $zero = 1 || ret=1
708    fi
709    n=$((n + 1))
710    if [ $ret != 0 ]; then echo_i "failed"; fi
711    status=$((status + ret))
712
713    echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
714    ret=0
715    counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
716    count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
717    test $count = 1 || ret=1
718    zero=$(echo "$counter" | grep ">0<" | wc -l)
719    if [ ${ad} = yes ]; then
720      test $zero = 0 || ret=1
721    else
722      test $zero = 1 || ret=1
723    fi
724    n=$((n + 1))
725    if [ $ret != 0 ]; then echo_i "failed"; fi
726    status=$((status + ret))
727
728    for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do
729      case $synthesized in
730        SynthNXDOMAIN) count=1 ;;
731        SynthNODATA) count=4 ;;
732        SynthWILDCARD) count=2 ;;
733      esac
734
735      echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
736      ret=0
737      if [ ${synth} = yes ]; then
738        grep '<counter name="'$synthesized'">'$count'</counter>' $xml >/dev/null || ret=1
739      else
740        grep '<counter name="'$synthesized'">'0'</counter>' $xml >/dev/null || ret=1
741      fi
742      n=$((n + 1))
743      if [ $ret != 0 ]; then echo_i "failed"; fi
744      status=$((status + ret))
745    done
746  else
747    echo_i "Skipping XML statistics checks"
748  fi
749
750  if $FEATURETEST --have-json-c && [ -x "${CURL}" ]; then
751    echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)"
752    ret=0
753    json=json.out$n
754    ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server >$json 2>/dev/null || ret=1
755    n=$((n + 1))
756    if [ $ret != 0 ]; then echo_i "failed"; fi
757    status=$((status + ret))
758
759    echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
760    ret=0
761    count=$(grep '"CoveringNSEC":' $json | wc -l)
762    test $count = 2 || ret=1
763    zero=$(grep '"CoveringNSEC":0' $json | wc -l)
764    if [ ${synth} = yes ]; then
765      test $zero = 1 || ret=1
766    else
767      test $zero = 2 || ret=1
768    fi
769    n=$((n + 1))
770    if [ $ret != 0 ]; then echo_i "failed"; fi
771    status=$((status + ret))
772
773    echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
774    ret=0
775    count=$(grep '"CacheNSECNodes":' $json | wc -l)
776    test $count = 2 || ret=1
777    zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
778    if [ ${ad} = yes ]; then
779      test $zero = 1 || ret=1
780    else
781      test $zero = 2 || ret=1
782    fi
783    n=$((n + 1))
784    if [ $ret != 0 ]; then echo_i "failed"; fi
785    status=$((status + ret))
786
787    for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do
788      case $synthesized in
789        SynthNXDOMAIN) count=1 ;;
790        SynthNODATA) count=4 ;;
791        SynthWILDCARD) count=2 ;;
792      esac
793
794      echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
795      ret=0
796      if [ ${synth} = yes ]; then
797        grep '"'$synthesized'":'$count'' $json >/dev/null || ret=1
798      else
799        grep '"'$synthesized'":' $json >/dev/null && ret=1
800      fi
801      n=$((n + 1))
802      if [ $ret != 0 ]; then echo_i "failed"; fi
803      status=$((status + ret))
804    done
805  else
806    echo_i "Skipping JSON statistics checks"
807  fi
808done
809
# Redirect check, DNSSEC-aware query: ask 10.53.0.3 for b.redirect. through
# dig_with_opts and require an NXDOMAIN answer with the AD flag set.
# Which SOA check applies is taken from synth_default, since the test title
# marks this server as using the default synth-from-dnssec setting.
echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
synth=${synth_default}
ret=0
if ! dig_with_opts b.redirect. @10.53.0.3 a >"dig.out.ns3.test$n"; then
  ret=1
fi
check_ad_flag yes "dig.out.ns3.test$n" || ret=1
check_status NXDOMAIN "dig.out.ns3.test$n" || ret=1
case "${synth}" in
  yes)
    # Synthesis expected: check_synth_soa wants a root SOA whose TTL is
    # not the 3600 it matches against.
    check_synth_soa . "dig.out.ns3.test$n" || ret=1
    ;;
  *)
    # No synthesis: check_nosynth_soa wants the root SOA at TTL 3600.
    check_nosynth_soa . "dig.out.ns3.test$n" || ret=1
    ;;
esac
n=$((n + 1))
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
824
# Redirect check, query sent with +nodnssec: the same name must now come
# back as NOERROR without the AD flag, carrying the A record
# 100.100.100.2 with TTL 300.
echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
if ! dig_with_opts +nodnssec b.redirect. @10.53.0.3 a >"dig.out.ns3.test$n"; then
  ret=1
fi
check_ad_flag no "dig.out.ns3.test$n" || ret=1
check_status NOERROR "dig.out.ns3.test$n" || ret=1
if ! grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' "dig.out.ns3.test$n" >/dev/null; then
  ret=1
fi
n=$((n + 1))
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
834
# DNAME handling on 10.53.0.5: first fetch the NS set of dnamed.example.,
# then query a name below it and require NOERROR.
# Only the second response has its status inspected; for the first query
# a failing dig is the only thing that counts.
echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
ret=0
if ! dig_with_opts dnamed.example. ns @10.53.0.5 >"dig.out.ns5.test$n"; then
  ret=1
fi
if ! dig_with_opts a.dnamed.example. a @10.53.0.5 >"dig.out.ns5-1.test$n"; then
  ret=1
fi
check_status NOERROR "dig.out.ns5-1.test$n" || ret=1
n=$((n + 1))
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
843
# Regression test for CVE-2022-0635: replay a fixed query sequence against
# the resolver at 10.53.0.5 and require it to keep answering.
# Only response codes are inspected, so a resolver that stopped part-way
# shows up here as a failed dig or a missing status line (ret=1).
# NOTE(review): whether an assertion failure in named is also picked up
# from its log or a core file depends on the surrounding harness - confirm.
echo_i "regression test for CVE-2022-0635 ($n)"
ret=0

# Step 1: put the DNAME into the cache.
if ! dig_with_opts dname.dnamed. dname @10.53.0.5 >"dig.out.ns5-1.test$n"; then
  ret=1
fi
grep "status: NOERROR" "dig.out.ns5-1.test$n" >/dev/null || ret=1

# Step 2: cache an A record at a name that sorts before the DNAME owner.
if ! dig_with_opts a.dnamed. a @10.53.0.5 >"dig.out.ns5-2.test$n"; then
  ret=1
fi
grep "status: NOERROR" "dig.out.ns5-2.test$n" >/dev/null || ret=1

# Step 3: an AAAA query for that same name brings its NSEC into the cache.
if ! dig_with_opts a.dnamed. aaaa @10.53.0.5 >"dig.out.ns5-3.test$n"; then
  ret=1
fi
grep "status: NOERROR" "dig.out.ns5-3.test$n" >/dev/null || ret=1

# Step 4: wait for the cached NSEC to time out.
# The fixed 6 seconds presumably exceeds the TTL set in the test zone - confirm.
sleep 6

# Step 5: a lookup that has to go through the DNAME must be answered with
# NXDOMAIN.
if ! dig_with_opts b.dname.dnamed a @10.53.0.5 >"dig.out.ns5-4.test$n"; then
  ret=1
fi
grep "status: NXDOMAIN" "dig.out.ns5-4.test$n" >/dev/null || ret=1

n=$((n + 1))
if [ "$ret" != 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))
863
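# Grafted zone reached by forwarding: a cached NSEC proving that 'internal'
# does not exist must not stop the resolver from answering names inside a
# locally configured zone below it.
# NOTE(review): that example.internal is served via a forward-only zone is
# taken from the test title; the configuration is not visible here.
echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)"
ret=0

# Prime the cache with the NXDOMAIN NSEC covering 'fun' to 'minimal'.
dig_with_opts internal @10.53.0.5 >"dig.out.ns5-1.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns5-1.test$n" >/dev/null || ret=1
grep '^fun\..*NSEC.minimal\. ' "dig.out.ns5-1.test$n" >/dev/null || ret=1

# Look up a name in the grafted zone; it must resolve rather than be
# answered from the cached NSEC.
dig_with_opts example.internal @10.53.0.5 >"dig.out.ns5-2.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns5-2.test$n" >/dev/null || ret=1
# The dots of the address are escaped so that only the literal 1.2.3.4
# satisfies the check, matching how the redirect test writes its address.
grep '^example\.internal\..*A.1\.2\.3\.4$' "dig.out.ns5-2.test$n" >/dev/null || ret=1

n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))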
877
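# Grafted zone served as a primary zone: same scenario as the forward-only
# case, but for example.internal2.
# NOTE(review): that internal2 is a local primary zone is taken from the
# test title; the configuration is not visible here.
echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)"
ret=0

# Prime the cache with the NXDOMAIN NSEC covering 'fun' to 'minimal'.
dig_with_opts internal @10.53.0.5 >"dig.out.ns5-1.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns5-1.test$n" >/dev/null || ret=1
grep '^fun\..*NSEC.minimal\. ' "dig.out.ns5-1.test$n" >/dev/null || ret=1

# Look up a name in the grafted zone; it must resolve rather than be
# answered from the cached NSEC.
dig_with_opts example.internal2 @10.53.0.5 >"dig.out.ns5-2.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns5-2.test$n" >/dev/null || ret=1
# The dots of the address are escaped so that only the literal 1.2.3.4
# satisfies the check, matching how the redirect test writes its address.
grep '^example\.internal2\..*A.1\.2\.3\.4$' "dig.out.ns5-2.test$n" >/dev/null || ret=1

n=$((n + 1))
if [ "$ret" != 0 ]; then echo_i "failed"; fi
status=$((status + ret))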
891
# Report the accumulated failure count; anything other than zero makes the
# script exit with status 1.
echo_i "exit status: $status"
if ! [ "$status" -eq 0 ]; then
  exit 1
fi
894