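#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for DNS wildcard handling.
#
# Three groups of checks, all driven with dig against the test servers
# 10.53.0.1 - 10.53.0.5:
#   1. DNSSEC: the NSEC / NSEC3 records of the wildcard non-existence proof
#      are present in the response, and the AD (Authenticated Data) flag is
#      set or clear as each check expects.
#   2. The RFC 4592 example queries return the expected rcode and section
#      counts.
#   3. Wildcard expansion works for every single-octet label (0-255).
#
# DIG, PORT and echo_i are not defined here; they are expected to come from
# conf.sh.  The role of each server (authoritative, validating, ...) is taken
# from the check descriptions below; the server configuration itself is not
# part of this file.
#
# Each check sets ret=1 on any mismatch and adds it to status; the script
# exits 1 if any check failed.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0
n=0

rm -f dig.out.*

# Kept as one flat string on purpose: $DIGOPTS is expanded unquoted below so
# that it splits into separate dig arguments.
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"

#
# NSEC proofs (zone "nsec").
#
# The proof pattern matches an NSEC record line owned by a.wild.nsec.
# The AD checks use '|| ret=1' where the flag must be present and
# '&& ret=1' where it must be absent.
#

n=$((n + 1))
echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > "dig.out.ns1.test$n" || ret=1
grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > "dig.out.ns2.test$n" || ret=1
grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' "dig.out.ns2.test$n" > /dev/null || ret=1
# A non-validating server must not claim the data is authenticated.
grep -i 'flags:.* ad[ ;]' "dig.out.ns2.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' "dig.out.ns3.test$n" > /dev/null || ret=1
# AD must be set: the proof was validated.
grep -i 'flags:.* ad[ ;]' "dig.out.ns3.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)"
ret=0
$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > "dig.out.ns5.test$n" || ret=1
grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' "dig.out.ns5.test$n" > /dev/null || ret=1
# With CD (Checking Disabled) in the query, AD must not be set.
grep -i 'flags:.* ad[ ;]' "dig.out.ns5.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' "dig.out.ns4.test$n" > /dev/null || ret=1
# AD must be set on the answer from 10.53.0.4.
grep -i 'flags:.* ad[ ;]' "dig.out.ns4.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' "dig.out.ns3.test$n" > /dev/null || ret=1
# AD must NOT be set for the private zone on 10.53.0.3.
# NOTE(review): presumably this server has no trust anchor covering
# private.nsec - confirm against its configuration.
grep -i 'flags:.* ad[ ;]' "dig.out.ns3.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)"
ret=0
$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' "dig.out.ns4.test$n" > /dev/null || ret=1
# AD must be set for the private zone on 10.53.0.4.
grep -i 'flags:.* ad[ ;]' "dig.out.ns4.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# NSEC3 proofs (zone "nsec3").
#
# The patterns below are hard-coded hashed owner names.  NSEC3 hashes depend
# on the names in the zone and on the zone's NSEC3 parameters, so a change to
# either requires regenerating these strings.
#

n=$((n + 1))
echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > "dig.out.ns1.test$n" || ret=1
grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > "dig.out.ns2.test$n" || ret=1
grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' "dig.out.ns2.test$n" > /dev/null || ret=1
# AD must not be set by the non-validating server.
grep -i 'flags:.* ad[ ;]' "dig.out.ns2.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' "dig.out.ns3.test$n" > /dev/null || ret=1
# AD must be set: the proof was validated.
grep -i 'flags:.* ad[ ;]' "dig.out.ns3.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)"
ret=0
$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > "dig.out.ns5.test$n" || ret=1
grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' "dig.out.ns5.test$n" > /dev/null || ret=1
# With CD in the query, AD must not be set.
grep -i 'flags:.* ad[ ;]' "dig.out.ns5.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)"
ret=0
$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' "dig.out.ns4.test$n" > /dev/null || ret=1
# AD must be set on the answer from 10.53.0.4.
grep -i 'flags:.* ad[ ;]' "dig.out.ns4.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)"
ret=0
$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > "dig.out.ns3.test$n" || ret=1
grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' "dig.out.ns3.test$n" > /dev/null || ret=1
# AD must NOT be set for the private zone on 10.53.0.3 (see the matching
# NSEC check; same caveat about the trust anchor applies).
grep -i 'flags:.* ad[ ;]' "dig.out.ns3.test$n" > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)"
ret=0
$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > "dig.out.ns4.test$n" || ret=1
grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' "dig.out.ns4.test$n" > /dev/null || ret=1
# AD must be set for the private zone on 10.53.0.4.
grep -i 'flags:.* ad[ ;]' "dig.out.ns4.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# RFC 4592 example queries, all sent to 10.53.0.1.
#
# The dots in the record patterns are unescaped and therefore match any
# character; the literal text around them still pins the expected record.
#

echo_i "checking RFC 4592 responses ..."

n=$((n + 1))
echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > "dig.out.ns1.test$n" || ret=1
grep '^host3.example..*IN.MX.10 host1.example.' "dig.out.ns1.test$n" > /dev/null || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 1," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > "dig.out.ns1.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: foo.bar.example. QTYPE=TXT, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > "dig.out.ns1.test$n" || ret=1
grep '^foo.bar.example..*IN.TXT."this is a wildcard"' "dig.out.ns1.test$n" > /dev/null || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 1," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > "dig.out.ns1.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# NOTE(review): this check repeats the previous one verbatim (same query,
# same expectations).  It is kept so that test numbering is unchanged.
n=$((n + 1))
echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > "dig.out.ns1.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > "dig.out.ns1.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > "dig.out.ns1.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > "dig.out.ns1.test$n" || ret=1
grep "status: NOERROR" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
# The response must carry exactly the two NS records of the delegation.
grep "AUTHORITY: 2," "dig.out.ns1.test$n" > /dev/null || ret=1
grep "subdel.example..*IN.NS.ns.example.com." "dig.out.ns1.test$n" > /dev/null || ret=1
grep "subdel.example..*IN.NS.ns.example.net." "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > "dig.out.ns1.test$n" || ret=1
grep "status: NXDOMAIN" "dig.out.ns1.test$n" > /dev/null || ret=1
grep "ANSWER: 0," "dig.out.ns1.test$n" > /dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# Wildcard expansion for every single-octet label.
#
# Each code point 0-255 is queried as the label \DDD under example. and the
# owner name printed by dig is checked in one of three ways, depending on how
# the octet is expected to be rendered in the answer.
#

n=$((n + 1))
echo_i "check wild card expansions by code point ($n)"
ret=0
i=0
while [ "$i" -lt 256 ]; do
  # Zero-pad to the three digits of a \DDD escape.
  x=$(printf '%03d' "$i")
  out="dig.out.ns1.$x.test$n"

  # The query status is checked explicitly: the printable-character branch
  # below only looks for the absence of a backslash, so an empty output file
  # from a failed query would otherwise count as a pass.
  if ! $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > "$out"; then
    echo_i "query for code point $x failed"
    ret=1
  fi

  # Characters expected back as a backslash followed by the character itself:
  # "=34 $=36 (=40 )=41 .=46 ;=59 @=64 \=92
  # ('.' and '\' are additionally escaped for use inside the grep pattern.)
  case $i in
    34) a='"' ;;
    36) a='$' ;;
    40) a='(' ;;
    41) a=')' ;;
    46) a='\.' ;;
    59) a=';' ;;
    64) a='@' ;;
    92) a='\\' ;;
    *) a='' ;;
  esac

  if [ "$i" -le 32 ] || [ "$i" -ge 127 ]; then
    # Owner name is expected in \DDD form.
    grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' "$out" > /dev/null || {
      echo_i "code point $x failed"
      ret=1
    }
  elif [ -n "$a" ]; then
    # Owner name is expected as backslash + character.
    grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' "$out" > /dev/null || {
      echo_i "code point $x failed"
      ret=1
    }
  else
    # Any other character must come back unescaped: no output line may start
    # with a backslash.  The match is left on stdout, so an offending line
    # appears in the test output.  This branch does not itself confirm that
    # the wildcard TXT answer is present.
    grep '^\\' "$out" && {
      echo_i "code point $x failed"
      ret=1
    }
  fi
  i=$((i + 1))
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1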