bind/bin/tests/system/resolver/tests.sh

#!/bin/sh
#
# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001  Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id: tests.sh,v 1.17 2010/11/16 06:46:44 marka Exp $

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

echo "I:checking non-cachable NXDOMAIN response handling"
ret=0
$DIG +tcp nxdomain.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NXDOMAIN" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking non-cachable NODATA response handling"
ret=0
$DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1

if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking handling of bogus referrals"
# If the server has the "INSIST(!external)" bug, this query will kill it.
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1

echo "I:check handling of cname + other data / 1"
$DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1

echo "I:check handling of cname + other data / 2"
$DIG +tcp cname2.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1

echo "I:check that server is still running"
$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1

echo "I:checking answer IPv4 address filtering (deny)"
ret=0
$DIG +tcp www.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv6 address filtering (deny)"
ret=0
$DIG +tcp www.example.net @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv4 address filtering (accept)"
ret=0
$DIG +tcp www.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking answer IPv6 address filtering (accept)"
ret=0
$DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (deny)"
ret=0
$DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (accept)"
ret=0
$DIG +tcp goodcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking CNAME target filtering (accept due to subdomain)"
ret=0
$DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (deny)"
ret=0
$DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: SERVFAIL" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (accept)"
ret=0
$DIG +tcp foo.gooddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

echo "I:checking DNAME target filtering (accept due to subdomain)"
ret=0
$DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
grep "status: NOERROR" dig.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test check setup ($n)"
ret=0
# Check that "aa" is not being set by the authoritative server.
$DIG +tcp . @10.53.0.4 soa -p 5300 > dig.ns4.out.${n} || ret=1
grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test positive answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
$DIG +tcp . @10.53.0.5 soa -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test NODATA answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative nodata answers.
$DIG +tcp . @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I: RT21594 regression test NXDOMAIN answers ($n)"
ret=0
# Check that resolver accepts the non-authoritative positive answers.
$DIG +tcp noexistant @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} || ret=1
grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo "I:check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
ret=0
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=1
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
if [ $ret = 1 ]; then echo "I:mx priming failed"; fi
$NSUPDATE << EOF
server 10.53.0.6 5300
zone example.net
update delete mail.example.net A
update add mail.example.net 0 AAAA ::1
send
EOF
$DIG +tcp a mail.example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=2
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
if [ $ret = 2 ]; then echo "I:ncache priming failed"; fi
$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} || ret=3
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
$DIG +tcp rrsig mail.example.net +norec @10.53.0.7 -p 5300 > dig.ns7.out.${n}  || ret=4
grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`

echo "I:exit status: $status"
exit $status
added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00			`#!/bin/sh`
			`#`
update copyright notice 2010-05-19 09:33:50 +00:00			`# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")`
copyright update 2001-01-09 22:01:04 +00:00			`# Copyright (C) 2000, 2001 Internet Software Consortium.`
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your own CVS tree will help minimize CVS conflicts. Maybe not. Blame Graff for getting me to trim all trailing whitespace. 2000-08-01 01:33:37 +00:00			`#`
update copyright notice 2007-06-18 23:47:57 +00:00			`# Permission to use, copy, modify, and/or distribute this software for any`
added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00			`# purpose with or without fee is hereby granted, provided that the above`
			`# copyright notice and this permission notice appear in all copies.`
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your own CVS tree will help minimize CVS conflicts. Maybe not. Blame Graff for getting me to trim all trailing whitespace. 2000-08-01 01:33:37 +00:00			`#`
update copyright notice 2004-03-05 05:14:21 +00:00			`# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH`
			`# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY`
			`# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,`
			`# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM`
			`# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE`
			`# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR`
			`# PERFORMANCE OF THIS SOFTWARE.`

2970. [security] Adding a NO DATA negative cache entry failed to clear any matching RRSIG records. A subsequent lookup of of NO DATA cache entry could trigger a INSIST when the unexpected RRSIG was also returned with the NO DATA cache entry. [RT #22288] 2010-11-16 06:46:44 +00:00			`# $Id: tests.sh,v 1.17 2010/11/16 06:46:44 marka Exp $`
added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00
			`SYSTEMTESTTOP=..`
			`. $SYSTEMTESTTOP/conf.sh`

			`status=0`
2960. [func] Check that named accepts non-authoritative answers. [RT #21594] 2010-09-15 12:07:56 +00:00			`n=0`
added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00
2900. [bug] The placeholder negative caching element was not properly constructed triggering a INSIST in dns_ncache_towire(). [RT #21346] 2010-05-19 06:39:50 +00:00			`echo "I:checking non-cachable NXDOMAIN response handling"`
			`ret=0`
			`$DIG +tcp nxdomain.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NXDOMAIN" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking non-cachable NODATA response handling"`
			`ret=0`
			`$DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`

			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`
check that the server copes with responses containing a CNAME and other data 2000-07-28 22:42:42 +00:00			`echo "I:checking handling of bogus referrals"`
do two queries; added comments 2000-07-18 17:13:40 +00:00			`# If the server has the "INSIST(!external)" bug, this query will kill it.`
check that the server copes with responses containing a CNAME and other data 2000-07-28 22:42:42 +00:00			`$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null \|\| status=1`

			`echo "I:check handling of cname + other data / 1"`
			`$DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null \|\| status=1`

			`echo "I:check handling of cname + other data / 2"`
			`$DIG +tcp cname2.example.com. a @10.53.0.1 -p 5300 >/dev/null \|\| status=1`
do two queries; added comments 2000-07-18 17:13:40 +00:00
check that the server copes with responses containing a CNAME and other data 2000-07-28 22:42:42 +00:00			`echo "I:check that server is still running"`
			`$DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null \|\| status=1`
added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00
2604. [func] Add support for DNS rebinding attack prevention through new options, deny-answer-addresses and deny-answer-aliases. Based on contributed code from JD Nurmi, Google. [RT #18192] 2009-05-29 22:22:37 +00:00			`echo "I:checking answer IPv4 address filtering (deny)"`
			`ret=0`
			`$DIG +tcp www.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: SERVFAIL" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking answer IPv6 address filtering (deny)"`
			`ret=0`
			`$DIG +tcp www.example.net @10.53.0.1 aaaa -p 5300 > dig.out \|\| ret=1`
			`grep "status: SERVFAIL" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking answer IPv4 address filtering (accept)"`
			`ret=0`
			`$DIG +tcp www.example.org @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking answer IPv6 address filtering (accept)"`
			`ret=0`
			`$DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking CNAME target filtering (deny)"`
			`ret=0`
			`$DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: SERVFAIL" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking CNAME target filtering (accept)"`
			`ret=0`
			`$DIG +tcp goodcname.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking CNAME target filtering (accept due to subdomain)"`
			`ret=0`
			`$DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking DNAME target filtering (deny)"`
			`ret=0`
			`$DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: SERVFAIL" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking DNAME target filtering (accept)"`
			`ret=0`
			`$DIG +tcp foo.gooddname.example.net @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			`echo "I:checking DNAME target filtering (accept due to subdomain)"`
			`ret=0`
			`$DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out \|\| ret=1`
			`grep "status: NOERROR" dig.out > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

2960. [func] Check that named accepts non-authoritative answers. [RT #21594] 2010-09-15 12:07:56 +00:00			n=`expr $n + 1`
			`echo "I: RT21594 regression test check setup ($n)"`
			`ret=0`
			`# Check that "aa" is not being set by the authoritative server.`
			`$DIG +tcp . @10.53.0.4 soa -p 5300 > dig.ns4.out.${n} \|\| ret=1`
simplify grep 2010-09-15 23:22:02 +00:00			`grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null \|\| ret=1`
2960. [func] Check that named accepts non-authoritative answers. [RT #21594] 2010-09-15 12:07:56 +00:00			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			n=`expr $n + 1`
			`echo "I: RT21594 regression test positive answers ($n)"`
			`ret=0`
			`# Check that resolver accepts the non-authoritative positive answers.`
			`$DIG +tcp . @10.53.0.5 soa -p 5300 > dig.ns5.out.${n} \|\| ret=1`
			`grep "status: NOERROR" dig.ns5.out.${n} > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			n=`expr $n + 1`
			`echo "I: RT21594 regression test NODATA answers ($n)"`
			`ret=0`
			`# Check that resolver accepts the non-authoritative nodata answers.`
			`$DIG +tcp . @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} \|\| ret=1`
			`grep "status: NOERROR" dig.ns5.out.${n} > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`

			n=`expr $n + 1`
			`echo "I: RT21594 regression test NXDOMAIN answers ($n)"`
			`ret=0`
			`# Check that resolver accepts the non-authoritative positive answers.`
			`$DIG +tcp noexistant @10.53.0.5 txt -p 5300 > dig.ns5.out.${n} \|\| ret=1`
			`grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null \|\| ret=1`
			`if [ $ret != 0 ]; then echo "I:failed"; fi`
			status=`expr $status + $ret`
2900. [bug] The placeholder negative caching element was not properly constructed triggering a INSIST in dns_ncache_towire(). [RT #21346] 2010-05-19 06:39:50 +00:00
2970. [security] Adding a NO DATA negative cache entry failed to clear any matching RRSIG records. A subsequent lookup of of NO DATA cache entry could trigger a INSIST when the unexpected RRSIG was also returned with the NO DATA cache entry. [RT #22288] 2010-11-16 06:46:44 +00:00			n=`expr $n + 1`
			`echo "I:check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"`
			`ret=0`
			`$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} \|\| ret=1`
			`grep "status: NOERROR" dig.ns7.out.${n} > /dev/null \|\| ret=1`
			`if [ $ret = 1 ]; then echo "I:mx priming failed"; fi`
			`$NSUPDATE << EOF`
			`server 10.53.0.6 5300`
			`zone example.net`
			`update delete mail.example.net A`
			`update add mail.example.net 0 AAAA ::1`
			`send`
			`EOF`
			`$DIG +tcp a mail.example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} \|\| ret=2`
			`grep "status: NOERROR" dig.ns7.out.${n} > /dev/null \|\| ret=2`
			`grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null \|\| ret=2`
			`if [ $ret = 2 ]; then echo "I:ncache priming failed"; fi`
			`$DIG +tcp mx example.net @10.53.0.7 -p 5300 > dig.ns7.out.${n} \|\| ret=3`
			`grep "status: NOERROR" dig.ns7.out.${n} > /dev/null \|\| ret=3`
			`$DIG +tcp rrsig mail.example.net +norec @10.53.0.7 -p 5300 > dig.ns7.out.${n} \|\| ret=4`
			`grep "status: NOERROR" dig.ns7.out.${n} > /dev/null \|\| ret=4`
			`grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null \|\| ret=4`
			`if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi`
			status=`expr $status + $ret`

added resolver/ test directory, with a single regression test for the INSIST(!external) bug 2000-07-14 23:38:14 +00:00			`echo "I:exit status: $status"`
			`exit $status`