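#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named's EDNS COOKIE handling.
#
# Every check follows the same pattern: bump the test counter "n", announce
# the check with echo_i, run dig (or rndc) into dig.out.test$n, grep the
# output for the expected / forbidden strings, and fold the result into
# "status".  The script exits non-zero if any check failed.
#
# Requires ../conf.sh for DIG, RNDC, CHECKCONF, PORT, CONTROLPORT, PYTHON,
# DEFAULT_HMAC and the echo_i / rndc_dumpdb / nextpart / wait_for_log /
# stop_server / start_server helpers.

set -e

. ../conf.sh

DIGOPTS="-p ${PORT}"
RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"

status=0
n=0

#######################################
# Print the cookie value(s) from a dig output file.
# Arguments: $1 - dig output file
# Outputs:   third field of every "; COOKIE: <value> ..." line, one per line
#######################################
getcookie() {
  awk '$2 == "COOKIE:" {
    print $3;
  }' <"$1"
}

#######################################
# Compare the lengths of the second and third input lines.
# Reads cookie values on stdin (as produced by getcookie) and prints 1 when
# the second and third lines have the same length, 0 otherwise.  Used to
# confirm that the full server cookie was sent back on the TCP retry.
#######################################
fullcookie() {
  awk 'BEGIN { n = 0 }
    // { v[n++] = length(); }
    END { print (v[1] == v[2]); }'
}

#######################################
# Succeed if the dig output in $1 has the TC (truncated) flag set.
# Arguments: $1 - dig output file
#######################################
havetc() {
  grep 'flags:.* tc[^;]*;' "$1" >/dev/null
}

# Every bad*.conf must be rejected by named-checkconf.
for bad in bad*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  $CHECKCONF "$bad" >/dev/null 2>&1 && ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# Every good*.conf must be accepted by named-checkconf.
for good in good*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf accepts $good ($n)"
  ret=0
  $CHECKCONF "$good" >/dev/null 2>&1 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

n=$((n + 1))
echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
# Fixed test vector; ns7 is configured with answer-cookie false, so the
# option must be absent from its reply regardless of what we send.
oldcookie=b71d3138bb984fc50100000064a65cffbbf02482dfb99ba5
$DIG $DIGOPTS +cookie=$oldcookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1
grep COOKIE: dig.out.test$n >/dev/null && ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without COOKIE ($n)"
ret=0
# +ignore keeps dig from retrying over TCP, so TC in the UDP reply is visible.
$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size without valid COOKIE ($n)"
ret=0
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE ($n)"
ret=0
# Learn a good server cookie first; "cookie" is reused by several later checks.
$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1
cookie=$(getcookie dig.out.test$n.l)
$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking response size with COOKIE recursive ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1
havetc dig.out.test$n && ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking COOKIE is learnt for TCP retry ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1
# $linecount is deliberately unquoted in the tests below: some wc
# implementations pad the count with leading spaces.
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 3 ]; then ret=1; fi
checkfull=$(getcookie dig.out.test$n | fullcookie)
if [ $checkfull != 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for COOKIE value in adb ($n)"
ret=0
rndc_dumpdb ns1
grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie default (no) ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null && ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
# A BADCOOKIE reply must carry neither AA nor AD.
grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking +qr +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
# 48 dots = a full client+server cookie rendered in hex.
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $noerror != 3 ]; then ret=1; fi
if [ $badcookie != 1 ]; then ret=1; fi
if [ $server != 3 ]; then ret=1; fi
if [ $good != 2 ]; then ret=1; fi
if [ $linecount != 4 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking +showbadcookie ($n)"
ret=0
$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1
noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l)
badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l)
server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l)
good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l)
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $noerror != 1 ]; then ret=1; fi
if [ $badcookie != 1 ]; then ret=1; fi
if [ $server != 2 ]; then ret=1; fi
if [ $good != 2 ]; then ret=1; fi
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking require-server-cookie yes with rate-limit ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking 'server <prefix> { require-cookie yes; };' triggers TCP when cookie not returned ($n)"
ret=0
# Discard earlier log output so the wait_for_log_peek matches are fresh.
nextpart ns8/named.run >/dev/null
$DIG $DIGOPTS +cookie soa from-no-cookie-server.example @10.53.0.8 >dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
wait_for_log_peek 3 "missing required cookie from 10.53.0.7#" ns8/named.run || ret=1
wait_for_log_peek 3 "connected from" ns8/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "send undersized cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1
grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Previously this check reused the preceding test number and overwrote its
# dig.out.test$n file; it now gets its own number.
n=$((n + 1))
echo_i "check that BADCOOKIE is returned for a bad server COOKIE ($n)"
ret=0
# Zero out the learned cookie so the server part no longer verifies.
badcookie=$(echo $cookie | sed 's/[a-f0-9]/0/g')
$DIG $DIGOPTS +qr +cookie=$badcookie +nobadcookie soa example @10.53.0.1 >dig.out.test$n || ret=1
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1
grep "status: BADCOOKIE" dig.out.test$n >/dev/null || ret=1
linecount=$(getcookie dig.out.test$n | wc -l)
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

#
# Test shared cookie-secret support.
#
# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
# Server cookies from NS6 are accepted by NS5 and not NS4
#
# Force local address so that the client's address is the same to all servers.
#

n=$((n + 1))
echo_i "get NS4 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns4cookie=$(getcookie dig.out.test$n)
test -n "$ns4cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "get NS5 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns5cookie=$(getcookie dig.out.test$n)
test -n "$ns5cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "get NS6 cookie for cross server checking ($n)"
ret=0
$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
ns6cookie=$(getcookie dig.out.test$n)
test -n "$ns6cookie" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS4 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS5 (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "Restart NS4 with -T cookiealwaysvalid ($n)"
# Reset ret here: previously this step inherited the previous check's result.
ret=0
stop_server ns4
# start_server picks the -T option up from this marker file.
touch ns4/named.cookiealwaysvalid
start_server --noclean --restart --port ${PORT} ns4 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "test NS6 cookie on NS4 with -T cookiealwaysvalid (expect success) ($n)"
ret=0
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that test server is correctly configured ($n)"
ret=0
# 32 dots = the 16-byte cookie the ans9 test server returns, in hex.
pat="; COOKIE: ................................ (good)"
# NOTE(review): the TSIG PSEUDOSECTION checks for the .2/.3/.5/.6/.7
# responses below re-read dig.out.test$n.1 rather than their own file; this
# looks like a copy-paste slip but is left as-is until the intended
# expectations for those responses are confirmed.
#UDP
$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1
grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1
grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1

#TCP
$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1
grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6 || ret=1
grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7 || ret=1
grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1

$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8 || ret=1
grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1
grep "$pat" dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1

if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10; the resolver must log the missing
# cookie and only return the legitimate (TCP) answer, 10.53.0.9
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
ret=0
msg="missing expected cookie from"
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# check the disabled server response
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2 || ret=1
wait_for_log 5 "$msg" ns1/named.run || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
ret=0
pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
# prime EDNS COOKIE state
$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1
grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
rndc_dumpdb ns1
grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
# spoofed response contains 10.53.0.10
nextpart ns1/named.run >/dev/null
$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1
grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1
# Exactly one NOERROR response should have been accepted from the server.
nextpart ns1/named.run >named.run.test$n
count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
test $count -eq 1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The TSIG test server (ans10) needs dnspython >= 1.16; skip these checks
# on older versions.
if $PYTHON -c '
import dns.version, sys;
if dns.version.MAJOR > 1: sys.exit(0);
if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
sys.exit(1)'; then
  n=$((n + 1))
  echo_i "check that TSIG test server is correctly configured ($n)"
  ret=0
  pat="; COOKIE: ................................ (good)"
  key="${DEFAULT_HMAC}:foo:aaaaaaaaaaaa"
  # NOTE(review): the 'TSIG.*NOERROR' checks for the .2/.3/.5/.6/.7
  # responses below re-read dig.out.test$n.1 rather than their own file;
  # left as-is until the intended expectations are confirmed.
  #UDP
  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1
  grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  #TCP
  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1
  grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1
  grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1
  grep "$pat" dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1
  grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1
  grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1

  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

  n=$((n + 1))
  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
  ret=0
  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
  # prime EDNS COOKIE state
  $DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1 || ret=1
  grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1
  rndc_dumpdb ns1
  grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1
  # check the disabled server response
  nextpart ns1/named.run >/dev/null
  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2 || ret=1
  grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1
  grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1
  # Both the UDP answer and the TSIG-verified one count; no TCP retry expected.
  nextpart ns1/named.run >named.run.test$n
  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
  test $count -eq 2 || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
fi

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1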