From 9597a3aaca3f269e5533785003f0e5922d19a2aa Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 28 Dec 2022 15:55:43 +0000 Subject: [PATCH 1/9] Add nsupdate timeout tests * nsupdate should take 12 seconds (one try and three retries with 3 second timeout for each), UDP mode * nsupdate -u 4 -r 1 should take 8 seconds (one try and one retry with 4 second timeout for each), UDP mode * nsupdate -u 0 -t 8 -r 1 should also take 8 seconds, UDP mode * nsupdate -u 4 -t 30 -r 1 should also take 8 seconds, as -u takes precedence over -t, UDP mode * nsupdate -t 8 -v should also take 8 seconds, TCP mode (cherry picked from commit 5ce2ed068845e6d05e843fc7f720d08e12f266d7) --- bin/tests/system/nsupdate/ans4/ans.pl | 5 + bin/tests/system/nsupdate/tests.sh | 250 +++++++++++++++++--------- 2 files changed, 171 insertions(+), 84 deletions(-) diff --git a/bin/tests/system/nsupdate/ans4/ans.pl b/bin/tests/system/nsupdate/ans4/ans.pl index d4299c492b..30c792f1cf 100644 --- a/bin/tests/system/nsupdate/ans4/ans.pl +++ b/bin/tests/system/nsupdate/ans4/ans.pl @@ -31,6 +31,8 @@ if (!$localport) { $localport = 5300; } my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; print "listening on $server_addr:$localport.\n"; @@ -49,6 +51,7 @@ for (;;) { $rin = ''; vec($rin, fileno($udpsock), 1) = 1; + vec($rin, fileno($tcpsock), 1) = 1; select($rout = $rin, undef, undef, undef); @@ -56,5 +59,7 @@ for (;;) { printf "UDP request\n"; my $buf; $udpsock->recv($buf, 512); + } elsif (vec($rout, fileno($tcpsock), 1)) { + printf "TCP request\n"; } } diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index c3ad998505..9b6c774753 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
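Review bot: In the last ans.pl hunk the new `elsif (vec($rout, fileno($tcpsock), 1))` branch only prints "TCP request" and never calls accept(), so once a client connects the listening socket stays readable and the `select` in the enclosing `for (;;)` loop returns at once on every pass. As far as the visible lines show, the test server then spins at full CPU and appends "TCP request" to its output without bound until it is killed. Accepting and parking the connection keeps the never-answers behaviour the TCP timeout test relies on without the spin, e.g. `push @held, $tcpsock->accept;` with `my @held;` declared before the loop. Letting the accepted handle go out of scope would close it, which would likely turn the expected timeout into a connection error. The loop begins outside the hunk, so any handling elsewhere in the file is not visible here.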
@@ -738,7 +738,7 @@ grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1 n=$((n + 1)) ret=0 echo_i "check 'grant' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example @@ -752,7 +752,7 @@ grep "added" dig.out.ns9.test$n > /dev/null || ret=1 n=$((n + 1)) ret=0 echo_i "check 'deny' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example @@ -1033,7 +1033,7 @@ grep "bad name" nsupdate.out4-$n > /dev/null && ret=1 n=$((n + 1)) echo_i "check adding of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update add child.delegation.test. 3600 NS foo.example.net. @@ -1048,7 +1048,7 @@ grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 n=$((n + 1)) echo_i "check deleting of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. 
@@ -1062,13 +1062,13 @@ grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 n=$((n + 1)) echo_i "check that adding too many records is blocked ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone too-big.test. update add r1.too-big.test 3600 IN TXT r1.too-big.test send EOF -grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1 +grep "update failed: SERVFAIL" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1 
@@ -1076,15 +1076,97 @@ grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || n=$((n + 1)) ret=0 -echo_i "check whether valid addresses are used for primary failover ($n)" -$NSUPDATE -t 1 < nsupdate.out-$n 2>&1 && ret=1 +echo_i "check whether valid addresses are used for primary failover (UDP with defaults) ($n)" +t1=$($PERL -e 'print time()') +$NSUPDATE < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1 +t2=`$PERL -e 'print time()'` +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +elapsed=$((t2 - t1)) +# Check that default timeout value is respected, there should be 4 tries with 3 seconds each. +test $elapsed -lt 12 && ret=1 +test $elapsed -gt 15 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout) ($n)" +t1=$($PERL -e 'print time()') +$NSUPDATE -u 4 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +server 10.53.0.4 ${PORT} +zone unreachable. +update add unreachable. 600 A 192.0.2.1 +send +END +t2=`$PERL -e 'print time()'` +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +elapsed=$((t2 - t1)) +# Check that given timeout value is respected, there should be 2 tries with 4 seconds each. 
+test $elapsed -lt 8 && ret=1 +test $elapsed -gt 12 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check whether valid addresses are used for primary failover (UDP with -t timeout) ($n)" +t1=$($PERL -e 'print time()') +$NSUPDATE -u 0 -t 8 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +server 10.53.0.4 ${PORT} +zone unreachable. +update add unreachable. 600 A 192.0.2.1 +send +END +t2=`$PERL -e 'print time()'` +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +elapsed=$((t2 - t1)) +# Check that given timeout value is respected, there should be 2 tries with 4 seconds each. +test $elapsed -lt 8 && ret=1 +test $elapsed -gt 12 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout -t timeout) ($n)" +t1=$($PERL -e 'print time()') +$NSUPDATE -u 4 -t 30 -r 1 < nsupdate.out.test$n 2>&1 && ret=1 +server 10.53.0.4 ${PORT} +zone unreachable. +update add unreachable. 600 A 192.0.2.1 +send +END +t2=`$PERL -e 'print time()'` +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +elapsed=$((t2 - t1)) +# Check that given timeout value is respected, there should be 2 tries with 4 seconds each, as -u takes precedence over -t. +test $elapsed -lt 8 && ret=1 +test $elapsed -gt 12 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check whether valid addresses are used for primary failover (TCP with -t timeout) ($n)" +t1=$($PERL -e 'print time()') +$NSUPDATE -t 8 -v < nsupdate.out.test$n 2>&1 && ret=1 +server 10.53.0.4 ${PORT} +zone unreachable. +update add unreachable. 
600 A 192.0.2.1 +send +END +t2=`$PERL -e 'print time()'` +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +elapsed=$((t2 - t1)) +# Check that given timeout value is respected, there should be 1 try with 8 seconds. +test $elapsed -lt 8 && ret=1 +test $elapsed -gt 12 && ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) 
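Review bot: The five timing checks added in this hunk fail on wall-clock bounds (`test $elapsed -gt 15`, `test $elapsed -gt 12`), but the failure path prints only "failed", so a miss on a loaded CI host cannot be told apart from a real timeout regression. I would record the measurement, e.g. `[ $ret = 0 ] || { echo_i "failed (elapsed=${elapsed}s)"; status=1; }`, and check that three to four seconds of slack is enough for the slowest runners. The blocks also mix `t1=$(...)` with a backtick `t2=` for the same command; using `$(...)` for both would be consistent. Since the blocks differ only in the nsupdate options and the two bounds, a small helper taking those as arguments would keep the copies from drifting apart.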
@@ -1148,39 +1230,39 @@ grep "syntax error" nsupdate.out > /dev/null && ret=1 n=$((n + 1)) ret=0 echo_i "check nsupdate -4 -6 ($n)" -$NSUPDATE -4 -6 < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -4 -6 < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "only one of -4 and -6 allowed" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) ret=0 echo_i "check nsupdate -4 with an IPv6 server address ($n)" -$NSUPDATE -4 < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -4 < nsupdate.out.test$n 2>&1 && ret=1 server fd92:7065:b8e:ffff::2 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "address family not supported" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) ret=0 echo_i "check that TKEY in a update is rejected ($n)" -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== send END -grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 -grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "UPDATE, status: NOERROR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "UPDATE, status: FORMERR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) 
@@ -1250,7 +1332,7 @@ grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 nextpart ns3/named.run > /dev/null # specify zone to override the default of adding to parent zone -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1269,7 +1351,7 @@ echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is n $DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1289,7 +1371,7 @@ $DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 nextpart ns3/named.run > /dev/null -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== 
@@ -1308,7 +1390,7 @@ echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)" $DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1323,7 +1405,7 @@ echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)" $DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== @@ -1335,12 +1417,12 @@ retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 n=$((n + 1)) ret=0 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)" -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in NSEC3PARAM 1 0 151 - END -grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1 +grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) 
@@ -1351,13 +1433,13 @@ echo_i "check nsupdate retries with another server on REFUSED response ($n)" # that's what we're testing for. (failure is still expected, however, # because the address lookup for the primary doesn't use the overridden # resolv.conf file). -$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out.test$n 2>&1 && ret=1 zone example update add a 3600 IN A 1.2.3.4 send EOF -grep '10.53.0.1.*REFUSED' nsupdate.out-$n > /dev/null || ret=1 -grep 'Reply from SOA query' nsupdate.out-$n > /dev/null || ret=1 +grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1 +grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) @@ -1396,7 +1478,7 @@ else echo_i "check krb5-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1414,7 +1496,7 @@ EOF echo_i "check krb5-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1422,7 +1504,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.7 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1432,7 +1514,7 @@ EOF echo_i "check krb5-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1450,7 +1532,7 @@ EOF echo_i "check krb5-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1458,7 +1540,7 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1468,7 +1550,7 @@ EOF echo_i "check krb5-subdomain-self-rhs match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1486,7 +1568,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1494,7 +1576,7 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1504,7 +1586,7 @@ EOF echo_i "check krb5-subdomain-self-rhs match SRV ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1522,7 +1604,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1542,7 +1624,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1550,7 +1632,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1560,7 +1642,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1568,7 +1650,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1581,7 +1663,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1598,7 +1680,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1606,7 +1688,7 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 
@@ -1620,7 +1702,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1637,7 +1719,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1645,7 +1727,7 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1659,7 +1741,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1676,7 +1758,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1684,7 +1766,7 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1698,7 +1780,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1715,7 +1797,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1723,7 +1805,7 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1734,7 +1816,7 @@ EOF echo_i "check krb5-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} 
@@ -1752,7 +1834,7 @@ EOF echo_i "check krb5-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} @@ -1760,7 +1842,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.8 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1770,7 +1852,7 @@ EOF echo_i "check ms-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1788,7 +1870,7 @@ EOF echo_i "check ms-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1796,7 +1878,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.9 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1806,7 +1888,7 @@ EOF echo_i "check ms-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} 
@@ -1824,7 +1906,7 @@ EOF echo_i "check ms-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1832,7 +1914,7 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1842,7 +1924,7 @@ EOF echo_i "check ms-subdomain-self-rhs match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1860,7 +1942,7 @@ EOF echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1868,7 +1950,7 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1878,7 +1960,7 @@ EOF echo_i "check ms-subdomain-self-rhs match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1896,7 +1978,7 @@ EOF echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1904,7 +1986,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1917,7 +1999,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1934,7 +2016,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -1942,7 +2024,7 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -1956,7 +2038,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1973,7 +2055,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1981,7 +2063,7 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -1995,7 +2077,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -2012,7 +2094,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2020,7 +2102,7 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -2034,7 +2116,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2051,7 +2133,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2059,7 +2141,7 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 
@@ -2070,7 +2152,7 @@ EOF echo_i "check ms-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2088,7 +2170,7 @@ EOF echo_i "check ms-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2096,7 +2178,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.10 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } From b015b87fdcdbd753c65bd420373d976a0c6babe7 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 12 Dec 2022 11:36:42 +0000 Subject: [PATCH 2/9] nsupdate: when set to 0, UDP timeout should be calculated by dns_request The manual page of nsupdate's '-u udptimeout' option states that, quote: > If zero, the interval is computed from the timeout interval and number > of UDP retries. However, nsupdate sets the UDP timeout value to UINT_MAX when it is 0, thus, not behaving as documented. Let dns_request_create() calculate the UDP timeout, if it was set to 0. (cherry picked from commit 0ef11c0ccbea4db66f9edd6818a3a836f6c625f2) --- bin/nsupdate/nsupdate.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3dceff7b3e..0d0f115e26 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c 
@@ -1177,9 +1177,6 @@ parse_args(int argc, char **argv) { isc_commandline_argument); exit(1); } - if (udp_timeout == 0) { - udp_timeout = UINT_MAX; - } break; case 'r': result = isc_parse_uint32(&udp_retries, From 4dc2ff79d6c0ecbe9f2c42f133348a73ed158432 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 12 Dec 2022 11:55:09 +0000 Subject: [PATCH 3/9] Synchronize dns_request_createraw() and dns_request_create() UDP timeout The dns_request_createraw() function, unlike dns_request_create(), when calculating the UDP timeout value, doesn't check that 'udpretries' is not zero, and that is the more logical behavior, because the calculation formula uses division to 'udpretries + 1', where '1' is the first try. Change the dns_request_create() function to remove the 'udpretries != 0' condition. Add a 'REQUIRE(udpretries != UINT_MAX)' check to protect from a division by zero. Make the 'request->udpcount' field to represent the number of tries, instead of the number of retries. (cherry picked from commit 643abfbba7fe9eb7e2000ee3015c7e680cc590a2) --- lib/dns/request.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/dns/request.c b/lib/dns/request.c index e5066798f8..1103bea49f 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -488,6 +488,8 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, REQUIRE(action != NULL); REQUIRE(requestp != NULL && *requestp == NULL); REQUIRE(timeout > 0); + REQUIRE(udpretries != UINT_MAX); + if (srcaddr != NULL) { REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr)); } @@ -510,7 +512,7 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, return (result); } - request->udpcount = udpretries; + request->udpcount = udpretries + 1; request->event = (dns_requestevent_t *)isc_event_allocate( mctx, task, DNS_EVENT_REQUESTDONE, action, arg, 
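Review bot: The added `REQUIRE(udpretries != UINT_MAX);` in dns_request_createraw(), and the identical one added to dns_request_create() further down, makes an out-of-range retry count abort the process, and later in this series nsupdate hands its `-r` value to dns_request_create() as `udp_retries`. The `case 'r':` branch of parse_args() is only partly visible, so whether it bounds the value cannot be confirmed from here; if it does not, `-r 4294967295` would end in an assertion failure rather than a usage error. I would reject `udp_retries == UINT_MAX` in that branch through the same message-and-`exit(1)` path the neighbouring option uses. I would also put `/* udpretries + 1 is the divisor for the UDP timeout below; UINT_MAX would wrap it to 0 */` above each REQUIRE so the reason for the bound sits next to it. Both function bodies continue outside their hunks.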
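Review bot: `request->udpcount = udpretries + 1;` changes the field from "retries left" to "tries left", but nothing at the assignment says so. The same assignment is made in dns_request_create(), and the test in req_response() moves from `!= 0` to `> 1` to match. Any other reader of `udpcount` outside these hunks, if one exists, would now be off by one with no compiler diagnostic. A comment at both assignments such as `/* udpcount is the number of tries: the first send plus udpretries */`, repeated on the struct field (not visible here), would keep the two meanings from being mixed up again.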
@@ -531,7 +533,7 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, request->timeout = timeout * 1000; } else { if (udptimeout == 0) { - udptimeout = timeout / (udpretries + 1); + udptimeout = timeout / request->udpcount; } if (udptimeout == 0) { udptimeout = 1; @@ -642,6 +644,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message, REQUIRE(action != NULL); REQUIRE(requestp != NULL && *requestp == NULL); REQUIRE(timeout > 0); + REQUIRE(udpretries != UINT_MAX); mctx = requestmgr->mctx; @@ -667,7 +670,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message, return (result); } - request->udpcount = udpretries; + request->udpcount = udpretries + 1; request->event = (dns_requestevent_t *)isc_event_allocate( mctx, task, DNS_EVENT_REQUESTDONE, action, arg, @@ -690,8 +693,8 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message, tcp = true; request->timeout = timeout * 1000; } else { - if (udptimeout == 0 && udpretries != 0) { - udptimeout = timeout / (udpretries + 1); + if (udptimeout == 0) { + udptimeout = timeout / request->udpcount; } if (udptimeout == 0) { udptimeout = 1; @@ -1056,7 +1059,7 @@ req_response(isc_result_t result, isc_region_t *region, void *arg) { if (result == ISC_R_TIMEDOUT) { LOCK(&request->requestmgr->locks[request->hash]); - if (request->udpcount != 0) { + if (request->udpcount > 1) { request->udpcount -= 1; dns_dispatch_resume(request->dispentry, request->timeout); From 14084d8eac43f32ecfcac1ad493d6bac6449b1a6 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 12 Dec 2022 12:08:16 +0000 Subject: [PATCH 4/9] Perform request validation in req_response() before using the pointer The 'request' pointer is used before it is checked. Perform the check before using the pointer. (cherry picked from commit 5b373596975862b4f6df2f70516db02683a9e7fc) --- lib/dns/request.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/dns/request.c b/lib/dns/request.c index 1103bea49f..8f53d37812 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -1057,6 +1057,8 @@ req_response(isc_result_t result, isc_region_t *region, void *arg) { req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request, isc_result_totext(result)); + REQUIRE(VALID_REQUEST(request)); + if (result == ISC_R_TIMEDOUT) { LOCK(&request->requestmgr->locks[request->hash]); if (request->udpcount > 1) { @@ -1074,8 +1076,6 @@ req_response(isc_result_t result, isc_region_t *region, void *arg) { goto done; } - REQUIRE(VALID_REQUEST(request)); - LOCK(&request->requestmgr->locks[request->hash]); if (result != ISC_R_SUCCESS) { From 7beda284d20e501c469e4493ea72eb082f2bae64 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 12 Dec 2022 12:12:13 +0000 Subject: [PATCH 5/9] Do not resend TCP requests The req_response() function is using 'udpcount' variable to resend the request 'udpcount' times on timeout even for TCP requests, which does not make sense, as it would use the same connection. Add a condition to use the resend logic only for UDP requests. (cherry picked from commit edcdb881da9aefaaadb9b6e4de2ff372ed395ab0) --- lib/dns/request.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/dns/request.c b/lib/dns/request.c index 8f53d37812..b2b7b119b9 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -1061,7 +1061,9 @@ req_response(isc_result_t result, isc_region_t *region, void *arg) { if (result == ISC_R_TIMEDOUT) { LOCK(&request->requestmgr->locks[request->hash]); - if (request->udpcount > 1) { + if (request->udpcount > 1 && + (request->flags & DNS_REQUEST_F_TCP) == 0) + { request->udpcount -= 1; dns_dispatch_resume(request->dispentry, request->timeout); From d861433ad41493dd54eaca36d6ae653301655bf9 Mon Sep 17 00:00:00 2001 
From: Aram Sargsyan Date: Wed, 28 Dec 2022 10:12:12 +0000 Subject: [PATCH 6/9] Update nsupdate -t option's documentation Add some clarifications about the -t option's behavior differences in TCP and UDP modes. (cherry picked from commit a00540ac24d32109df2d3219dfc6579389083a1b) --- bin/nsupdate/nsupdate.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst index b91a606845..81bb4815cf 100644 --- a/bin/nsupdate/nsupdate.rst +++ b/bin/nsupdate/nsupdate.rst @@ -141,7 +141,11 @@ Options .. option:: -t timeout This option sets the maximum time an update request can take before it is aborted. The - default is 300 seconds. If zero, the timeout is disabled. + default is 300 seconds. If zero, the timeout is disabled for TCP mode. For UDP mode, + the option :option:`-u` takes precedence over this option, unless the option :option:`-u` + is set to zero, in which case the interval is computed from the :option:`-t` timeout interval + and the number of UDP retries. For UDP mode, the timeout can not be disabled, and will + be rounded up to 1 second in case if both :option:`-t` and :option:`-u` are set to zero. .. option:: -T From 9e42bfd1a028731122d7a949cf0dd35632f88ad1 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 28 Dec 2022 10:20:37 +0000 Subject: [PATCH 7/9] nsupdate: use the configurable timeout and retry values for all queries The 'nsupdate' tool, when sending SOA queries, uses a hard-coded value 3 UDP retries and of 5 seconds of timeout for UDP queries, and 100 seconds of timeout for TCP queries. Use the timeout and retry values which can be configured using the -t, -u, -r command line options, and which are already used for sending the update query. (cherry picked from commit 3ef2a30c75072d8f677c619bc12814d9219014c3) --- bin/nsupdate/nsupdate.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 0d0f115e26..7d52ecfdc7 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -96,12 +96,11 @@ #include "../dig/readline.h" -#define MAXCMD (128 * 1024) -#define MAXWIRE (64 * 1024) -#define INITTEXT (2 * 1024) -#define MAXTEXT (128 * 1024) -#define FIND_TIMEOUT 5 -#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */ +#define MAXCMD (128 * 1024) +#define MAXWIRE (64 * 1024) +#define INITTEXT (2 * 1024) +#define MAXTEXT (128 * 1024) +#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */ #define DNSDEFAULTPORT 53 @@ -2611,9 +2610,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) { } result = dns_request_create(requestmgr, soaquery, srcaddr, addr, - 0, NULL, FIND_TIMEOUT * 20, - FIND_TIMEOUT, 3, global_task, - recvsoa, reqinfo, &request); + 0, NULL, timeout, udp_timeout, + udp_retries, global_task, recvsoa, + reqinfo, &request); check_result(result, "dns_request_create"); requests++; return; @@ -2838,9 +2837,9 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, } result = dns_request_create(requestmgr, msg, srcaddr, destaddr, 0, - default_servers ? NULL : tsigkey, - FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, - global_task, recvsoa, reqinfo, request); + default_servers ? NULL : tsigkey, timeout, + udp_timeout, udp_retries, global_task, + recvsoa, reqinfo, request); check_result(result, "dns_request_create"); requests++; } @@ -3040,7 +3039,7 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg, } result = dns_request_create(requestmgr, msg, srcaddr, destaddr, options, - tsigkey, FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, + tsigkey, timeout, udp_timeout, udp_retries, global_task, recvgss, reqinfo, request); check_result(result, "dns_request_create"); if (debugging) { From 1287b0b0e892351d41f460762522954adc8be3f2 Mon Sep 17 00:00:00 2001 
From: Aram Sargsyan Date: Wed, 28 Dec 2022 16:29:26 +0000 Subject: [PATCH 8/9] Add a CHANGES note for [GL #3674] (cherry picked from commit ef81775e7b04329214f15b3f6dd8330c0554e5c6) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index d3a57d1df4..4db698c6f3 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ determining if revoked keys needs to be removed from the trust anchors. [GL #3981] +6141. [bug] Fix several issues in nsupdate timeout handling and + update the -t option's documentation. [GL #3674] + 6138. [doc] Fix the DF-flag documentation on the outgoing UDP packets. [GL #3710] From a7d5ccdb1bfa0b95479eed6e0d05a9cf532ce90f Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 31 Mar 2023 12:25:01 +0000 Subject: [PATCH 9/9] nsupdate: set network manager default timeout values The default values are currently set to 30 seconds, use nsupdate default (or overriden using the -t option) timeout value instead. (cherry picked from commit 98c8135692d30f8737810db2e6dfd5d34ffd8011) --- bin/nsupdate/nsupdate.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 7d52ecfdc7..7cb8d201ea 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -3394,6 +3394,8 @@ getinput(isc_task_t *task, isc_event_t *event) { int main(int argc, char **argv) { isc_result_t result; + uint32_t timeoutms; + style = &dns_master_style_debug; input = stdin; @@ -3420,6 +3422,10 @@ main(int argc, char **argv) { setup_system(); + /* Set the network manager timeouts in milliseconds. */ + timeoutms = timeout * 1000; + isc_nm_settimeouts(netmgr, timeoutms, timeoutms, timeoutms, timeoutms); + result = isc_app_onrun(gmctx, global_task, getinput, NULL); check_result(result, "isc_app_onrun");
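Review bot: `timeoutms = timeout * 1000;` in main() can wrap before the value reaches isc_nm_settimeouts(). `timeoutms` is a `uint32_t`, and if `timeout` is a 32-bit unsigned as well (its declaration is outside the hunk), any `-t` value above 4294967 produces a much shorter timeout than requested, so a long timeout chosen to ride out a slow server silently becomes a short one. Saturating instead of wrapping keeps long timeouts long: `timeoutms = (timeout > UINT32_MAX / 1000) ? UINT32_MAX : timeout * 1000;`. main()'s body continues outside the hunk.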