
[src/trunk]: src/external/mpl/bind/dist Import bind 9.14.8 (security fix -- l...



details:   https://anonhg.NetBSD.org/src/rev/7d7c71996b0c
branches:  trunk
changeset: 461383:7d7c71996b0c
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Nov 24 19:56:50 2019 +0000

description:
Import bind 9.14.8 (security fix -- limits on concurrent TCP queries)

        --- 9.14.8 released ---

5315.   [bug]           Apply the initial RRSIG expiration spread fixed
                        to all dynamically created records in the zone
                        including NSEC3. Also fix the signature clusters
                        when the server has been offline for prolonged
                        periods of time. [GL #1256]

5314.   [func]          Added a new statistics variable "tcp-highwater"
                        that reports the maximum number of simultaneous TCP
                        clients BIND has handled while running. [GL #1206]

5313.   [bug]           The default GeoIP2 database location did not match
                        the ARM.  'named -V' now reports the default
                        location. [GL #1301]

5310.   [bug]           TCP failures were affecting EDNS statistics. [GL #1059]

5308.   [bug]           Don't log DNS_R_UNCHANGED from sync_secure_journal()
                        at ERROR level in receive_secure_serial(). [GL #1288]

5307.   [bug]           Fix hang when named-compilezone output is sent to pipe.
                        Thanks to Tony Finch. [GL !2481]

5306.   [security]      Set a limit on the number of concurrently served
                        pipelined TCP queries. (CVE-2019-6477) [GL #1264]

5305.   [bug]           NSEC Aggressive Cache ("synth-from-dnssec") has been
                        disabled by default because it was found to have
                        a significant performance impact on the recursive
                        service. [GL #1265]

5304.   [bug]           "dnskey-sig-validity 0;" was not being accepted.
                        [GL #876]

5302.   [bug]           Fix checking that "dnstap-output" is defined when
                        "dnstap" is specified in a view. [GL #1281]

5301.   [bug]           Detect partial prefixes / incomplete IPv4 address in
                        acls. [GL #1143]

diffstat:

 external/mpl/bind/dist/CHANGES                                                     |   48 +-
 external/mpl/bind/dist/README                                                      |    5 +
 external/mpl/bind/dist/README.md                                                   |    5 +
 external/mpl/bind/dist/bin/tests/system/autosign/clean.sh                          |    1 +
 external/mpl/bind/dist/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in    |   20 +
 external/mpl/bind/dist/bin/tests/system/autosign/ns3/keygen.sh                     |   24 +-
 external/mpl/bind/dist/bin/tests/system/autosign/ns3/named.conf.in                 |    9 +
 external/mpl/bind/dist/bin/tests/system/autosign/tests.sh                          |   76 +
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf     |    3 +
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf     |    3 +
 external/mpl/bind/dist/bin/tests/system/checkconf/bad-ipv4-prefix2.conf            |    3 +
 external/mpl/bind/dist/bin/tests/system/checkconf/good-dnskey-validity-3660.conf   |   14 +
 external/mpl/bind/dist/bin/tests/system/checkconf/good-dnskey-validity-zero.conf   |   14 +
 external/mpl/bind/dist/bin/tests/system/conf.sh.common                             |   32 +-
 external/mpl/bind/dist/bin/tests/system/digdelv/tests.sh                           |   12 +-
 external/mpl/bind/dist/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf |    3 +
 external/mpl/bind/dist/bin/tests/system/dnstap/good-dnstap-in-options.conf         |    5 +
 external/mpl/bind/dist/bin/tests/system/dnstap/good-dnstap-in-view.conf            |    8 +
 external/mpl/bind/dist/bin/tests/system/filter-aaaa/tests.sh                       |   27 +-
 external/mpl/bind/dist/bin/tests/system/geoip2/tests.sh                            |   22 +-
 external/mpl/bind/dist/bin/tests/system/legacy/tests.sh                            |   23 +
 external/mpl/bind/dist/bin/tests/system/staticstub/tests.sh                        |    2 +-
 external/mpl/bind/dist/bin/tests/system/synthfromdnssec/tests.sh                   |    4 +-
 external/mpl/bind/dist/bin/tests/system/tcp/ans6/ans.py                            |  153 +
 external/mpl/bind/dist/bin/tests/system/tcp/clean.sh                               |    2 +
 external/mpl/bind/dist/bin/tests/system/tcp/ns5/named.conf.in                      |   43 +
 external/mpl/bind/dist/bin/tests/system/tcp/prereq.sh                              |   19 +
 external/mpl/bind/dist/bin/tests/system/tcp/setup.sh                               |    1 +
 external/mpl/bind/dist/bin/tests/system/tcp/tests.sh                               |   90 +
 external/mpl/bind/dist/cocci/dns_name_copy-with-result.spatch                      |   30 +
 external/mpl/bind/dist/cocci/dns_name_copy.spatch                                  |   30 +
 external/mpl/bind/dist/cocci/dns_name_copynf.spatch                                |    6 +
 external/mpl/bind/dist/configure.ac                                                |    5 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM-book.xml                                     |   74 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch01.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch02.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch03.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch04.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch05.html                                    |   70 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch06.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch07.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch08.html                                    |  972 ++++++++-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch09.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch10.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch11.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch12.html                                    |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.html                                         |   18 +-
 external/mpl/bind/dist/doc/arm/Makefile.in                                         |   15 +-
 external/mpl/bind/dist/doc/arm/man.arpaname.html                                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.ddns-confgen.html                               |    2 +-
 external/mpl/bind/dist/doc/arm/man.delv.html                                       |    2 +-
 external/mpl/bind/dist/doc/arm/man.dig.html                                        |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-cds.html                                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-checkds.html                             |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-coverage.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-dsfromkey.html                           |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-importkey.html                           |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keyfromlabel.html                        |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keygen.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keymgr.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-revoke.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-settime.html                             |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-signzone.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-verify.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnstap-read.html                                |    2 +-
 external/mpl/bind/dist/doc/arm/man.filter-aaaa.html                                |    2 +-
 external/mpl/bind/dist/doc/arm/man.host.html                                       |    2 +-
 external/mpl/bind/dist/doc/arm/man.mdig.html                                       |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-checkconf.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-checkzone.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-journalprint.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-nzd2nzf.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-rrchecker.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.named.conf.html                                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.named.html                                      |    2 +-
 external/mpl/bind/dist/doc/arm/man.nsec3hash.html                                  |    2 +-
 external/mpl/bind/dist/doc/arm/man.nslookup.html                                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.nsupdate.html                                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-destroy.html                             |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-keygen.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-list.html                                |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-tokens.html                              |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc-confgen.html                               |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc.conf.html                                  |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc.html                                       |    2 +-
 external/mpl/bind/dist/doc/arm/notes-9.14.0.xml                                    |  486 +++++
 external/mpl/bind/dist/doc/arm/notes-9.14.1.xml                                    |   62 +
 external/mpl/bind/dist/doc/arm/notes-9.14.2.xml                                    |   36 +
 external/mpl/bind/dist/doc/arm/notes-9.14.3.xml                                    |   42 +
 external/mpl/bind/dist/doc/arm/notes-9.14.4.xml                                    |   73 +
 external/mpl/bind/dist/doc/arm/notes-9.14.5.xml                                    |   86 +
 external/mpl/bind/dist/doc/arm/notes-9.14.6.xml                                    |   26 +
 external/mpl/bind/dist/doc/arm/notes-9.14.7.xml                                    |   34 +
 external/mpl/bind/dist/doc/arm/notes-9.14.8.xml                                    |   50 +
 external/mpl/bind/dist/doc/arm/notes-download.xml                                  |    2 +-
 external/mpl/bind/dist/doc/arm/notes-eol.xml                                       |    2 +-
 external/mpl/bind/dist/doc/arm/notes-thankyou.xml                                  |    2 +-
 external/mpl/bind/dist/doc/arm/notes.html                                          |  956 ++++++++-
 external/mpl/bind/dist/doc/arm/notes.pdf                                           |  Bin 
 external/mpl/bind/dist/doc/arm/notes.txt                                           |  430 +++-
 external/mpl/bind/dist/doc/arm/notes.xml                                           |   14 +-
 external/mpl/bind/dist/lib/bind9/api                                               |    2 +-
 external/mpl/bind/dist/lib/dns/api                                                 |    4 +-
 external/mpl/bind/dist/lib/dns/rdata/generic/amtrelay_260.c                        |    8 +-
 external/mpl/bind/dist/lib/dns/rdata/generic/zonemd_63.c                           |    6 +-
 external/mpl/bind/dist/lib/dns/win32/libdns.def.in                                 |    2 +
 external/mpl/bind/dist/lib/isc/api                                                 |    4 +-
 external/mpl/bind/dist/lib/isc/win32/libisc.def.in                                 |    2 +
 external/mpl/bind/dist/lib/isccfg/api                                              |    2 +-
 external/mpl/bind/dist/lib/ns/api                                                  |    6 +-
 external/mpl/bind/dist/lib/ns/win32/libns.def                                      |    2 +
 external/mpl/bind/dist/srcid                                                       |    2 +-
 external/mpl/bind/dist/version                                                     |    2 +-
 external/mpl/bind/dist/win32utils/Configure                                        |    7 -
 114 files changed, 3825 insertions(+), 510 deletions(-)

diffs (truncated from 5855 to 300 lines):

diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/CHANGES
--- a/external/mpl/bind/dist/CHANGES    Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/CHANGES    Sun Nov 24 19:56:50 2019 +0000
@@ -1,8 +1,49 @@
+        --- 9.14.8 released ---
+
+5315.  [bug]           Apply the inital RRSIG expiration spread fixed
+                       to all dynamically created records in the zone
+                       including NSEC3. Also fix the signature clusters
+                       when the server has been offline for prolonged
+                       period of times. [GL #1256]
+
+5314.  [func]          Added a new statistics variable "tcp-highwater"
+                       that reports the maximum number of simultaneous TCP
+                       clients BIND has handled while running. [GL #1206]
+
+5313.  [bug]           The default GeoIP2 database location did not match
+                       the ARM.  'named -V' now reports the default
+                       location. [GL #1301]
+
+5310.  [bug]           TCP failures were affecting EDNS statistics. [GL #1059]
+
+5308.  [bug]           Don't log DNS_R_UNCHANGED from sync_secure_journal()
+                       at ERROR level in receive_secure_serial(). [GL #1288]
+
+5307.  [bug]           Fix hang when named-compilezone output is sent to pipe.
+                       Thanks to Tony Finch. [GL !2481]
+
+5306.  [security]      Set a limit on the number of concurrently served
+                       pipelined TCP queries. (CVE-2019-6477) [GL #1264]
+
+5305.  [bug]           NSEC Aggressive Cache ("synth-from-dnssec") has been
+                       disabled by default because it was found to have
+                       a significant performance impact on the recursive
+                       service. [GL #1265]
+
+5304.  [bug]           "dnskey-sig-validity 0;" was not being accepted.
+                       [GL #876]
+
+5302.  [bug]           Fix checking that "dnstap-output" is defined when
+                       "dnstap" is specified in a view. [GL #1281]
+
+5301.  [bug]           Detect partial prefixes / incomplete IPv4 address in
+                       acls. [GL #1143]
+
        --- 9.14.7 released ---
 
 5299.  [security]      A flaw in DNSSEC verification when transferring
                        mirror zones could allow data to be incorrectly
-                       marked valid. (CVE-2019-6475) [GL #16P]
+                       marked valid. (CVE-2019-6475) [GL #1252]
 
 5298.  [security]      Named could assert if a forwarder returned a
                        referral, rather than resolving the query, when QNAME
@@ -12,6 +53,11 @@
                        is still running before starting a new one; return
                        SERVFAIL and log an error if so. [GL #1191]
 
+5295.  [cleanup]       Split dns_name_copy() calls into dns_name_copy() and
+                       dns_name_copynf() for those calls that can potentially
+                       fail and those that should not fail respectively.
+                       [GL !2265]
+
 5294.  [func]          Fallback to ACE name on output in locale, which does not
                        support converting it to unicode.  [GL #846]
 
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/README
--- a/external/mpl/bind/dist/README     Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/README     Sun Nov 24 19:56:50 2019 +0000
@@ -180,6 +180,11 @@
 BIND 9.14.7 is a maintenance release, and also addresses the security
 vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
 
+BIND 9.14.8
+
+BIND 9.14.8 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2019-6477.
+
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/README.md
--- a/external/mpl/bind/dist/README.md  Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/README.md  Sun Nov 24 19:56:50 2019 +0000
@@ -196,6 +196,11 @@
 BIND 9.14.7 is a maintenance release, and also addresses the security
 vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
 
+#### BIND 9.14.8
+
+BIND 9.14.8 is a maintenance release, and also addresses the security
+vulnerability disclosed in CVE-2019-6477.
+
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/bin/tests/system/autosign/clean.sh
--- a/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh Sun Nov 24 19:56:50 2019 +0000
@@ -39,6 +39,7 @@
 rm -f ns3/inacksk3.example.db
 rm -f ns3/inaczsk2.example.db
 rm -f ns3/inaczsk3.example.db
+rm -f ns3/jitter.nsec3.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in   Sun Nov 24 19:56:50 2019 +0000
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/bin/tests/system/autosign/ns3/keygen.sh
--- a/external/mpl/bind/dist/bin/tests/system/autosign/ns3/keygen.sh    Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns3/keygen.sh    Sun Nov 24 19:56:50 2019 +0000
@@ -53,6 +53,21 @@
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
+#  Jitter/NSEC3 test zone
+#
+setup jitter.nsec3.example
+cp $infile $zonefile
+count=1
+while [ $count -le 100 ]
+do
+    echo "label${count} IN TXT label${count}" >> $zonefile
+    count=`expr $count + 1`
+done
+# Don't create keys just yet, because the scenario we want to test
+# is an unsigned zone that has a NSEC3PARAM record added with
+# dynamic update before the keys are generated.
+
+#
 #  OPTOUT/NSEC3 test zone
 #
 setup optout.nsec3.example
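Review bot: The 100-record TXT loop (`count=1 … done`) is pasted verbatim into this hunk and again into the oldsigs.example hunk below; a small helper defined before the first `setup` call keeps the two copies in step and replaces the per-iteration `expr` subshell with the POSIX `$((…))` arithmetic the rest of the loop already tolerates. The new loop also redirects into an unquoted `$zonefile`; that matches the file's existing style, but new code may as well quote it.
```sh
# Append 100 TXT records to the zone file named by $1 so the zone carries
# enough RRSIGs for the jitter-distribution check added to tests.sh.
add_txt_labels() {
    _zf=$1
    count=1
    while [ $count -le 100 ]
    do
        echo "label${count} IN TXT label${count}" >> "$_zf"
        count=$((count + 1))
    done
}

# … unchanged: earlier zones …
setup jitter.nsec3.example
cp $infile $zonefile
add_txt_labels "$zonefile"
```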
@@ -150,9 +165,16 @@
 #
 setup oldsigs.example
 cp $infile $zonefile
+count=1
+while [ $count -le 100 ]
+do
+    echo "label${count} IN TXT label${count}" >> $zonefile
+    count=`expr $count + 1`
+done
 $KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
 $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
-$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out 2>&1 || dumpit s.out
+mv $zonefile.signed $zonefile
 
 #
 # NSEC3->NSEC transition test zone.
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/bin/tests/system/autosign/ns3/named.conf.in
--- a/external/mpl/bind/dist/bin/tests/system/autosign/ns3/named.conf.in        Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns3/named.conf.in        Sun Nov 24 19:56:50 2019 +0000
@@ -96,6 +96,14 @@
        auto-dnssec maintain;
 };
 
+zone "jitter.nsec3.example" {
+       type master;
+       file "jitter.nsec3.example.db";
+       allow-update { any; };
+       auto-dnssec maintain;
+       sig-validity-interval 10 2;
+};
+
 zone "secure.nsec3.example" {
        type master;
        file "secure.nsec3.example.db";
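Review bot: The `sig-validity-interval 10 2;` line is the only non-default setting in the new zone stanza and carries no comment, and the same line is added to oldsigs.example in the next hunk. As I read the option, the first value is the signature validity in days and the second is how many days before expiry signatures are regenerated; a one-line comment such as `// signatures valid 10 days, regenerated 2 days before expiry` next to each occurrence would tell the next reader why these two zones differ from the others in the file.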
@@ -179,6 +187,7 @@
        file "oldsigs.example.db";
        allow-update { any; };
        auto-dnssec maintain;
+       sig-validity-interval 10 2;
 };
 
 zone "prepub.example" {
diff -r bb1283b3e5a8 -r 7d7c71996b0c external/mpl/bind/dist/bin/tests/system/autosign/tests.sh
--- a/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh Sun Nov 24 16:16:21 2019 +0000
+++ b/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh Sun Nov 24 19:56:50 2019 +0000
@@ -50,6 +50,43 @@
     return 1
 }
 
+# Check the signatures expiration times.  First check how many signatures
+# there are in total ($rrsigs).  Then see what the distribution of signature
+# expiration times is ($expiretimes).  Ignore the time part for a better
+# modelled distribution.
+checkjitter () {
+       _file=$1
+       _ret=0
+
+       cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | cat_i
+       _rrsigs=$(cat $_file | awk '$4 == "RRSIG" {print $4}' | cat_i | wc -l)
+       _expiretimes=$(cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | awk '{print $1}')
+       _count=0
+       _total=0
+       for _num in $_expiretimes
+       do
+               _total=$(($_total + $_num))
+       done
+       # Make sure the total number of numbers matches the number of RRSIGs.
+       test $_total -eq $_rrsigs || _ret=1
+       # Calculate mean: The number of signatures divided over 8 days.
+       _mean=$(($_total / 8))
+       # We expect the number of signatures not to exceed twice the mean.
+       _limit=$(($_mean * 2))
+       # Add an additional margin.
+       _limit=$(($_limit + 10))
+       # Find outliers.
+       for _num in $_expiretimes
+       do
+               if [ $_num -gt $_limit ]; then
+                       echo_i "error: too many RRSIG records ($_num) with the same expiration time"
+                       _ret=1
+               fi
+       done
+
+       return $_ret
+}
+
 #
 #  The NSEC record at the apex of the zone and its RRSIG records are
 #  added as part of the last step in signing a zone.  We wait for the
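Review bot: checkjitter returns success on input that contains no RRSIG records at all: with `_expiretimes` empty, `_total` and `_rrsigs` are both 0, the equality test passes, `_limit` becomes 10 and the outlier loop never runs, so a caller that fetched an unsigned zone or an empty file gets a clean pass. Add `test $_rrsigs -gt 0 || _ret=1` after the total check so the jitter test only passes when signatures were actually examined; the two callers added later in this commit (oldsigs.example and jitter.nsec3.example) would otherwise report success if signing had not happened. The three `cat $_file | awk …` pipelines can read the file directly as `awk '…' "$_file"`, and `_rrsigs` is counted after piping through cat_i, which is presumably a line-prefixing helper; if so the count is unaffected, but piping the awk output straight into `wc -l` removes the dependency.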
@@ -334,6 +371,15 @@
        sleep 1
 done
 n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+# Check jitter distribution.
+echo_i "checking expired signatures were jittered correctly ($n)"
+ret=0
+$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+checkjitter dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
@@ -938,6 +984,36 @@
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
+ret=0
+# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
+$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
+server 10.53.0.3 ${PORT}
+zone jitter.nsec3.example.
+update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
+# Create DNSSEC keys in the zone directory.
+$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
+# Trigger zone signing.
+$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
+# Wait until zone has been signed.
+for i in 0 1 2 3 4 5 6 7 8 9; do
+       failed=0
+       $DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
+       grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
+       [ $failed -eq 0 ] && break
+       echo_i "waiting ... ($i)"
+       sleep 2
+done
+[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
+# Check jitter distribution.
+checkjitter dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
 ret=0
 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
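Review bot: The `$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null` line discards output and ignores the exit status, unlike the `|| dumpit` pattern keygen.sh uses for the same tool; if key generation fails the test learns of it only indirectly through the later NSEC3PARAM and jitter checks. Suggest `$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > keygen.out.test$n 2>&1 || ret=1` (with the new file added to clean.sh) so the failure is attributed and the output kept. The wait loop also treats the presence of NSEC3PARAM in the AXFR as the signal that signing finished; if named publishes NSEC3PARAM before all RRSIGs are in place, checkjitter would run on a partially signed zone, so a `grep "RRSIG" dig.out.ns3.test$n > /dev/null || failed=1` alongside the existing grep would make the condition explicit.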


