Merge pull request #620 from srvrco/test-root-servers

Fix dig SOA lookup

getssl

@@ -247,11 +247,12 @@
 # 2020-12-18 Wrong SANS when domain contains a minus character (atisne)
 # 2020-12-22 Fixes to get_auth_dns
 # 2020-12-22 Check that dig doesn't return an error (#611)(2.32)
+# 2020-12-29 Fix dig SOA lookup (#617)(2.33)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.32"
+VERSION="2.33"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -1310,11 +1311,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
       if [[ "$HAS_DIG_OR_DRILL" == "dig" ]]; then
         debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver
         test_output "Using $HAS_DIG_OR_DRILL SOA"
-        res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
+        res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W")
       else
         debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" to find primary nameserver
         test_output "Using $HAS_DIG_OR_DRILL SOA"
-        res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
+        res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W")
       fi
     fi
 
@@ -1324,12 +1325,12 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
 
       # Two options here; either dig CNAME will return the CNAME and the NS or just the CNAME
       debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d $gad_s"
-      res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep "^$gad_d")
+      res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" $gad_s| grep "^$gad_d")
       cname=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
 
       if [[ $_TEST_SKIP_CNAME_CALL == 0 ]]; then
         debug Checking if CNAME result contains NS records
-        res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep -E "IN\W(NS|SOA)\W")
+        res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" $gad_s| grep -E "IN\W(NS|SOA)\W")
       else
         res=""
       fi
@@ -1385,7 +1386,8 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
     if [[ -z "$gad_s" ]]; then
       res=$(host -t NS "$gad_d"| grep "name server")
     else
-      res=$(host -t NS "$gad_d" "$gad_s"| grep "name server")
+      # shellcheck disable=SC2086
+      res=$(host -t NS "$gad_d" $gad_s| grep "name server")
     fi
     if [[ -n "$res" ]]; then
       all_auth_dns_servers=$(echo "$res" | awk '{print $4}' | sed 's/\.$//g'|tr '\n' ' ')

test/u2-test-get_auth_dns-drill.bats

@@ -31,19 +31,6 @@ teardown() {
 }
 
 
-teardown() {
-    if [ -f /usr/bin/host.getssl.bak ]; then
-        mv /usr/bin/host.getssl.bak /usr/bin/host
-    fi
-    if [ -f /usr/bin/nslookup.getssl.bak ]; then
-        mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
-    fi
-    if [ -f /usr/bin/dig.getssl.bak ]; then
-        mv /usr/bin/dig.getssl.bak /usr/bin/dig
-    fi
-}
-
-
 @test "Check get_auth_dns using drill NS" {
     if [ ! -f /usr/bin/drill ]; then
         # Can't find drill package for centos8

test/u5-test-get_auth_dns-no-root-servers.bats

@@ -0,0 +1,96 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    cp /etc/resolv.conf /etc/resolv.conf.getssl
+    cat <<- EOF > /etc/resolv.conf
+nameserver 8.8.8.8
+options ndots:0
+EOF
+
+    for app in drill host nslookup
+    do
+        if [ -f /usr/bin/${app} ]; then
+            mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+        fi
+    done
+
+    . /getssl/getssl --source
+    find_dns_utils
+    _RUNNING_TEST=1
+    _USE_DEBUG=0
+}
+
+
+teardown() {
+    cat /etc/resolv.conf.getssl > /etc/resolv.conf
+    for app in drill host nslookup
+    do
+        if [ -f /usr/bin/${app}.getssl.bak ]; then
+            mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+        fi
+    done
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (dig NS)" {
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    #   Verifying example.com
+    #   checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    #   ... (retried until max attempts then failed)
+
+    # Disable SOA and CNAME check
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=1
+
+    PUBLIC_DNS_SERVER=
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use dig NS
+    assert_line --partial 'Using dig NS'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'root-servers.net'
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (dig SOA)" {
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    #   Verifying example.com
+    #   checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    #   ... (retried until max attempts then failed)
+
+    # Disable CNAME check, ensure SOA check is enabled
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=0
+
+    PUBLIC_DNS_SERVER=
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use dig SOA
+    assert_line --partial 'Using dig SOA'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'root-servers.net'
+}