3541. [bug] The parts if libdns was not being properly initialized

in when built in libexport mode. [RT #33028]
2013-04-03 17:27:40 +11:00
parent 8c460e0159
commit 8013077aa7
14 changed files with 396 additions and 21 deletions
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -31,6 +31,7 @@ rm -f ns2/single-nsec3.db
 rm -f ns2/nsec3chain-test.db
 rm -f */example.bk
 rm -f dig.out.*
+rm -f sample.out*
 rm -f random.data
 rm -f ns2/dlv.db
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -73,3 +73,8 @@ cp managed.conf ../ns4/managed.conf
 keyid=`expr $keyname : 'K.+001+\(.*\)'`
 keyid=`expr $keyid + 0`
 echo "$keyid" > managed.key.id
+cat $keyname.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print "-a $alg -e -k $dn -K $key\n"
+' > sample.key
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -28,6 +28,7 @@ n=1
 rm -f dig.out.*

 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+SAMPLEKEY=`cat ns1/sample.key`

 # convert private-type records to readable form
 showprivate () {
@@ -133,6 +134,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking postive validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.example > sample.out$n || ret=1
+   grep "a.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.example..*.RRSIG.A 3 2 300 .*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -145,6 +157,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.nsec3.example > sample.out$n || ret=1
+   grep "a.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -157,6 +180,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.optout.example > sample.out$n || ret=1
+   grep "a.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -168,6 +202,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.example > sample.out$n || ret=1
+   grep "a.wild.example..*10.0.0.27" sample.out$n > /dev/null || ret=1
+   grep "a.wild.example..*RRSIG.A 3 2 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -179,9 +224,9 @@ status=`expr $status + $ret`

 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
-$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -197,6 +242,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.nsec3.example > sample.out$n || ret=1
+   grep "a.wild.nsec3.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.optout.example. \
@@ -210,6 +266,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.optout.example > sample.out$n || ret=1
+   grep "a.wild.optout.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -221,6 +288,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.nsec3.example. \
@@ -234,6 +311,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.optout.example. \
@@ -248,6 +335,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -260,6 +357,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -274,6 +381,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -288,6 +405,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -299,6 +426,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
@@ -309,6 +446,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.optout.example. \
@@ -323,6 +470,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.optout.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Check the insecure.example domain

 echo "I:checking 1-server insecurity proof NSEC ($n)"
@@ -337,6 +494,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.example > sample.out$n || ret=1
+   grep "a.insecure.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -349,6 +516,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.nsec3.example > sample.out$n || ret=1
+   grep "a.insecure.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -361,6 +538,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.optout.example > sample.out$n || ret=1
+   grep "a.insecure.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
@@ -375,6 +562,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
@@ -389,6 +586,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
@@ -403,6 +610,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
 ret=0
 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
@@ -590,6 +807,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking failed validation using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.bogus.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: no valid RRSIG" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Try validating with a bad trusted key.
 # This should fail.

@@ -625,6 +852,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking that validation fails when key record is missing using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.b.keyless.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: broken trust chain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
 ret=0
 #prime
@@ -1814,7 +2051,7 @@ echo "I:testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
        > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -1824,7 +2061,7 @@ echo "I:testing that we lower case signer name ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
        > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi