# #-- ede.test --#
# source the master var file when it's there
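[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test

# The resolver port is supplied by the sourced var files; fail loudly here
# rather than letting dig fall back to port 53 and query some other server.
: "${UNBOUND_PORT:?UNBOUND_PORT not set (expected from the .tpkg.var files)}"

# Query the local unbound and keep the full dig output for inspection.
# Arguments: $1 - output file, $2 - query name, $3.. - extra dig options
query() {
	local outfile="$1" qname="$2"
	shift 2
	dig @127.0.0.1 -p "$UNBOUND_PORT" "$qname" "$@" > "$outfile"
}

# Assert that a stored dig output carries the Extended DNS Error (EDE,
# RFC 8914) option with the given code. Recent dig versions decode the option
# as "EDE: <dec>"; older ones print the raw OPT record as "OPT=15: 00 <hex>",
# so both spellings are accepted. On a mismatch the complete dig output is
# dumped for diagnosis and the test exits with failure.
# Arguments: $1 - dig output file, $2 - EDE code (decimal),
#            $3 - EDE code (two hex digits), $4 - message printed on failure
expect_ede() {
	local outfile="$1" dec="$2" hex="$3" msg="$4"
	if ! grep -q -e "OPT=15: 00 ${hex}" -e "EDE: ${dec}" "$outfile"
	then
		echo "$msg"
		cat "$outfile"
		exit 1
	fi
}

# DNSSEC failure: Signature Expired or DNSKEY Missing (depending on the servfail configuration)
# NOTE(review): this query is only issued to exercise the validator; its output
# is not asserted because the expected EDE code depends on the configuration.
query servfail.txt servfail.nl

# DNSSEC failure: key not incepted -> EDE 8 (Signature Not Yet Valid)
query sig_notyetincepted.txt notyetincepted.dnssec-failures.test. TXT +dnssec
expect_ede sig_notyetincepted.txt 8 08 \
	"Signature not yet valid does not return EDE Signature Not Yet Valid"

# DNSSEC failure: key expired -> EDE 7 (Signature Expired)
query sig_expired.txt expired.dnssec-failures.test. TXT +dnssec
expect_ede sig_expired.txt 7 07 \
	"Expired signature does not return EDE Signature expired"

# DNSSEC failure: missing rrsigs -> EDE 10 (RRSIGs Missing)
query missingrrsigs.txt missingrrsigs.dnssec-failures.test. TXT +dnssec
expect_ede missingrrsigs.txt 10 0a \
	"Missing RRSIGs do not return EDE RRSIGs missing"

# signed zone with DNSKEY missing -> EDE 9 (DNSKEY Missing).
# No +dnssec here: the EDE must be attached even when the client did not set DO.
query dnskey-failure.txt dnskey-failures.test
expect_ede dnskey-failure.txt 9 09 \
	"Missing DNSKEY does not return EDE DNSKEY missing"

# signed zone with RRSIGs missing -> EDE 10 (RRSIGs Missing), again without DO
query rrsig-failure.txt rrsig-failures.test
expect_ede rrsig-failure.txt 10 0a \
	"Missing RRSIGs do not return EDE RRSIGs missing"

# signed zone with NSEC missing -> EDE 12 (NSEC Missing)
query nsec-failure.txt abc.nsec-failures.test
expect_ede nsec-failure.txt 12 0c \
	"Missing NSEC does not return EDE NSEC missing"

# EDE with CD bit set (EDE but no SERVFAIL).
# With Checking Disabled the resolver must hand back the (bogus) answer instead
# of SERVFAIL, but it should still attach EDE 9 so the client can tell that
# validation would have failed. The second call repeats the query so the
# answer is served from cache; the EDE has to survive caching as well.
# Arguments: $1 - suffix appended to failure messages ("" or " for cached answer")
check_cd_bit_ede() {
	local suffix="$1"
	query cd_bit_ede.txt cd.dnskey-failures.test +cd
	if ! grep -q -e "NXDOMAIN" cd_bit_ede.txt
	then
		echo "No NXDOMAIN reply with CD bit set${suffix}"
		cat cd_bit_ede.txt
		exit 1
	fi
	expect_ede cd_bit_ede.txt 9 09 "No EDE attached with CD bit set${suffix}"
}

check_cd_bit_ede ""
# EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
# Same test as above
check_cd_bit_ede " for cached answer"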
# TODO DNSSEC indeterminate when implemented
