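# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named-checkconf.
#
# Every check follows the same pattern: bump the counter $n, announce the
# check with echo_i, run $CHECKCONF against a fixture file in this
# directory, set ret=1 on any unexpected outcome, print "failed" if ret is
# non-zero, and fold ret into $status.  The script exits 1 when $status is
# non-zero, i.e. when at least one check failed.
#
# Provided by ../conf.sh: CHECKCONF (path to named-checkconf) and echo_i
# (indented logging helper).  This runs under plain POSIX sh, so `expr`
# and backticks are kept on purpose.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

n=`expr $n + 1`
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# good.conf.in is everything after the "cut here" marker; the -p output
# (minus the "good.conf.in:" diagnostics) must round-trip to it exactly.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# ensure there is a secret and that it is not the check string.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
# with -x every secret must be replaced by the placeholder string.
$CHECKCONF -p -x good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# Every bad-*.conf must be rejected with exit status 1 and a
# "file:line: " prefixed diagnostic; some fixtures also pin the message.
for bad in bad-*.conf
do
	n=`expr $n + 1`
	echo_i "checking that named-checkconf detects error in $bad ($n)"
	ret=0
	$CHECKCONF $bad > checkconf.out 2>&1
	if [ $? != 1 ]; then ret=1; fi
	grep "^$bad:[0-9]*: " checkconf.out > /dev/null || ret=1
	case $bad in
	bad-update-policy[123].conf)
		pat="identity and name fields are not the same"
		grep "$pat" checkconf.out > /dev/null || ret=1
		;;
	bad-update-policy*.conf)
		pat="name field not set to placeholder value"
		grep "$pat" checkconf.out > /dev/null || ret=1
		;;
	esac
	if [ $ret != 0 ]; then echo_i "failed"; fi
	status=`expr $status + $ret`
done

# Every good-*.conf must be accepted cleanly.
for good in good-*.conf
do
	n=`expr $n + 1`
	echo_i "checking that named-checkconf detects no error in $good ($n)"
	ret=0
	$CHECKCONF $good > /dev/null 2>&1
	if [ $? != 0 ]; then echo_i "failed"; ret=1; fi
	status=`expr $status + $ret`
done

n=`expr $n + 1`
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
warnings=`$CHECKCONF notify.conf 2>&1 | grep "'notify' is disabled" | wc -l`
[ $warnings -eq 3 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'auto-dnssec may only be ' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# this one should have no warnings
$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# A zero value must be rejected (exit status 1) whether the field appears
# in options, in a view, in options next to a view, or in a zone.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
	cat > badzero.conf << EOF
options {
	$field 0;
};
EOF
	$CHECKCONF badzero.conf > /dev/null 2>&1
	[ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
	cat > badzero.conf << EOF
view dummy {
	$field 0;
};
EOF
	$CHECKCONF badzero.conf > /dev/null 2>&1
	[ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
	cat > badzero.conf << EOF
options {
	$field 0;
};
view dummy {
};
EOF
	$CHECKCONF badzero.conf > /dev/null 2>&1
	[ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
	cat > badzero.conf << EOF
zone dummy {
	type slave;
	masters { 0.0.0.0; };
	$field 0;
};
EOF
	$CHECKCONF badzero.conf > /dev/null 2>&1
	[ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking options allowed in inline-signing slaves ($n)"
ret=0
l=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-dnskey-kskonly.*requires inline" | wc -l`
[ $l -eq 1 ] || ret=1
l=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-loadkeys-interval.*requires inline" | wc -l`
[ $l -eq 1 ] || ret=1
l=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "update-check-ksk.*requires inline" | wc -l`
[ $l -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check file + inline-signing for slave zones ($n)"
# ret must be reset here; without it a failure in the previous check
# would be reported (and counted) a second time.
ret=0
l=`$CHECKCONF inline-no.conf 2>&1 | grep "missing 'file' entry" | wc -l`
[ $l -eq 0 ] || ret=1
l=`$CHECKCONF inline-good.conf 2>&1 | grep "missing 'file' entry" | wc -l`
[ $l -eq 0 ] || ret=1
l=`$CHECKCONF inline-bad.conf 2>&1 | grep "missing 'file' entry" | wc -l`
[ $l -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf 2>&1 | grep "'dlz' and 'database'" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking for missing key directory warning ($n)"
ret=0
# absent -> "does not exist"; regular file -> "is not a directory";
# real directory -> no key-directory warning at all.
rm -rf test.keydir
l=`$CHECKCONF warn-keydir.conf 2>&1 | grep "'test.keydir' does not exist" | wc -l`
[ $l -eq 1 ] || ret=1
touch test.keydir
l=`$CHECKCONF warn-keydir.conf 2>&1 | grep "'test.keydir' is not a directory" | wc -l`
[ $l -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
l=`$CHECKCONF warn-keydir.conf 2>&1 | grep "key-directory" | wc -l`
[ $l -eq 0 ] || ret=1
rm -rf test.keydir
if [ $ret != 0 ]; then echo_i "failed"; fi
# This accumulation was missing, so a failure here never affected the
# exit status.
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl.conf > check.out 2>&1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The check-* fixtures below must fail (non-zero exit), emit the expected
# diagnostic, and must NOT report the zone as loaded.
n=`expr $n + 1`
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" checkconf.out$n > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" checkconf.out$n > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that check-mx fails as configured ($n)"
ret=0
# Same fixture as above, but pins the summary line rather than the
# per-record diagnostic.
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" checkconf.out$n > /dev/null || ret=1
# NOTE(review): this greps the check-mx-cname zone name inside the SRV
# check, so the "not loaded" assertion may be vacuous; confirm against
# check-srv-cname-fail.conf whether "check-srv-cname/IN" was intended.
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that named-checkconf -l print out the zone list ($n)"
ret=0
# Drop the "not implemented"/"obsolete" notices so only the zone list is
# compared against the expected good.zonelist.
$CHECKCONF -l good.conf |
grep -v "is not implemented" |
grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dlv.isc.org has been shut down" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
# stdout must be empty: no warning of any kind.
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

# The remaining checks now bump $n like the others so that each gets a
# distinct number and its own checkconf.out$n instead of overwriting the
# previous check's output file.
n=`expr $n + 1`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the 2017 ICANN ROOT KSK alone does not warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

n=`expr $n + 1`
echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trusted-key for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1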