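#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named-checkconf.
#
# Every check bumps $n, resets $ret, sets ret=1 on any failed assertion
# and folds it into $status; a non-zero $status at the end fails the
# whole test.  $CHECKCONF, $FEATURETEST, echo_i and grep_v are provided
# by ../conf.sh.
#
# "set -e" is active: a $CHECKCONF invocation that is neither followed by
# "|| ret=1" / "&& ret=1" nor wrapped in "{ ...; rc=$?; } || true" aborts
# the script if named-checkconf exits non-zero, so such calls must only
# be used where a zero exit status is expected.

set -e

. ../conf.sh

status=0
n=0

mkdir -p keys

n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# good.conf.raw is everything after the "cut here" marker; "-p" must
# print it back verbatim (only "good.conf.raw:" prefixed messages are
# filtered out before the comparison).
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.raw
[ -s good.conf.raw ] || ret=1
$CHECKCONF -p good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
cmp good.conf.raw good.conf.out || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# ensure there is a secret and that it is not the check string.
grep 'secret "' good.conf.raw >/dev/null || ret=1
grep 'secret "????????????????"' good.conf.raw >/dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
# the placeholder must appear ...
grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1
# ... and no secret may survive unredacted: checking only for the
# placeholder would pass even if "-x" obscured just one of several keys.
grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' >/dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

for bad in bad-*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  # capture the exit status without tripping "set -e"
  {
    $CHECKCONF "$bad" >checkconf.out$n 2>&1
    rc=$?
  } || true
  # a configuration error must be reported with exit status 1 exactly
  # (not a crash, not success) and carry a "file:line: " prefix
  if [ $rc -ne 1 ]; then ret=1; fi
  grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1
  # the update-policy fixtures additionally pin the diagnostic text
  case $bad in
    bad-update-policy[123].conf)
      pat="identity and name fields are not the same"
      grep "$pat" <checkconf.out$n >/dev/null || ret=1
      ;;
    bad-update-policy[4589].conf | bad-update-policy1[01].conf)
      pat="name field not set to placeholder value"
      grep "$pat" <checkconf.out$n >/dev/null || ret=1
      ;;
    bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf)
      pat="missing name field type '.*' found"
      grep "$pat" <checkconf.out$n >/dev/null || ret=1
      ;;
  esac
  if [ $ret -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

for good in good-*.conf; do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects no error in $good ($n)"
  ret=0
  # skip fixtures whose features are compiled out of this build
  if ! $FEATURETEST --with-libnghttp2; then
    case $good in
      good-doh-*.conf) continue ;;
      good-dot-*.conf) continue ;;
      good-proxy-*doh*.conf) continue ;;
    esac
  elif ! $FEATURETEST --have-openssl-cipher-suites; then
    case $good in
      good-tls-cipher-suites-*.conf) continue ;;
    esac
  fi
  {
    $CHECKCONF "$good" >checkconf.out$n 2>&1
    rc=$?
  } || true
  if [ $rc -ne 0 ]; then
    echo_i "failed"
    ret=1
  fi
  status=$((status + ret))
done

for lmdb in lmdb-*.conf; do
  n=$((n + 1))
  ret=0

  # the same fixtures must load with LMDB support and be rejected without it
  if $FEATURETEST --with-lmdb; then
    echo_i "checking that named-checkconf detects no error in $lmdb ($n)"
    {
      $CHECKCONF "$lmdb" >checkconf.out$n 2>&1
      rc=$?
    } || true
    if [ $rc -ne 0 ]; then
      echo_i "failed"
      ret=1
    fi
  else
    echo_i "checking that named-checkconf detects error in $lmdb ($n)"
    {
      $CHECKCONF "$lmdb" >checkconf.out$n 2>&1
      rc=$?
    } || true
    if [ $rc -eq 0 ]; then
      echo_i "failed"
      ret=1
    fi
  fi
  status=$((status + ret))
done

n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
# warnings only: a non-zero exit here aborts the script under "set -e"
$CHECKCONF notify.conf >checkconf.out$n 2>&1
warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l)
[ $warnings -eq 3 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# rrset-order 'fixed' is only available when DNS_RDATASET_FIXED was
# defined at build time; the expected diagnostic differs accordingly
if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" >/dev/null 2>&1; then
  test_fixed=true
else
  test_fixed=false
fi

n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1
grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dialup' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if $test_fixed; then
  grep "rrset-order: order 'fixed' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
else
  grep "rrset-order: order 'fixed' was disabled at compilation time" <checkconf.out$n.1 >/dev/null || ret=1
fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# set -i to ignore deprecate warnings: once the compile-time 'fixed'
# notice is filtered out, nothing at all may remain in the output.
ret=0
$CHECKCONF -i deprecated.conf 2>&1 | grep_v "rrset-order: order 'fixed' was disabled at compilation time" >checkconf.out$n.2
# The previous pattern '^.+$' is a literal '+' in a basic regex and only
# matched a two-character line ending in '+', so the assertion never
# fired; '.' matches any non-empty line.
grep '.' <checkconf.out$n.2 >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
ret=0
# stale-refresh-time 0 is explicitly allowed and must not warn ...
$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
ret=0
# ... while a value below the 30 second floor must
$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
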
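n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# each field is tried at options, view, options+view and zone scope;
# named-checkconf must reject a zero value with exit status 1 every time
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
  cat >badzero.conf <<EOF
options {
  $field 0;
};
EOF
  {
    $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1
    rc=$?
  } || true
  [ $rc -eq 1 ] || {
    echo_i "options $field failed"
    ret=1
  }
  cat >badzero.conf <<EOF
view dummy {
  $field 0;
};
EOF
  {
    $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1
    rc=$?
  } || true
  [ $rc -eq 1 ] || {
    echo_i "view $field failed"
    ret=1
  }
  cat >badzero.conf <<EOF
options {
  $field 0;
};
view dummy {
};
EOF
  {
    $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1
    rc=$?
  } || true
  [ $rc -eq 1 ] || {
    echo_i "options + view $field failed"
    ret=1
  }
  cat >badzero.conf <<EOF
zone dummy {
  type secondary;
  primaries { 0.0.0.0; };
  $field 0;
};
EOF
  {
    $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1
    rc=$?
  } || true
  [ $rc -eq 1 ] || {
    echo_i "zone $field failed"
    ret=1
  }
done
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1
l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
# ret was not reset here before, so a failure of the previous check
# would have been counted twice
ret=0
$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1
l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l)
[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1
grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
# three states for key-directory / key-store directory: absent, a plain
# file, and a real directory; only the last must be silent
rm -rf test.keydir
rm -rf test.keystoredir
$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1
l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l)
[ $l -eq 1 ] || ret=1
l=$(grep "'test.keystoredir' does not exist" <checkconf.out$n.1 | wc -l)
[ $l -eq 1 ] || ret=1
touch test.keydir
touch test.keystoredir
$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1
l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
l=$(grep "'test.keystoredir' is not a directory" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
rm -f test.keydir
rm -f test.keystoredir
mkdir test.keydir
mkdir test.keystoredir
$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1
l=$(grep "key-directory" <checkconf.out$n.3 | wc -l)
[ $l -eq 0 ] || ret=1
l=$(grep "key-store directory" <checkconf.out$n.3 | wc -l)
[ $l -eq 0 ] || ret=1
rm -rf test.keydir
rm -rf test.keystoredir
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1
# NOTE(review): the original ran this identical grep three times; if
# three different zones were meant, confirm against max-ttl.conf
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The check-* fixtures below must both report the specific problem and
# refuse to load the zone ("loaded serial" must not appear).
n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1
grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
# same fixture as above, pinning the summary line rather than the
# "near ..." detail
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
# NOTE(review): this looks for the check-mx-cname zone although the
# fixture is check-srv-cname-fail.conf; if that file's zone is named
# check-srv-cname the "loaded serial" guard below can never fire --
# confirm against the fixture before changing the pattern
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
# drop advisory messages so only the zone list is compared with the
# expected good.zonelist
$CHECKCONF -l good.conf \
  | grep -v "is deprecated" \
  | grep -v "is not implemented" \
  | grep -v "is not recommended" \
  | grep -v "no longer exists" \
  | grep -v "is obsolete" >checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n >diff.out$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Root trust anchor sanity checks: a stale 2010 KSK without the 2017
# one, and any static (non-managed) root anchor, must warn; stdout alone
# is captured so an empty file means "no warning".
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "key without the updated" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1
grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
# FIPS builds (no RSASHA1) use a fixture without the RSASHA1 policy and
# therefore expect one diagnostic line fewer
if [ "$RSASHA1_SUPPORTED" = 0 ]; then
  conf=kasp-bad-nsec3-iter-fips.conf
  expect=2
else
  conf=kasp-bad-nsec3-iter.conf
  expect=3
fi
$CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne $expect ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1
if [ "$RSASHA1_SUPPORTED" = 0 ]; then
  grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1
else
  grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1
fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp offline-ksk with csk errors ($n)"
ret=0
$CHECKCONF kasp-bad-offline-ksk.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: csk keys are not allowed when offline-ksk is enabled" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
ret=0
$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" <checkconf.out$n >/dev/null || ret=1
# exactly these two diagnostics and nothing else
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 2 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp key lifetime errors ($n)"
ret=0
$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1
lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" <checkconf.out$n | wc -l) || ret=1
if [ $lines -ne 3 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0
$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp warns about weird policies ($n)"
ret=0
$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1
# NOTE(review): the original repeated the "algorithm 8 ... ZSK role"
# grep twice; given the five expected lines below, an "algorithm 8 ...
# KSK role" check may have been intended -- confirm against
# kasp-warning.conf before adding it
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
# same round-trip as for good.conf: "-p" output must equal the input
# after the "cut here" marker
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1
grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1
grep "not recommended" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1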