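# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named-checkconf.
#
# Each check below runs $CHECKCONF against a fixture configuration in this
# directory, captures its output in checkconf.out$n (or a similarly named
# file), and verifies the exit status and/or the diagnostics produced.  Every
# failed check adds one to $status; the script exits non-zero if any failed.
#
# Requires conf.sh from the system-test tree, which provides:
#   CHECKCONF - path to (and any standard arguments for) named-checkconf
#   echo_i    - print a line of test output
#
# This file must remain POSIX sh (no bashisms): the harness runs it with the
# platform's /bin/sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0   # number of failed checks so far
n=0        # check counter; also numbers the per-check output files

n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# good.conf.in is everything after the "cut here" marker in good.conf;
# -p must reproduce it byte for byte once the "good.conf.in:" prefixed
# diagnostics are filtered out.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# -x must mask key secrets in the printed configuration.  First ensure the
# input really contains a secret and that it is not already the masked
# placeholder, otherwise the final grep below would pass vacuously.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Every bad-*.conf fixture must be rejected with exit status exactly 1 and a
# "file:line: " prefixed diagnostic; the update-policy fixtures are
# additionally checked for the specific message they are meant to trigger.
for bad in bad-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  $CHECKCONF "$bad" > checkconf.out$n 2>&1
  if [ $? != 1 ]; then ret=1; fi
  grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
  case $bad in
  bad-update-policy[123].conf)
    pat="identity and name fields are not the same"
    grep "$pat" < checkconf.out$n > /dev/null || ret=1
    ;;
  bad-update-policy[4589].conf|bad-update-policy1[01].conf)
    pat="name field not set to placeholder value"
    grep "$pat" < checkconf.out$n > /dev/null || ret=1
    ;;
  bad-update-policy[67].conf|bad-update-policy1[2345].conf)
    pat="missing name field type '.*' found"
    grep "$pat" < checkconf.out$n > /dev/null || ret=1
    ;;
  esac
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

# Every good-*.conf fixture must be accepted.
for good in good-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects no error in $good ($n)"
  ret=0
  $CHECKCONF "$good" > checkconf.out$n 2>&1
  if [ $? != 0 ]; then echo_i "failed"; ret=1; fi
  status=$((status + ret))
done

n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
$CHECKCONF notify.conf > checkconf.out$n 2>&1
# notify.conf is expected to trigger exactly three of these warnings.
warnings=$(grep -c "'notify' is disabled" < checkconf.out$n)
[ $warnings -eq 3 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep 'validation yes.*enable no' < checkconf.out$n.1 > /dev/null || ret=1
# dnssec.2 is expected to produce all three of the following warnings.
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1
$CHECKCONF dnssec.2 > checkconf.out$n.3 2>&1
grep 'validation auto.*enable no' < checkconf.out$n.3 > /dev/null || ret=1
$CHECKCONF dnssec.2 > checkconf.out$n.4 2>&1
grep 'validation yes.*enable no' < checkconf.out$n.4 > /dev/null || ret=1
# this one should have no warnings at all (any output is a failure)
$CHECKCONF dnssec.3 > checkconf.out$n.5 2>&1
grep '.*' < checkconf.out$n.5 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# Each field is tried in options, in a view, in options alongside an empty
# view, and in a zone; named-checkconf must reject the zero value with exit
# status 1 in every placement.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
  cat > badzero.conf << EOF
options {
	$field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1
  [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
  cat > badzero.conf << EOF
view dummy {
	$field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1
  [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
  cat > badzero.conf << EOF
options {
	$field 0;
};
view dummy {
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1
  [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
  cat > badzero.conf << EOF
zone dummy {
	type slave;
	masters { 0.0.0.0; };
	$field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1
  [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking options allowed in inline-signing slaves ($n)"
ret=0
# Each of these options must be reported exactly once as requiring
# inline-signing.
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1
l=$(grep -c "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1)
[ $l -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1
l=$(grep -c "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2)
[ $l -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1
l=$(grep -c "update-check-ksk.*requires inline" < checkconf.out$n.3)
[ $l -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check file + inline-signing for slave zones ($n)"
# ret must be reset here; without it a failure in the preceding check would
# be counted against this one as well.
ret=0
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.1)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.2)
[ $l -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.3)
[ $l -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
# Exercise the three states of key-directory: absent, present but not a
# directory, and a real directory (which must produce no key-directory
# diagnostic at all).
rm -rf test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep -c "'test.keydir' does not exist" < checkconf.out$n.1)
[ $l -eq 1 ] || ret=1
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep -c "'test.keydir' is not a directory" < checkconf.out$n.2)
[ $l -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep -c "key-directory" < checkconf.out$n.3)
[ $l -eq 0 ] || ret=1
rm -rf test.keydir
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for trusted-key/managed-key collision warning ($n)"
ret=0
# Configuring the same key as both a static trusted-key and a managed-key
# (or implicitly via validation auto) prevents RFC 5011 rollovers.
$CHECKCONF warn-duplicate-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
$CHECKCONF warn-duplicate-root-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
$CHECKCONF warn-validation-auto-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl.conf > check.out 2>&1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The check-* fixtures below set the corresponding check-* option to "fail";
# the zone must be rejected with the expected message and must not load.
n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Second check-mx run: looks for the summary "failed:" form of the message
# rather than the per-record "near" form checked above.
n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
# NOTE(review): this greps for the check-mx-cname zone, not a check-srv-cname
# one; if the fixture's zone is named differently this "did not load" check
# passes vacuously — confirm against check-srv-cname-fail.conf.
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -l print out the zone list ($n)"
ret=0
# Deprecation/obsolescence warnings from good.conf are filtered so that only
# the zone list itself is compared against good.zonelist.
$CHECKCONF -l good.conf |
grep -v "is not implemented" |
grep -v "no longer exists" |
grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Root trust-anchor checks: a configuration that still carries only the 2010
# root KSK would lose validation after the 2017 rollover, so it must warn;
# configurations that include the 2017 key must be silent.
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trusted-key for root from 2010 without updated" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The remaining checks each get their own number so that their output files
# do not overwrite one another and failures are attributable.
n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "trusted-key for dlv.isc.org still present" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1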