      1 #!/bin/sh
      2 
      3 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      4 #
      5 # SPDX-License-Identifier: MPL-2.0
      6 #
      7 # This Source Code Form is subject to the terms of the Mozilla Public
      8 # License, v. 2.0.  If a copy of the MPL was not distributed with this
      9 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
     10 #
     11 # See the COPYRIGHT file distributed with this work for additional
     12 # information regarding copyright ownership.
     13 
     14 SYSTEMTESTTOP=..
     15 . $SYSTEMTESTTOP/conf.sh
     16 
# Running tally of failed checks; the script exits non-zero at the end if
# it is not 0.  $n numbers the checks and their checkconf.out$n files.
status=0
n=0

# Scratch directory, presumably referenced (e.g. as a key directory) by one
# of the test configurations; removed again at the end of the script.
mkdir keys

n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
if ! $CHECKCONF good.conf > checkconf.out$n 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
     28 
n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# Everything after the "cut here" marker in good.conf is the canonical form
# that 'named-checkconf -p' is expected to reproduce byte for byte.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in  > checkconf.out$n || ret=1
# Drop the "good.conf.in:<line>: ..." diagnostics before comparing.
if ! grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1; then
    ret=1
fi
cmp good.conf.in good.conf.out || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
     39 
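n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# Precondition: the input really contains at least one secret, and none of
# them already equals the redaction placeholder (otherwise the checks below
# would pass vacuously).
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
# The placeholder must appear in the redacted output ...
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
# ... and no 'secret "..."' statement may survive with anything other than
# the placeholder.  The original only checked that the placeholder appeared
# somewhere, which would not notice a single key left unredacted; -x output
# is what people paste into tickets, so one leaked TSIG/rndc secret matters.
grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' > /dev/null 2>&1 && ret=1
# -x must redact, not drop, statements: the number of secret statements in
# the input and in the redacted output must match (the -p output format is
# known to be byte-identical to good.conf.in from the previous check).
[ "$(grep -c 'secret "' good.conf.in)" -eq "$(grep -c 'secret "' good.conf.out)" ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))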
     51 
# Every bad-*.conf must be rejected with exit status exactly 1 and at least
# one "<file>:<line>: " diagnostic.  The update-policy cases must in
# addition produce a specific message.
for bad in bad-*.conf
do
    n=$((n + 1))
    echo_i "checking that named-checkconf detects error in $bad ($n)"
    ret=0
    $CHECKCONF $bad > checkconf.out$n 2>&1
    [ $? -eq 1 ] || ret=1
    grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
    pat=
    case $bad in
    bad-update-policy[123].conf)
        pat="identity and name fields are not the same" ;;
    bad-update-policy[4589].conf|bad-update-policy1[01].conf)
        pat="name field not set to placeholder value" ;;
    bad-update-policy[67].conf|bad-update-policy1[2345].conf)
        pat="missing name field type '.*' found" ;;
    esac
    if [ -n "$pat" ]; then
        grep "$pat" < checkconf.out$n > /dev/null || ret=1
    fi
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done
     77 
# Every good-*.conf must be accepted (exit status 0).
for good in good-*.conf
do
    n=$((n + 1))
    echo_i "checking that named-checkconf detects no error in $good ($n)"
    ret=0
    if ! $CHECKCONF $good > checkconf.out$n 2>&1; then
        echo_i "failed"
        ret=1
    fi
    status=$((status + ret))
done
     87 
n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
# Options that were removed long ago must be a hard error, not a warning.
if $CHECKCONF ancient.conf > ancient.out 2>&1; then
    ret=1
fi
grep -q "no longer exists" ancient.out || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
# With -z the root hints file is actually opened, so a missing one is fatal.
if $CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1; then
    ret=1
fi
grep -q "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
if $CHECKCONF range.conf > checkconf.out$n 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    110 
n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
$CHECKCONF notify.conf > checkconf.out$n 2>&1
# notify.conf is expected to trigger exactly three of these warnings.
warnings=$(grep -c "'notify' is disabled" checkconf.out$n)
[ "$warnings" -eq 3 ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    119 
n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
# dnssec.1: 'dnssec-enable' is obsolete and must be flagged as such.
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep -q "'dnssec-enable' is obsolete and should be removed" checkconf.out$n.1 || ret=1
# dnssec.2: a misplaced 'auto-dnssec' must be warned about.
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep -q 'auto-dnssec may only be ' checkconf.out$n.2 || ret=1
# dnssec.3: the deprecation warning must be the *only* line of output.
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
grep -q "option 'auto-dnssec' is deprecated" checkconf.out$n.3 || ret=1
lines=$(wc -l < "checkconf.out$n.3")
[ $lines -eq 1 ] || ret=1
# dnssec.4: the deprecation warning must name the release it is removed in.
$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1
grep -q "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" checkconf.out$n.4 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    139 
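n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
# Each deprecated construct in deprecated.conf must produce its own warning.
grep -q "option 'managed-keys' is deprecated" checkconf.out$n.1 || ret=1
grep -q "option 'trusted-keys' is deprecated" checkconf.out$n.1 || ret=1
grep -q "option 'dscp' is deprecated" checkconf.out$n.1 || ret=1
grep -q "token 'dscp' is deprecated" checkconf.out$n.1 || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# With -i the deprecation warnings are suppressed, so the output must be
# completely empty.  ret is reset here: the original did not, so a failure
# of the sub-check above was reported and counted a second time.
ret=0
$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
[ -s checkconf.out$n.2 ] && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))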
    155 
n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
stale_msg="'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher"
# 0 disables stale-refresh-time and must not draw the warning ...
ret=0
$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
grep -q "$stale_msg" checkconf.out$n.1 && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
# ... while a value below the 30 second minimum must.
ret=0
$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
grep -q "$stale_msg" checkconf.out$n.1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    168 
n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# Runs named-checkconf on badzero.conf and expects it to be rejected with
# exit status exactly 1.  $1 is the label for the failure message, $2 the
# suffix of the output file.  Sets ret=1 on failure.
expect_badzero_rejected() {
    $CHECKCONF badzero.conf > checkconf.out$n.$2 2>&1
    [ $? -eq 1 ] || { echo_i "$1 failed" ; ret=1; }
}
# A value of 0 for these timers must be rejected wherever the option can
# appear: options, view, options next to a view, and a secondary zone.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
    cat > badzero.conf << EOF
options {
    $field 0;
};
EOF
    expect_badzero_rejected "options $field" 1
    cat > badzero.conf << EOF
view dummy {
    $field 0;
};
EOF
    expect_badzero_rejected "view $field" 2
    cat > badzero.conf << EOF
options {
    $field 0;
};
view dummy {
};
EOF
    expect_badzero_rejected "options + view $field" 3
    cat > badzero.conf << EOF
zone dummy {
    type secondary;
    primaries { 0.0.0.0; };
    $field 0;
};
EOF
    expect_badzero_rejected "zone $field" 4
done
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    208 
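n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
# bad-dnssec.conf sets several signing-related options on a secondary zone
# without inline-signing; each must be reported exactly once.  A single run
# of named-checkconf serves all three checks (the original ran the same
# command three times into three separate output files).
$CHECKCONF bad-dnssec.conf > checkconf.out$n 2>&1
for opt in dnssec-dnskey-kskonly dnssec-loadkeys-interval update-check-ksk; do
    l=$(grep -c "$opt.*requires inline" checkconf.out$n)
    [ "$l" -eq 1 ] || ret=1
done
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))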
    223 
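n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
# ret was not reset here in the original, so a failure of the previous
# check was carried into (and counted again by) this one.
ret=0
# inline-no.conf / inline-good.conf: no complaint about a missing 'file'.
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.1)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.2)
[ "$l" -eq 0 ] || ret=1
# inline-bad.conf: an inline-signing secondary without 'file' must be
# reported exactly once.
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))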
    237 
n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
# dlz-bad.conf must provoke the diagnostic that names both 'dlz' and
# 'database'.
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
grep -q "'dlz' and 'database'" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    245 
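n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
# key-directory pointing at a path that does not exist ...
rm -rf test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep -c "'test.keydir' does not exist" checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
# ... or at something that is not a directory must be warned about once ...
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep -c "'test.keydir' is not a directory" checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
# ... and a real directory must not produce any key-directory message.
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep -c "key-directory" checkconf.out$n.3)
[ "$l" -eq 0 ] || ret=1
rm -rf test.keydir
if [ $ret -ne 0 ]; then echo_i "failed"; fi
# The original never added ret to status for this check, so a failure was
# printed but did not affect the script's exit status.
status=$((status + ret))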
    264 
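n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
# Output goes to checkconf.out$n like every other check (the original wrote
# to check.out).  Only the diagnostic is checked here, not the exit status.
$CHECKCONF -z max-ttl.conf > checkconf.out$n 2>&1
# NOTE(review): the original repeated this identical grep three times, which
# adds nothing.  If three distinct zones or records were meant to be covered,
# the patterns need to differ (e.g. include the owner name).
grep -q 'TTL 900 exceeds configured max-zone-ttl 600' checkconf.out$n 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))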
    274 
n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
if $CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Zones backed by an alternate database or by DLZ have no master file for
# -z to load, so these configurations must be accepted as a whole.
n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    295 
# With -z, a view of class ANY (spelled either way) must be rejected ...
for conf in view-class-any1.conf view-class-any2.conf; do
    case $conf in
    view-class-any1.conf) cls=ANY ;;
    *) cls=CLASS255 ;;
    esac
    n=$((n + 1))
    echo_i "checking that named-checkconf -z fails on view with $cls class ($n)"
    ret=0
    if $CHECKCONF -z $conf > checkconf.out$n 2>&1; then
        ret=1
    fi
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done

# ... while class IN (spelled either way) must be accepted.
for conf in view-class-in1.conf view-class-in2.conf; do
    case $conf in
    view-class-in1.conf) cls=IN ;;
    *) cls=CLASS1 ;;
    esac
    n=$((n + 1))
    echo_i "checking that named-checkconf -z passes on view with $cls class ($n)"
    ret=0
    $CHECKCONF -z $conf > checkconf.out$n 2>&1 || ret=1
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done
    323 
# $1: configuration, $2: expected diagnostic, $3: zone name.  With -z the
# configuration must be rejected (non-zero exit status), the diagnostic must
# be present and the zone must not report "loaded serial".  Sets ret=1 on
# any deviation.
expect_zone_rejected() {
    $CHECKCONF -z "$1" > checkconf.out$n 2>&1 && ret=1
    grep -q "$2" checkconf.out$n || ret=1
    grep -q "zone $3/IN: loaded serial" checkconf.out$n && ret=1
}

n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
expect_zone_rejected check-names-fail.conf "near '_underscore': bad name (check-names)" check-names
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
expect_zone_rejected check-mx-fail.conf "near '10.0.0.1': MX is an address" check-mx
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
expect_zone_rejected check-dup-records-fail.conf "has semantically identical records" check-dup-records
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    350 
n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
# Same configuration as the earlier check-mx case, here matching the
# "failed:" form of the diagnostic.
if $CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1; then
    ret=1
fi
grep -q "failed: MX is an address" checkconf.out$n || ret=1
if grep -q "zone check-mx/IN: loaded serial" checkconf.out$n; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
# An MX target that is a CNAME must fail the zone load when check-mx-cname
# is set to fail.
if $CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1; then
    ret=1
fi
grep -q "MX.* is a CNAME (illegal)" checkconf.out$n || ret=1
if grep -q "zone check-mx-cname/IN: loaded serial" checkconf.out$n; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    368 
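n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "SRV.* is a CNAME (illegal)" checkconf.out$n || ret=1
# The original looked for "zone check-mx-cname/IN: loaded serial" here, a
# copy-paste leftover from the check-mx-cname test; as that zone is
# presumably not part of this configuration, the "zone must not load"
# assertion could never fire.  The zone name below follows the naming of
# the other check-*-fail.conf files; confirm against
# check-srv-cname-fail.conf if this check starts failing.
grep -q "zone check-srv-cname/IN: loaded serial" checkconf.out$n && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))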
    377 
n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
# The canonical form of a port range is "range <low> <high>;".
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "range 8610 8614;" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
# The zone shared via in-view must be loaded rather than rejected.
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "zone shared.example/IN: loaded serial" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    393 
n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
# A zone-load failure in an earlier view must not be masked by a later view
# that checks out fine: the overall exit status has to be non-zero.
if $CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "max-cache-size 60%;" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    408 
n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
# Strip the deprecation/obsolescence chatter that good.conf provokes so that
# only the zone list itself is compared against good.zonelist.  Note that
# only grep's exit status is observed here, not named-checkconf's.
$CHECKCONF -l good.conf |
grep -v -e "is deprecated" \
        -e "is not implemented" \
        -e "is not recommended" \
        -e "no longer exists" \
        -e "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    421 
# Every form of 'dnssec-lookaside' must be reported as obsolete, but must
# not be a fatal error.  stderr is discarded so only stdout is checked.
for conf in warn-dlv-auto.conf warn-dlv-dlv.isc.org.conf warn-dlv-dlv.example.com.conf; do
    case $conf in
    warn-dlv-auto.conf) stmt="dnssec-lookaside auto;" ;;
    warn-dlv-dlv.isc.org.conf) stmt="dnssec-lookaside . trust-anchor dlv.isc.org;" ;;
    *) stmt="dnssec-lookaside . trust-anchor dlv.example.com;" ;;
    esac
    n=$((n + 1))
    echo_i "check that '$stmt' generates a warning ($n)"
    ret=0
    $CHECKCONF $conf > checkconf.out$n 2>/dev/null || ret=1
    grep -q "option 'dnssec-lookaside' is obsolete and should be removed" checkconf.out$n || ret=1
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done
    445 
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
# Configuring only the superseded 2010 root KSK must warn (on stdout; stderr
# is discarded) without being fatal.
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep -q "key without the updated" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Any configuration that includes the 2017 KSK must produce no output at all.
for conf in check-root-ksk-both.conf check-root-ksk-2017.conf; do
    n=$((n + 1))
    case $conf in
    check-root-ksk-both.conf)
        echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ;;
    *)
        echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ;;
    esac
    ret=0
    $CHECKCONF $conf > checkconf.out$n 2>/dev/null || ret=1
    if [ -s checkconf.out$n ]; then
        ret=1
    fi
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done
    470 
# Static (non-managed) trust anchors for the root zone: named-checkconf
# reports each form as one that "WILL FAIL" (presumably at the next root
# KSK rollover), and the configuration must still be accepted.  Only
# stdout is checked.
for conf in check-root-static-key.conf check-root-static-ds.conf check-root-trusted-key.conf; do
    n=$((n + 1))
    case $conf in
    check-root-static-key.conf)
        echo_i "check that a static root key generates a warning ($n)"
        msg="static entry for the root zone WILL FAIL" ;;
    check-root-static-ds.conf)
        echo_i "check that a static root DS trust anchor generates a warning ($n)"
        msg="static entry for the root zone WILL FAIL" ;;
    *)
        echo_i "check that a trusted-keys entry for root generates a warning ($n)"
        msg="trusted-keys entry for the root zone WILL FAIL" ;;
    esac
    ret=0
    $CHECKCONF $conf > checkconf.out$n 2>/dev/null || ret=1
    grep -q "$msg" checkconf.out$n || ret=1
    [ $ret -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done
    494 
n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
# Mixing the trust-anchors statement with legacy managed-keys is fatal.
if $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null; then
    ret=1
fi
grep -q "use of managed-keys is not allowed" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep -q "'geoip-use-ecs' is obsolete" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    511 
n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
# A zone using dnssec-policy must not also carry the legacy per-option
# DNSSEC settings; the configuration is rejected and each conflicting
# option must produce its own diagnostic.
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
while IFS= read -r expected; do
    grep -q "$expected" checkconf.out$n || ret=1
done << 'EOF'
'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'
'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set
dnskey-sig-validity: cannot be configured if dnssec-policy is also set
dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set
dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set
dnssec-update-mode: cannot be configured if dnssec-policy is also set
sig-validity-interval: cannot be configured if dnssec-policy is also set
update-check-ksk: cannot be configured if dnssec-policy is also set
EOF
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    526 
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
if $CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1; then
    ret=1
fi
grep -q "dnssec-policy: nsec3 iterations value 151 out of range" checkconf.out$n || ret=1
# The out-of-range error is expected to come with exactly two more lines
# of output (three in total).
lines=$(wc -l < "checkconf.out$n")
[ $lines -eq 3 ] || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
# NSEC3 is not permitted together with RSASHA1 in a dnssec-policy.
if $CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1; then
    ret=1
fi
grep -q "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
if $CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1; then
    ret=1
fi
grep -q "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    552 
n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0
# A length given for an algorithm with a fixed key size is ignored with a
# warning rather than rejected: the configuration must still be accepted.
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep -q "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    567 
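n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
# As for good.conf: the part of good-kasp.conf after "cut here" is the
# canonical form that 'named-checkconf -p' must reproduce exactly.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
# Run named-checkconf and filter in two steps so that its own exit status is
# checked (the original piped straight into grep, so only grep's status was
# visible), matching how the good.conf variant of this check is written.
$CHECKCONF -p good-kasp.conf.in > checkconf.out$n || ret=1
grep -v '^good-kasp.conf.in:' < checkconf.out$n > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))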
    577 
n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "exceeds 100%" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
# transfer-source, notify-source and parental-source with an explicit port
# must each draw a "not recommended" warning; all three runs share one
# output file, each overwriting the previous one.
for conf in warn-transfer-source.conf warn-notify-source.conf warn-parental-source.conf; do
    $CHECKCONF $conf > checkconf.out$n 2>/dev/null || ret=1
    grep -q "not recommended" checkconf.out$n || ret=1
done
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
ret=0
$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    605 
n=$((n + 1))
echo_i "check that masterfile-format map generates deprecation warning ($n)"
ret=0
$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "is deprecated" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)"
ret=0
# Both still-supported formats must be accepted without a deprecation
# warning; both runs share one output file.
for conf in good-masterfile-format-text.conf good-masterfile-format-raw.conf; do
    $CHECKCONF $conf > checkconf.out$n 2>/dev/null || ret=1
    if grep -q "is deprecated" checkconf.out$n; then
        ret=1
    fi
done
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    623 
wildcard_msg="warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard"

n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
# With check-wildcard disabled the non-terminal wildcard must not be reported.
$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
if grep -q -F "$wildcard_msg" checkconf.out$n; then
    ret=1
fi
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
ret=0
# With check-wildcard enabled the same zone must produce the warning while
# still being accepted (exit status 0).
$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
grep -q -F "$wildcard_msg" checkconf.out$n || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
    639 
# Remove the scratch directory created at the top of the script.
rmdir keys

# A non-zero tally of failed checks fails the whole test.
echo_i "exit status: $status"
if [ $status -ne 0 ]; then
    exit 1
fi
    644