# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

. ../conf.sh

# Number of failed checks so far; the script exits non-zero if this is not 0
# at the end.
status=0
# Sequence number of the current check. It appears in every echo_i message
# and in the names of the per-check output files (checkconf.out$n ...).
n=0

n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
# A clean exit on good.conf is the baseline the later print/secret checks rely on.
if ! $CHECKCONF good.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# Everything after the "cut here" marker in good.conf is the canonical form
# that `named-checkconf -p` is expected to reproduce byte for byte.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
if [ ! -s good.conf.in ]; then
  ret=1
fi
# Print the parsed config, then drop the diagnostic lines prefixed with the
# input file name before comparing against the input.
if ! $CHECKCONF -p good.conf.in > checkconf.out$n; then
  ret=1
fi
if ! grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1; then
  ret=1
fi
cmp good.conf.in good.conf.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# Preconditions: the input really contains a 'secret "..."' statement and
# its value is not already the placeholder that -x substitutes; otherwise
# the positive check further down would pass vacuously.
grep -q 'secret "' good.conf.in || ret=1
if grep -q 'secret "????????????????"' good.conf.in 2>/dev/null; then
  ret=1
fi
# With -x the printed config must carry the placeholder instead of the real
# secret, so the output can be shared without disclosing the key value.
if ! $CHECKCONF -p -x good.conf.in > checkconf.out$n; then
  ret=1
fi
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
if ! grep -q 'secret "????????????????"' good.conf.out 2>/dev/null; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

for bad in bad-*.conf; do
    n=$((n + 1))
    echo_i "checking that named-checkconf detects error in $bad ($n)"
    ret=0
    # Every bad-*.conf must be rejected with exit status exactly 1 ...
    $CHECKCONF $bad > checkconf.out$n 2>&1
    rc=$?
    [ "$rc" -eq 1 ] || ret=1
    # ... and the diagnostic must be attributed to a line of that file.
    grep -q "^$bad:[0-9]*: " < checkconf.out$n || ret=1
    # The update-policy cases additionally pin the expected error text.
    case $bad in
    bad-update-policy[123].conf)
        pat="identity and name fields are not the same"
        ;;
    bad-update-policy[4589].conf|bad-update-policy1[01].conf)
        pat="name field not set to placeholder value"
        ;;
    bad-update-policy[67].conf|bad-update-policy1[2345].conf)
        pat="missing name field type '.*' found"
        ;;
    *)
        pat=
        ;;
    esac
    if [ -n "$pat" ]; then
        grep -q "$pat" < checkconf.out$n || ret=1
    fi
    [ "$ret" -eq 0 ] || echo_i "failed"
    status=$((status + ret))
done

for good in good-*.conf; do
    n=$((n + 1))
    echo_i "checking that named-checkconf detects no error in $good ($n)"
    ret=0
    # Every good-*.conf must be accepted cleanly (exit status 0).
    if ! $CHECKCONF $good > checkconf.out$n 2>&1; then
        echo_i "failed"
        ret=1
    fi
    status=$((status + ret))
done

n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
# Long-removed options must be a hard error, not a warning: the run has to
# fail and the output has to say the option no longer exists.
if $CHECKCONF ancient.conf > ancient.out 2>&1; then
  ret=1
fi
grep -q "no longer exists" ancient.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
# -z also loads zones, so a root hints file that does not exist must fail
# the run, with a message naming the missing file.
if $CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1; then
  ret=1
fi
grep -q "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
# range.conf is expected to be rejected; a successful run is the failure.
if $CHECKCONF range.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
# The exit status is deliberately ignored; what matters is that exactly
# three "'notify' is disabled" warnings appear.
$CHECKCONF notify.conf > checkconf.out$n 2>&1
warnings=$(grep -c "'notify' is disabled" < checkconf.out$n)
[ "$warnings" -eq 3 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
# Exit statuses are ignored throughout; each run is judged on its output.
# dnssec.1: dnssec-enable is obsolete
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep -q "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 || ret=1
# dnssec.2: auto-dnssec warning
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep -q 'auto-dnssec may only be ' < checkconf.out$n.2 || ret=1
# dnssec.3: should have no warnings, so any output line at all is a failure
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
if grep -q '.*' < checkconf.out$n.3; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

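n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
# Without -i, both deprecated options must be reported.
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep -q "option 'managed-keys' is deprecated" < checkconf.out$n.1 || ret=1
grep -q "option 'trusted-keys' is deprecated" < checkconf.out$n.1 || ret=1
# With -i (ignore deprecation warnings) the same file must produce no output.
$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
if grep -q '.*' < checkconf.out$n.2; then
  ret=1
fi
# One verdict for the whole check. Previously "failed" was echoed and status
# was incremented after each half without resetting ret, so a single failure
# in the first half was counted twice under the same check number.
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))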

n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# Each timer option is written with the value 0 into every scope it can
# appear in (options, view, options+view, zone); named-checkconf must reject
# each variant with exit status exactly 1.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
    cat > badzero.conf << EOF
options {
    $field 0;
};
EOF
    $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1
    if [ $? -ne 1 ]; then
        echo_i "options $field failed"
        ret=1
    fi
    cat > badzero.conf << EOF
view dummy {
    $field 0;
};
EOF
    $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1
    if [ $? -ne 1 ]; then
        echo_i "view $field failed"
        ret=1
    fi
    cat > badzero.conf << EOF
options {
    $field 0;
};
view dummy {
};
EOF
    $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1
    if [ $? -ne 1 ]; then
        echo_i "options + view $field failed"
        ret=1
    fi
    cat > badzero.conf << EOF
zone dummy {
    type secondary;
    primaries { 0.0.0.0; };
    $field 0;
};
EOF
    $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1
    if [ $? -ne 1 ]; then
        echo_i "zone $field failed"
        ret=1
    fi
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
# Each of the three options in bad-dnssec.conf is expected to draw exactly
# one "requires inline" diagnostic. Exit statuses are not checked.
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1
l=$(grep -c "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1
l=$(grep -c "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1
l=$(grep -c "update-check-ksk.*requires inline" < checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

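n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
# Reset the per-check result. This was missing, so a failure in the preceding
# check leaked into this one and was reported and counted a second time.
ret=0
# inline-no.conf and inline-good.conf must not draw the "missing 'file' entry"
# diagnostic; inline-bad.conf must draw it exactly once.
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.1)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.2)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))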

n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
# Only the diagnostic about combining 'dlz' and 'database' is checked; the
# exit status is ignored.
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
grep -q "'dlz' and 'database'" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

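n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
# Start from a clean slate: no test.keydir of any kind.
rm -rf test.keydir
# 1. key-directory names a path that does not exist -> exactly one warning.
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep -c "'test.keydir' does not exist" < checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
# 2. the path exists but is a plain file -> exactly one "is not a directory".
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep -c "'test.keydir' is not a directory" < checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
# 3. the path is a real directory -> no key-directory diagnostic at all.
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep -c "key-directory" < checkconf.out$n.3)
[ "$l" -eq 0 ] || ret=1
rm -rf test.keydir
[ "$ret" -eq 0 ] || echo_i "failed"
# This check never folded its result into status, so a failure here could
# not make the script exit non-zero.
status=$((status + ret))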

n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
# The exit status is not checked; only the max-zone-ttl diagnostic is.
$CHECKCONF -z max-ttl.conf > check.out 2>&1
# NOTE(review): the identical pattern is tested three times. This looks like
# a copy/paste where distinct zones or TTL values were intended; confirm
# against max-ttl.conf. Kept as-is to preserve behavior.
grep -q 'TTL 900 exceeds configured max-zone-ttl 600' check.out 2>/dev/null || ret=1
grep -q 'TTL 900 exceeds configured max-zone-ttl 600' check.out 2>/dev/null || ret=1
grep -q 'TTL 900 exceeds configured max-zone-ttl 600' check.out 2>/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
# An invalid max-ttl must make the -z run fail.
if $CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
# Zones backed by an alternate database are not loaded by -z, so this must pass.
if ! $CHECKCONF -z altdb.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
# DLZ-backed zones are not loaded by -z, so this must pass.
if ! $CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
# A view of class ANY must be rejected.
if $CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
# CLASS255 is the numeric spelling of ANY and must be rejected the same way.
if $CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
# A view of class IN is the normal case and must be accepted.
if ! $CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
# CLASS1 is the numeric spelling of IN and must be accepted like IN.
if ! $CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
# The run must fail, name the offending owner, and must NOT go on to report
# the zone as loaded.
if $CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "near '_underscore': bad name (check-names)" < checkconf.out$n || ret=1
if grep -q "zone check-names/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
# The run must fail, flag the address-valued MX, and must NOT report the
# zone as loaded.
if $CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "near '10.0.0.1': MX is an address" < checkconf.out$n || ret=1
if grep -q "zone check-mx/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
# The run must fail on the duplicate records and must NOT report the zone
# as loaded.
if $CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "has semantically identical records" < checkconf.out$n || ret=1
if grep -q "zone check-dup-records/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
# NOTE(review): second check-mx check on the same file; it differs from the
# earlier one only in the matched text ("failed: MX is an address" rather
# than the "near '...'" form). Confirm both forms are intended.
if $CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "failed: MX is an address" < checkconf.out$n || ret=1
if grep -q "zone check-mx/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
# The run must fail on the MX pointing at a CNAME and must NOT report the
# zone as loaded.
if $CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "MX.* is a CNAME (illegal)" < checkconf.out$n || ret=1
if grep -q "zone check-mx-cname/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
# The run must fail on the SRV pointing at a CNAME.
if $CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "SRV.* is a CNAME (illegal)" < checkconf.out$n || ret=1
# NOTE(review): this negative check looks for zone "check-mx-cname", the name
# used by the check-mx-cname check above; it is probably a copy/paste and
# would pass vacuously if no such zone is in check-srv-cname-fail.conf.
# Confirm the zone name in that file. Kept as-is to preserve behavior.
if grep -q "zone check-mx-cname/IN: loaded serial" < checkconf.out$n; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
if ! $CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1; then
  ret=1
fi
# The printed form must keep the range as "range 8610 8614;".
grep -q "range 8610 8614;" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
# The shared zone must be accepted and reported as loaded.
if ! $CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "zone shared.example/IN: loaded serial" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
# A valid later view must not mask the error in an earlier one: the overall
# exit status has to be non-zero.
if $CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
if ! $CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1; then
  ret=1
fi
# The percentage form must survive the print round trip unchanged.
grep -q "max-cache-size 60%;" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
# Filter out the warnings good.conf is known to trigger, leaving only the
# zone list, then compare it with the expected list.
# NOTE(review): without pipefail the `|| ret=1` only sees the last grep's
# status, so a non-zero exit from named-checkconf itself is masked here and
# is caught only indirectly by the diff below.
$CHECKCONF -l good.conf \
  | grep -v "is not implemented" \
  | grep -v "no longer exists" \
  | grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
# The obsolete option must still be accepted (exit 0). stderr is discarded,
# so the warning has to appear on stdout to be found.
if ! $CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
# Same expectation as the 'auto' form: accepted, but flagged as obsolete.
if ! $CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0
# A non-ISC DLV anchor gets the same obsolete-option warning.
if ! $CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
# Accepted (exit 0), but there must be output and it must carry the
# "key without the updated" warning.
if ! $CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
if [ ! -s checkconf.out$n ]; then
  ret=1
fi
grep -q "key without the updated" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
# Accepted, and with both keys present there must be no output at all.
if ! $CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
if [ -s checkconf.out$n ]; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
ret=0
# Accepted, and the current key alone must produce no output.
if ! $CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
if [ -s checkconf.out$n ]; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root key generates a warning ($n)"
ret=0
# A static root key is accepted (exit 0) but must draw the "WILL FAIL" warning.
if ! $CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "static entry for the root zone WILL FAIL" checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
# Same expectation for a static DS anchor: accepted, but "WILL FAIL" is warned.
if ! $CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "static entry for the root zone WILL FAIL" checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
# A trusted-keys entry for the root is accepted but must be warned about.
if ! $CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
# Mixing the two is an error, not a warning: the run must fail and say that
# managed-keys is not allowed.
if $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "use of managed-keys is not allowed" checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
# Accepted (exit 0), but there must be output and it must flag the option
# as obsolete.
if ! $CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
if [ ! -s checkconf.out$n ]; then
  ret=1
fi
grep -q "'geoip-use-ecs' is obsolete" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
# The run must fail, and every option that conflicts with dnssec-policy must
# be called out individually.
if $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1; then
  ret=1
fi
# One expected diagnostic per line; the quoted delimiter keeps them literal.
while IFS= read -r pat; do
  grep -q "$pat" < checkconf.out$n || ret=1
done << 'EOF'
'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone
'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set
dnskey-sig-validity: cannot be configured if dnssec-policy is also set
dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set
dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set
dnssec-update-mode: cannot be configured if dnssec-policy is also set
sig-validity-interval: cannot be configured if dnssec-policy is also set
update-check-ksk: cannot be configured if dnssec-policy is also set
EOF
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key lengths ($n)"
ret=0
# A length given for an algorithm with a fixed key size is accepted (exit 0)
# but must be reported as ignored.
if ! $CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1; then
  ret=1
fi
grep -q "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
# good-kasp.conf must pass cleanly; stderr is discarded here.
if ! $CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

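n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
# Everything after the "cut here" marker is the canonical form that
# `named-checkconf -p` is expected to reproduce byte for byte.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
# Run named-checkconf and the filter as separate steps, as the good.conf
# print check does, so a non-zero exit from named-checkconf is not masked
# by the pipeline (POSIX sh has no pipefail).
$CHECKCONF -p good-kasp.conf.in > checkconf.out$n || ret=1
grep -v '^good-kasp.conf.in:' < checkconf.out$n > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))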

n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
# Accepted (exit 0), but the "exceeds 100%" warning must be present.
if ! $CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null; then
  ret=1
fi
grep -q "exceeds 100%" < checkconf.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

echo_i "exit status: $status"
# Any failed check above makes the whole test fail.
if [ "$status" -ne 0 ]; then
  exit 1
fi