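# Copyright (C) 2005, 2007, 2010-2015 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# Id

# System test for named-checkconf.
#
# Each section runs $CHECKCONF (defined by conf.sh) against a fixture config in
# this directory, records the section's outcome in $ret and folds it into
# $status, which becomes the exit code.  Scratch output goes to *.out files,
# good.conf.in, badzero.conf and test.keydir in the current directory.
#
# Kept POSIX sh: the harness runs this file with /bin/sh, so no bash-only
# constructs are used.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0
ret=0

#######################################
# Close the current test section: print "I:failed" when $ret is non-zero and
# add $ret to the running $status.
# Globals:  ret (read), status (written)
#######################################
end_section() {
  if [ "$ret" != 0 ]; then echo "I:failed"; fi
  status=$((status + ret))
}

#######################################
# Write stdin to badzero.conf and require $CHECKCONF to reject it with exit
# status exactly 1.
# Arguments: $1 - label used in the failure message
# Globals:   ret (set to 1 on failure)
#######################################
reject_zero() {
  cat > badzero.conf
  $CHECKCONF badzero.conf > /dev/null 2>&1
  [ $? -eq 1 ] || { echo "I: $1 failed" ; ret=1; }
}

echo "I: checking that named-checkconf handles a known good config"
ret=0
$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
end_section

echo "I: checking that named-checkconf prints a known good config"
ret=0
# good.conf.in is everything after the "cut here" marker in good.conf; the -p
# output (minus the "good.conf.in:" diagnostics) must round-trip to it exactly.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
end_section

echo "I: checking that named-checkconf -x removes secrets"
ret=0
# Make sure the input really contains a secret and that it is not already the
# redaction string; otherwise the -x check below would pass vacuously.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
end_section

for bad in bad*.conf; do
  ret=0
  echo "I: checking that named-checkconf detects error in $bad"
  # A rejected config must exit with status exactly 1, not merely non-zero.
  $CHECKCONF "$bad" > /dev/null 2>&1
  [ $? = 1 ] || ret=1
  end_section
done

echo "I: checking that named-checkconf -z catches missing hint file"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
end_section

echo "I: checking that named-checkconf catches range errors"
ret=0
$CHECKCONF range.conf > /dev/null 2>&1 && ret=1
end_section

echo "I: checking that named-checkconf warns of notify inconsistencies"
ret=0
warnings=$($CHECKCONF notify.conf 2>&1 | grep -c "'notify' is disabled")
[ "$warnings" -eq 3 ] || ret=1
end_section

echo "I: checking named-checkconf dnssec warnings"
ret=0
$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# dnssec.2 must produce all three warnings; run the checker once and grep the
# captured output instead of re-running it per pattern.
out=$($CHECKCONF dnssec.2 2>&1)
printf '%s\n' "$out" | grep 'auto-dnssec may only be ' > /dev/null || ret=1
printf '%s\n' "$out" | grep 'validation auto.*enable no' > /dev/null || ret=1
printf '%s\n' "$out" | grep 'validation yes.*enable no' > /dev/null || ret=1
# this one should have no warnings: any output line at all is a failure.
$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
end_section

echo "I: range checking fields that do not allow zero"
ret=0
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
  # A zero value must be rejected in every context it can appear in.
  reject_zero "options $field" << EOF
options {
	$field 0;
};
EOF
  reject_zero "view $field" << EOF
view dummy {
	$field 0;
};
EOF
  reject_zero "options + view $field" << EOF
options {
	$field 0;
};
view dummy {
};
EOF
  reject_zero "zone $field" << EOF
zone dummy {
	type slave;
	masters { 0.0.0.0; };
	$field 0;
};
EOF
done
end_section

echo "I: checking options allowed in inline-signing slaves"
ret=0
# Each option must be reported exactly once as requiring inline-signing.
out=$($CHECKCONF bad-dnssec.conf 2>&1)
n=$(printf '%s\n' "$out" | grep -c "dnssec-dnskey-kskonly.*requires inline")
[ "$n" -eq 1 ] || ret=1
n=$(printf '%s\n' "$out" | grep -c "dnssec-loadkeys-interval.*requires inline")
[ "$n" -eq 1 ] || ret=1
n=$(printf '%s\n' "$out" | grep -c "update-check-ksk.*requires inline")
[ "$n" -eq 1 ] || ret=1
end_section

echo "I: check file + inline-signing for slave zones"
# ret was not reset here before, so a failure in the previous section was
# counted twice.
ret=0
n=$($CHECKCONF inline-no.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 0 ] || ret=1
n=$($CHECKCONF inline-good.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 0 ] || ret=1
n=$($CHECKCONF inline-bad.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 1 ] || ret=1
end_section

echo "I: checking named-checkconf DLZ warnings"
ret=0
$CHECKCONF dlz-bad.conf 2>&1 | grep "'dlz' and 'database'" > /dev/null || ret=1
end_section

echo "I: checking for missing key directory warning"
ret=0
rm -rf test.keydir
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "'test.keydir' does not exist")
[ "$n" -eq 1 ] || ret=1
touch test.keydir
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "'test.keydir' is not a directory")
[ "$n" -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "key-directory")
[ "$n" -eq 0 ] || ret=1
rm -rf test.keydir
# This section previously never folded $ret into $status, so its failures were
# printed but did not affect the exit code.
end_section

echo "I: checking that named-checkconf -z catches conflicting ttl with max-ttl"
ret=0
$CHECKCONF -z max-ttl.conf > check.out 2>&1
# NOTE(review): the original ran this identical grep three times, which is
# equivalent to running it once.  If three distinct zones or TTLs were meant,
# each needs its own pattern.
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
end_section

echo "I: checking that named-checkconf -z catches invalid max-ttl"
ret=0
$CHECKCONF -z max-ttl-bad.conf > /dev/null 2>&1 && ret=1
end_section

echo "I: checking that named-checkconf -z skips zone check with alternate databases"
ret=0
$CHECKCONF -z altdb.conf > /dev/null 2>&1 || ret=1
end_section

echo "I: checking that named-checkconf -z skips zone check with DLZ"
ret=0
$CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1
end_section

# The check-* sections below each require the checker to fail, to name the
# offending record, and not to report the zone as loaded.
echo "I: check that check-names fails as configured"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out1 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" checkconf.out1 > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out1 > /dev/null && ret=1
end_section

echo "I: check that check-mx fails as configured"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out2 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" checkconf.out2 > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out2 > /dev/null && ret=1
end_section

echo "I: check that check-dup-records fails as configured"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out3 2>&1 && ret=1
grep "has semantically identical records" checkconf.out3 > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out3 > /dev/null && ret=1
end_section

echo "I: check that check-mx fails as configured"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out4 2>&1 && ret=1
grep "failed: MX is an address" checkconf.out4 > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out4 > /dev/null && ret=1
end_section

echo "I: check that check-mx-cname fails as configured"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out5 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" checkconf.out5 > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out5 > /dev/null && ret=1
end_section

echo "I: check that check-srv-cname fails as configured"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out6 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" checkconf.out6 > /dev/null || ret=1
# NOTE(review): this greps for the check-mx-cname zone name in the
# check-srv-cname output; if the zone in check-srv-cname-fail.conf is named
# check-srv-cname, this "not loaded" check is vacuous and should be adjusted.
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1
end_section

echo "I:exit status: $status"
exit $status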