1#!/bin/sh 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14set -e 15 16. ../conf.sh 17 18status=0 19n=0 20 21mkdir -p keys 22 23n=$((n + 1)) 24echo_i "checking that named-checkconf handles a known good config ($n)" 25ret=0 26$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1 27if [ $ret -ne 0 ]; then echo_i "failed"; fi 28status=$((status + ret)) 29 30n=$((n + 1)) 31echo_i "checking that named-checkconf prints a known good config ($n)" 32ret=0 33awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.raw 34[ -s good.conf.raw ] || ret=1 35$CHECKCONF -p good.conf.raw >checkconf.out$n || ret=1 36grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 37cmp good.conf.raw good.conf.out || ret=1 38if [ $ret -ne 0 ]; then echo_i "failed"; fi 39status=$((status + ret)) 40 41n=$((n + 1)) 42echo_i "checking that named-checkconf -x removes secrets ($n)" 43ret=0 44# ensure there is a secret and that it is not the check string. 45grep 'secret "' good.conf.raw >/dev/null || ret=1 46grep 'secret "????????????????"' good.conf.raw >/dev/null 2>&1 && ret=1 47$CHECKCONF -p -x good.conf.raw >checkconf.out$n || ret=1 48grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 49grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1 50if [ $ret -ne 0 ]; then echo_i "failed"; fi 51status=$((status + ret)) 52 53for bad in bad-*.conf; do 54 n=$((n + 1)) 55 echo_i "checking that named-checkconf detects error in $bad ($n)" 56 ret=0 57 { 58 $CHECKCONF $bad >checkconf.out$n 2>&1 59 rc=$? 60 } || true 61 if [ $rc -ne 1 ]; then ret=1; fi 62 grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1 63 case $bad in 64 bad-update-policy[123].conf) 65 pat="identity and name fields are not the same" 66 grep "$pat" <checkconf.out$n >/dev/null || ret=1 67 ;; 68 bad-update-policy[4589].conf | bad-update-policy1[01].conf) 69 pat="name field not set to placeholder value" 70 grep "$pat" <checkconf.out$n >/dev/null || ret=1 71 ;; 72 bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf) 73 pat="missing name field type '.*' found" 74 grep "$pat" <checkconf.out$n >/dev/null || ret=1 75 ;; 76 esac 77 if [ $ret -ne 0 ]; then echo_i "failed"; fi 78 status=$((status + ret)) 79done 80 81for good in good-*.conf; do 82 n=$((n + 1)) 83 echo_i "checking that named-checkconf detects no error in $good ($n)" 84 ret=0 85 if ! $FEATURETEST --with-libnghttp2; then 86 case $good in 87 good-doh-*.conf) continue ;; 88 good-dot-*.conf) continue ;; 89 good-proxy-*doh*.conf) continue ;; 90 bad-proxy-*doh*.conf) continue ;; 91 esac 92 elif ! $FEATURETEST --have-openssl-cipher-suites; then 93 case $good in 94 good-tls-cipher-suites-*.conf) continue ;; 95 esac 96 fi 97 { 98 $CHECKCONF $good >checkconf.out$n 2>&1 99 rc=$? 100 } || true 101 if [ $rc -ne 0 ]; then 102 echo_i "failed" 103 ret=1 104 fi 105 status=$((status + ret)) 106done 107 108for lmdb in lmdb-*.conf; do 109 n=$((n + 1)) 110 ret=0 111 112 if $FEATURETEST --with-lmdb; then 113 echo_i "checking that named-checkconf detects no error in $lmdb ($n)" 114 { 115 $CHECKCONF $lmdb >checkconf.out$n 2>&1 116 rc=$? 117 } || true 118 if [ $rc -ne 0 ]; then 119 echo_i "failed" 120 ret=1 121 fi 122 else 123 echo_i "checking that named-checkconf detects error in $lmdb ($n)" 124 { 125 $CHECKCONF $lmdb >checkconf.out$n 2>&1 126 rc=$? 127 } || true 128 if [ $rc -eq 0 ]; then 129 echo_i "failed" 130 ret=1 131 fi 132 fi 133 status=$((status + ret)) 134done 135 136n=$((n + 1)) 137echo_i "checking that ancient options report a fatal error ($n)" 138ret=0 139$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1 140grep "no longer exists" ancient.out >/dev/null || ret=1 141if [ $ret -ne 0 ]; then echo_i "failed"; fi 142status=$((status + ret)) 143 144n=$((n + 1)) 145echo_i "checking that named-checkconf -z catches missing hint file ($n)" 146ret=0 147$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1 148grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1 149if [ $ret -ne 0 ]; then echo_i "failed"; fi 150status=$((status + ret)) 151 152n=$((n + 1)) 153echo_i "checking that named-checkconf catches range errors ($n)" 154ret=0 155$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1 156if [ $ret -ne 0 ]; then echo_i "failed"; fi 157status=$((status + ret)) 158 159n=$((n + 1)) 160echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" 161ret=0 162$CHECKCONF notify.conf >checkconf.out$n 2>&1 163warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l) 164[ $warnings -eq 3 ] || ret=1 165if [ $ret -ne 0 ]; then echo_i "failed"; fi 166status=$((status + ret)) 167 168if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" >/dev/null 2>&1; then 169 test_fixed=true 170else 171 test_fixed=false 172fi 173 174n=$((n + 1)) 175echo_i "checking named-checkconf deprecate warnings ($n)" 176ret=0 177$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 178grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 179grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 180grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 181grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 182grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 183grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 184grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 185grep "option 'dialup' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 186grep "option 'heartbeat-interval' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 187grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 188grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 189grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 190if $test_fixed; then 191 grep "rrset-order: order 'fixed' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 192else 193 grep "rrset-order: order 'fixed' was disabled at compilation time" <checkconf.out$n.1 >/dev/null || ret=1 194fi 195if [ $ret -ne 0 ]; then echo_i "failed"; fi 196status=$((status + ret)) 197# set -i to ignore deprecate warnings 198$CHECKCONF -i deprecated.conf 2>&1 | grep_v "rrset-order: order 'fixed' was disabled at compilation time" >checkconf.out$n.2 199grep '^.+$' <checkconf.out$n.2 >/dev/null && ret=1 200if [ $ret -ne 0 ]; then echo_i "failed"; fi 201status=$((status + ret)) 202 203n=$((n + 1)) 204echo_i "checking named-checkconf servestale warnings ($n)" 205ret=0 206$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1 207grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1 208if [ $ret -ne 0 ]; then echo_i "failed"; fi 209status=$((status + ret)) 210ret=0 211$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1 212grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1 213if [ $ret -ne 0 ]; then echo_i "failed"; fi 214status=$((status + ret)) 215 216n=$((n + 1)) 217echo_i "range checking fields that do not allow zero ($n)" 218ret=0 219for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do 220 cat >badzero.conf <<EOF 221options { 222 $field 0; 223}; 224EOF 225 { 226 $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1 227 rc=$? 228 } || true 229 [ $rc -eq 1 ] || { 230 echo_i "options $field failed" 231 ret=1 232 } 233 cat >badzero.conf <<EOF 234view dummy { 235 $field 0; 236}; 237EOF 238 { 239 $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1 240 rc=$? 241 } || true 242 [ $rc -eq 1 ] || { 243 echo_i "view $field failed" 244 ret=1 245 } 246 cat >badzero.conf <<EOF 247options { 248 $field 0; 249}; 250view dummy { 251}; 252EOF 253 { 254 $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1 255 rc=$? 256 } || true 257 [ $rc -eq 1 ] || { 258 echo_i "options + view $field failed" 259 ret=1 260 } 261 cat >badzero.conf <<EOF 262zone dummy { 263 type secondary; 264 primaries { 0.0.0.0; }; 265 $field 0; 266}; 267EOF 268 { 269 $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1 270 rc=$? 271 } || true 272 [ $rc -eq 1 ] || { 273 echo_i "zone $field failed" 274 ret=1 275 } 276done 277if [ $ret -ne 0 ]; then echo_i "failed"; fi 278status=$((status + ret)) 279 280n=$((n + 1)) 281echo_i "checking options allowed in inline-signing secondaries ($n)" 282ret=0 283$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1 284l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l) 285[ $l -eq 1 ] || ret=1 286if [ $ret -ne 0 ]; then echo_i "failed"; fi 287status=$((status + ret)) 288 289n=$((n + 1)) 290echo_i "check file + inline-signing for secondary zones ($n)" 291$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1 292l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l) 293[ $l -eq 0 ] || ret=1 294$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1 295l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l) 296[ $l -eq 0 ] || ret=1 297$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1 298l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l) 299[ $l -eq 1 ] || ret=1 300if [ $ret -ne 0 ]; then echo_i "failed"; fi 301status=$((status + ret)) 302 303n=$((n + 1)) 304echo_i "checking named-checkconf DLZ warnings ($n)" 305ret=0 306$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1 307grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1 308if [ $ret -ne 0 ]; then echo_i "failed"; fi 309status=$((status + ret)) 310 311n=$((n + 1)) 312echo_i "checking for missing key directory warning ($n)" 313ret=0 314rm -rf test.keydir 315rm -rf test.keystoredir 316$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1 317l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l) 318[ $l -eq 1 ] || ret=1 319l=$(grep "'test.keystoredir' does not exist" <checkconf.out$n.1 | wc -l) 320[ $l -eq 1 ] || ret=1 321touch test.keydir 322touch test.keystoredir 323$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1 324l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l) 325[ $l -eq 1 ] || ret=1 326l=$(grep "'test.keystoredir' is not a directory" <checkconf.out$n.2 | wc -l) 327[ $l -eq 1 ] || ret=1 328rm -f test.keydir 329rm -f test.keystoredir 330mkdir test.keydir 331mkdir test.keystoredir 332$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1 333l=$(grep "key-directory" <checkconf.out$n.3 | wc -l) 334[ $l -eq 0 ] || ret=1 335l=$(grep "key-store directory" <checkconf.out$n.3 | wc -l) 336[ $l -eq 0 ] || ret=1 337rm -rf test.keydir 338rm -rf test.keystoredir 339if [ $ret -ne 0 ]; then echo_i "failed"; fi 340status=$((status + ret)) 341 342n=$((n + 1)) 343echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)" 344ret=0 345$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1 346grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 347grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 348grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 349if [ $ret -ne 0 ]; then 350 echo_i "failed" 351 ret=1 352fi 353status=$((status + ret)) 354 355n=$((n + 1)) 356echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" 357ret=0 358$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1 359if [ $ret -ne 0 ]; then 360 echo_i "failed" 361 ret=1 362fi 363status=$((status + ret)) 364 365n=$((n + 1)) 366echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" 367ret=0 368$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1 369if [ $ret -ne 0 ]; then 370 echo_i "failed" 371 ret=1 372fi 373status=$((status + ret)) 374 375n=$((n + 1)) 376echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" 377ret=0 378$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1 379if [ $ret -ne 0 ]; then 380 echo_i "failed" 381 ret=1 382fi 383status=$((status + ret)) 384 385n=$((n + 1)) 386echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" 387ret=0 388$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1 389if [ $ret -ne 0 ]; then 390 echo_i "failed" 391 ret=1 392fi 393status=$((status + ret)) 394 395n=$((n + 1)) 396echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" 397ret=0 398$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1 399if [ $ret -ne 0 ]; then 400 echo_i "failed" 401 ret=1 402fi 403status=$((status + ret)) 404 405n=$((n + 1)) 406echo_i "checking that named-checkconf -z passes on view with IN class ($n)" 407ret=0 408$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1 409if [ $ret -ne 0 ]; then 410 echo_i "failed" 411 ret=1 412fi 413status=$((status + ret)) 414 415n=$((n + 1)) 416echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" 417ret=0 418$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1 419if [ $ret -ne 0 ]; then 420 echo_i "failed" 421 ret=1 422fi 423status=$((status + ret)) 424 425n=$((n + 1)) 426echo_i "check that check-names fails as configured ($n)" 427ret=0 428$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1 429grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1 430grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 431if [ $ret -ne 0 ]; then 432 echo_i "failed" 433 ret=1 434fi 435status=$((status + ret)) 436 437n=$((n + 1)) 438echo_i "check that check-mx fails as configured ($n)" 439ret=0 440$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 441grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1 442grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 443if [ $ret -ne 0 ]; then 444 echo_i "failed" 445 ret=1 446fi 447status=$((status + ret)) 448 449n=$((n + 1)) 450echo_i "check that check-dup-records fails as configured ($n)" 451ret=0 452$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1 453grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1 454grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 455if [ $ret -ne 0 ]; then 456 echo_i "failed" 457 ret=1 458fi 459status=$((status + ret)) 460 461n=$((n + 1)) 462echo_i "check that check-mx fails as configured ($n)" 463ret=0 464$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 465grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1 466grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 467if [ $ret -ne 0 ]; then 468 echo_i "failed" 469 ret=1 470fi 471status=$((status + ret)) 472 473n=$((n + 1)) 474echo_i "check that check-mx-cname fails as configured ($n)" 475ret=0 476$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 477grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 478grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 479if [ $ret -ne 0 ]; then 480 echo_i "failed" 481 ret=1 482fi 483status=$((status + ret)) 484 485n=$((n + 1)) 486echo_i "check that check-srv-cname fails as configured ($n)" 487ret=0 488$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 489grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 490grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 491if [ $ret -ne 0 ]; then 492 echo_i "failed" 493 ret=1 494fi 495status=$((status + ret)) 496 497n=$((n + 1)) 498echo_i "check that named-checkconf -p properly print a port range ($n)" 499ret=0 500$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1 501grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1 502if [ $ret -ne 0 ]; then 503 echo_i "failed" 504 ret=1 505fi 506status=$((status + ret)) 507 508n=$((n + 1)) 509echo_i "check that named-checkconf -z handles in-view ($n)" 510ret=0 511$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1 512grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1 513if [ $ret -ne 0 ]; then 514 echo_i "failed" 515 ret=1 516fi 517status=$((status + ret)) 518 519n=$((n + 1)) 520echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" 521ret=0 522$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1 523if [ $ret -ne 0 ]; then 524 echo_i "failed" 525 ret=1 526fi 527status=$((status + ret)) 528 529n=$((n + 1)) 530echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)" 531ret=0 532$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1 533grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1 534if [ $ret -ne 0 ]; then 535 echo_i "failed" 536 ret=1 537fi 538status=$((status + ret)) 539 540n=$((n + 1)) 541echo_i "check that named-checkconf -l prints out the zone list ($n)" 542ret=0 543$CHECKCONF -l good.conf \ 544 | grep -v "is deprecated" \ 545 | grep -v "is not implemented" \ 546 | grep -v "is not recommended" \ 547 | grep -v "no longer exists" \ 548 | grep -v "is obsolete" >checkconf.out$n || ret=1 549diff good.zonelist checkconf.out$n >diff.out$n || ret=1 550if [ $ret -ne 0 ]; then 551 echo_i "failed" 552 ret=1 553fi 554status=$((status + ret)) 555 556n=$((n + 1)) 557echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" 558ret=0 559$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1 560[ -s checkconf.out$n ] || ret=1 561grep "key without the updated" <checkconf.out$n >/dev/null || ret=1 562if [ $ret -ne 0 ]; then 563 echo_i "failed" 564 ret=1 565fi 566status=$((status + ret)) 567 568n=$((n + 1)) 569echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" 570ret=0 571$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1 572[ -s checkconf.out$n ] && ret=1 573if [ $ret -ne 0 ]; then 574 echo_i "failed" 575 ret=1 576fi 577status=$((status + ret)) 578 579n=$((n + 1)) 580echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" 581ret=0 582$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1 583[ -s checkconf.out$n ] && ret=1 584if [ $ret -ne 0 ]; then 585 echo_i "failed" 586 ret=1 587fi 588status=$((status + ret)) 589 590n=$((n + 1)) 591echo_i "check that a static root key generates a warning ($n)" 592ret=0 593$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1 594grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 595if [ $ret -ne 0 ]; then 596 echo_i "failed" 597 ret=1 598fi 599status=$((status + ret)) 600 601n=$((n + 1)) 602echo_i "check that a static root DS trust anchor generates a warning ($n)" 603ret=0 604$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1 605grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 606if [ $ret -ne 0 ]; then 607 echo_i "failed" 608 ret=1 609fi 610status=$((status + ret)) 611 612n=$((n + 1)) 613echo_i "check that a trusted-keys entry for root generates a warning ($n)" 614ret=0 615$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 616grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 617if [ $ret -ne 0 ]; then 618 echo_i "failed" 619 ret=1 620fi 621status=$((status + ret)) 622 623n=$((n + 1)) 624echo_i "check that using trust-anchors and managed-keys generates an error ($n)" 625ret=0 626$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 627grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 628if [ $ret -ne 0 ]; then 629 echo_i "failed" 630 ret=1 631fi 632status=$((status + ret)) 633 634n=$((n + 1)) 635echo_i "checking named-checkconf kasp errors ($n)" 636ret=0 637$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1 638grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1 639if [ $ret -ne 0 ]; then echo_i "failed"; fi 640status=$((status + ret)) 641 642n=$((n + 1)) 643echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" 644ret=0 645if [ $RSASHA1_SUPPORTED = 0 ]; then 646 conf=kasp-bad-nsec3-iter-fips.conf 647 expect=2 648else 649 conf=kasp-bad-nsec3-iter.conf 650 expect=3 651fi 652$CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1 653grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1 654lines=$(wc -l <"checkconf.out$n") 655if [ $lines -ne $expect ]; then ret=1; fi 656if [ $ret -ne 0 ]; then echo_i "failed"; fi 657status=$((status + ret)) 658 659n=$((n + 1)) 660echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" 661ret=0 662$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1 663if [ $RSASHA1_SUPPORTED = 0 ]; then 664 grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1 665else 666 grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1 667fi 668if [ $ret -ne 0 ]; then echo_i "failed"; fi 669status=$((status + ret)) 670 671n=$((n + 1)) 672echo_i "checking named-checkconf kasp key errors ($n)" 673ret=0 674$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1 675grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1 676if [ $ret -ne 0 ]; then echo_i "failed"; fi 677status=$((status + ret)) 678 679n=$((n + 1)) 680echo_i "checking named-checkconf kasp offline-ksk with csk errors ($n)" 681ret=0 682$CHECKCONF kasp-bad-offline-ksk.conf >checkconf.out$n 2>&1 && ret=1 683grep "dnssec-policy: csk keys are not allowed when offline-ksk is enabled" <checkconf.out$n >/dev/null || ret=1 684if [ $ret -ne 0 ]; then echo_i "failed"; fi 685status=$((status + ret)) 686 687n=$((n + 1)) 688echo_i "checking named-checkconf kasp signatures refresh errors ($n)" 689ret=0 690$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1 691grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" <checkconf.out$n >/dev/null || ret=1 692grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" <checkconf.out$n >/dev/null || ret=1 693lines=$(wc -l <"checkconf.out$n") 694if [ $lines -ne 2 ]; then ret=1; fi 695if [ $ret -ne 0 ]; then echo_i "failed"; fi 696status=$((status + ret)) 697 698n=$((n + 1)) 699echo_i "checking named-checkconf kasp key lifetime errors ($n)" 700ret=0 701$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1 702lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" <checkconf.out$n | wc -l) || ret=1 703if [ $lines -ne 3 ]; then ret=1; fi 704if [ $ret -ne 0 ]; then echo_i "failed"; fi 705status=$((status + ret)) 706 707n=$((n + 1)) 708echo_i "checking named-checkconf kasp predefined key length ($n)" 709ret=0 710$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1 711grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1 712if [ $ret -ne 0 ]; then echo_i "failed"; fi 713status=$((status + ret)) 714 715n=$((n + 1)) 716echo_i "checking named-checkconf kasp warns about weird policies ($n)" 717ret=0 718$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1 719grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 720grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 721grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1 722grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 723grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1 724lines=$(wc -l <"checkconf.out$n") 725if [ $lines -ne 5 ]; then ret=1; fi 726if [ $ret -ne 0 ]; then echo_i "failed"; fi 727status=$((status + ret)) 728 729n=$((n + 1)) 730echo_i "check that a good 'kasp' configuration is accepted ($n)" 731ret=0 732$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1 733if [ $ret -ne 0 ]; then echo_i "failed"; fi 734status=$((status + ret)) 735 736n=$((n + 1)) 737echo_i "checking that named-checkconf prints a known good kasp config ($n)" 738ret=0 739awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in 740[ -s good-kasp.conf.in ] || ret=1 741$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1 742cmp good-kasp.conf.in good-kasp.conf.out || ret=1 743if [ $ret -ne 0 ]; then echo_i "failed"; fi 744status=$((status + ret)) 745 746n=$((n + 1)) 747echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" 748ret=0 749$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1 750grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1 751if [ $ret -ne 0 ]; then 752 echo_i "failed" 753 ret=1 754fi 755status=$((status + ret)) 756 757n=$((n + 1)) 758echo_i "check that *-source options with specified port generate warnings ($n)" 759ret=0 760$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1 761grep "not recommended" <checkconf.out$n >/dev/null || ret=1 762$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1 763grep "not recommended" <checkconf.out$n >/dev/null || ret=1 764$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1 765grep "not recommended" <checkconf.out$n >/dev/null || ret=1 766if [ $ret -ne 0 ]; then 767 echo_i "failed" 768 ret=1 769fi 770status=$((status + ret)) 771 772n=$((n + 1)) 773echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" 774ret=0 775$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1 776grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1 777if [ $ret != 0 ]; then 778 echo_i "failed" 779 ret=1 780fi 781status=$((status + ret)) 782 783n=$((n + 1)) 784echo_i "check that 'check-wildcard yes;' warns as configured ($n)" 785ret=0 786$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1 787grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1 788if [ $ret != 0 ]; then 789 echo_i "failed" 790 ret=1 791fi 792status=$((status + ret)) 793 794echo_i "exit status: $status" 795[ $status -eq 0 ] || exit 1 796