# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named-checkconf.  Each case runs $CHECKCONF (provided by
# conf.sh) against a fixture config, inspects exit status and diagnostics,
# and folds the per-case result ($ret) into $status; a non-zero $status
# fails the whole run at the bottom of the script.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0   # accumulated failure count over all cases
n=0        # running case number; also names the per-case output files

# Scratch directory used by the fixtures; removed again by the teardown
# (rmdir keys) at the end of the run.
mkdir keys
19
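n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
# A known-good config must be accepted (exit status 0).
$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# Everything after the "cut here" marker in good.conf is the canonical form
# that -p is expected to reproduce verbatim.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
# Strip the "file:line:" diagnostic lines so only the printed config is compared.
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# -x exists so a config can be shared for debugging without leaking key
# material.  To prove redaction really happened, the input must contain a
# secret and that secret must not already be the mask string.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
# The printed output must carry the mask ...
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
# ... and no unmasked secret may survive alongside it.
grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' > /dev/null 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))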
49
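# Every bad-*.conf fixture must be rejected with exit status 1 (not merely
# non-zero) and the diagnostic must name the offending file and line.
for bad in bad-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  $CHECKCONF "$bad" > checkconf.out$n 2>&1
  [ $? -eq 1 ] || ret=1
  grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
  # Particular update-policy mistakes must be reported with a specific message.
  case "$bad" in
  bad-update-policy[123].conf)
    pat="identity and name fields are not the same"
    ;;
  bad-update-policy[4589].conf|bad-update-policy1[01].conf)
    pat="name field not set to placeholder value"
    ;;
  bad-update-policy[67].conf|bad-update-policy1[2345].conf)
    pat="missing name field type '.*' found"
    ;;
  *)
    pat=
    ;;
  esac
  if [ -n "$pat" ]; then
    grep "$pat" < checkconf.out$n > /dev/null || ret=1
  fi
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))
done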
75
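# Every good-*.conf fixture must be accepted (exit status 0).
for good in good-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects no error in $good ($n)"
  ret=0
  $CHECKCONF "$good" > checkconf.out$n 2>&1 || ret=1
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))
done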
85
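n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
# Options that were removed long ago are an error, not a warning.
$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
# notify.conf is expected to draw exactly three "'notify' is disabled" warnings.
$CHECKCONF notify.conf > checkconf.out$n 2>&1
warnings=$(grep -c "'notify' is disabled" < checkconf.out$n)
[ "$warnings" -eq 3 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))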
117
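n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
# dnssec.1: dnssec-enable is obsolete and must be reported.
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 > /dev/null || ret=1
# dnssec.2: an auto-dnssec warning is expected.
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1
# dnssec.3: must produce no output at all.
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
[ -s checkconf.out$n.3 ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
# -i must silence the deprecation warnings entirely.  Reset ret first so a
# failure above is not counted a second time here.
ret=0
$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
[ -s checkconf.out$n.2 ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
ret=0
# stale-refresh-time 0 is explicitly allowed and must not warn ...
$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
ret=0
# ... while 29 seconds is below the minimum and must warn.
$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.2 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.2 > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))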
159
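n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# Each timer field must be rejected (exit status 1) when set to 0, whether it
# appears at options, view, options-plus-view or zone scope.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
  cat > badzero.conf << EOF
options {
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1
  [ $? -eq 1 ] || { echo_i "options $field failed"; ret=1; }
  cat > badzero.conf << EOF
view dummy {
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1
  [ $? -eq 1 ] || { echo_i "view $field failed"; ret=1; }
  cat > badzero.conf << EOF
options {
    $field 0;
};
view dummy {
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1
  [ $? -eq 1 ] || { echo_i "options + view $field failed"; ret=1; }
  cat > badzero.conf << EOF
zone dummy {
    type secondary;
    primaries { 0.0.0.0; };
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1
  [ $? -eq 1 ] || { echo_i "zone $field failed"; ret=1; }
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))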
199
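n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
# These DNSSEC options are only meaningful with inline-signing, so
# bad-dnssec.conf must draw exactly one "requires inline" diagnostic per
# option.  One run of named-checkconf is enough to check all three.
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1
for opt in dnssec-dnskey-kskonly dnssec-loadkeys-interval update-check-ksk; do
  l=$(grep -c "$opt.*requires inline" < checkconf.out$n.1)
  [ "$l" -eq 1 ] || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
# Reset ret here: without it a failure in the previous case would be
# carried over and reported (and counted) again for this one.
ret=0
# Neither "inline-signing no" nor a good inline-signing zone may complain
# about a missing file entry; only the bad config may, and exactly once.
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.1)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.2)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
l=$(grep -c "missing 'file' entry" < checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))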
228
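n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
rm -rf test.keydir
# Missing directory: exactly one warning naming it.
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep -c "'test.keydir' does not exist" < checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
# Present but a plain file: exactly one "is not a directory" warning.
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep -c "'test.keydir' is not a directory" < checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
# A real directory: no key-directory diagnostics at all.
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep -c "key-directory" < checkconf.out$n.3)
[ "$l" -eq 0 ] || ret=1
rm -rf test.keydir
[ "$ret" -eq 0 ] || echo_i "failed"
# Fold the result into the run status; previously this case could only
# print "failed" without affecting the exit status.
status=$((status + ret))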
255
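n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
# Loading the zone (-z) must report the 900s TTL exceeding max-zone-ttl 600.
$CHECKCONF -z max-ttl.conf > check.out 2>&1
# NOTE(review): if max-ttl.conf defines more than one zone, each one needs
# its own zone-specific assertion here — confirm against the fixture.
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))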
265
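n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
# Zones backed by a non-file database cannot be loaded by -z and must be
# skipped rather than treated as an error.
$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# A view's class must be a real class: ANY / CLASS255 are rejected,
# IN / CLASS1 are accepted.
n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))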
314
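# Each check-* option set to "fail" must make the zone load fail (non-zero
# exit, the specific diagnostic present, and no "loaded serial" line).
n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Same check-mx config again, this time matching the "failed:" form of the
# MX-is-an-address diagnostic.
n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
# NOTE(review): this pattern names the check-mx-cname zone rather than a
# check-srv-cname one, so it can only fire if check-srv-cname-fail.conf
# reuses that zone name — confirm against the fixture; otherwise the
# "zone was not loaded" assertion is a no-op.
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))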
368
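n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
# A missing zone in an earlier view must not be masked by a later good view.
$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
# Capture the raw listing first so a failing named-checkconf is noticed; in
# the filter pipeline only the last grep's exit status is visible.
$CHECKCONF -l good.conf > checkconf.out$n.raw || ret=1
# Drop the warning lines good.conf is known to provoke before comparing.
grep -v "is not implemented" < checkconf.out$n.raw |
  grep -v "is not recommended" |
  grep -v "no longer exists" |
  grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))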
411
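# dnssec-lookaside (DLV) is obsolete in every form; each spelling must warn
# but still be accepted.
n=$((n + 1))
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))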
435
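# Root trust-anchor hygiene: a config that pins only the rolled-over 2010
# root KSK must warn, configs that include the 2017 KSK must stay silent,
# and static root anchors of any kind must warn that validation will fail.
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "key without the updated" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
# Mixing the new and old trust-anchor statements is a hard error.
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))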
492
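n=$((n + 1))
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
# dnssec-policy is exclusive with the legacy per-zone DNSSEC knobs; every
# conflicting option in the fixture must be called out individually.
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
for opt in dnskey-sig-validity dnssec-dnskey-kskonly dnssec-secure-to-insecure \
    dnssec-update-mode sig-validity-interval update-check-ksk; do
  grep "$opt: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
# Exactly three lines of output are expected.  $lines is deliberately left
# unquoted: BSD wc pads the count with leading spaces.
lines=$(wc -l < "checkconf.out$n")
[ $lines -eq 3 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
# NSEC3 with RSASHA1 is not permitted (RFC 5155 / RFC 8624 alignment).
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0
# A length given for a fixed-size algorithm is ignored with a warning, not
# rejected.
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))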
557
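n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
# Everything after the "cut here" marker is the canonical form -p must
# reproduce.  Capture the raw output before filtering, as the good.conf case
# does, so that a failing named-checkconf is not hidden behind grep's status.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in > checkconf.out$n || ret=1
grep -v '^good-kasp.conf.in:' < checkconf.out$n > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))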
567
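n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
# Pinning a source port is discouraged; each *-source variant must warn but
# still be accepted.
for conf in warn-transfer-source.conf warn-notify-source.conf warn-parental-source.conf; do
  $CHECKCONF "$conf" > checkconf.out$n 2>/dev/null || ret=1
  grep "not recommended" < checkconf.out$n > /dev/null || ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
ret=0
$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that masterfile-format map generates deprecation warning ($n)"
ret=0
$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1
grep "is deprecated" < checkconf.out$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)"
ret=0
for conf in good-masterfile-format-text.conf good-masterfile-format-raw.conf; do
  $CHECKCONF "$conf" > checkconf.out$n 2>/dev/null || ret=1
  grep "is deprecated" < checkconf.out$n > /dev/null && ret=1
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))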
613
# Teardown: drop the scratch key directory created at the top, then report
# the aggregate result and fail the run if any case failed.
rmdir keys

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1
618