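#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# System test for named-checkconf.
#
# Every check follows the same shape: bump the counter "n", reset "ret",
# run $CHECKCONF (provided by conf.sh) against a fixture in this directory,
# and fold "ret" into "status".  The script exits non-zero if any check
# failed.  A check that forgets the final status accumulation fails
# silently, and a check that forgets "ret=0" inherits the previous result;
# both have been corrected below.
#
# Several checks are security-relevant and deserve care when edited: the
# "-x" check guards secret redaction in printed configurations, the root
# KSK / trust-anchor checks guard against stale or unusable DNSSEC trust
# anchors, and the kasp checks reject weak NSEC3, algorithm and key-length
# choices.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

status=0
n=0

mkdir keys

n=$((n + 1))
echo_i "checking that named-checkconf handles a known good config ($n)"
ret=0
$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good config ($n)"
ret=0
# Everything after the "cut here" marker is the canonical form that "-p"
# is expected to reproduce verbatim.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
cmp good.conf.in good.conf.out || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -x removes secrets ($n)"
ret=0
# The input must contain at least one shared secret, and that secret must
# not already be the redaction placeholder, or the checks below are vacuous.
grep -q 'secret "' good.conf.in || ret=1
grep -q 'secret "????????????????"' good.conf.in 2>/dev/null && ret=1
$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
grep -q 'secret "????????????????"' good.conf.out 2>/dev/null || ret=1
# Every secret must be redacted, not just one: any 'secret "' line in the
# -x output that is not the placeholder is a leak.
grep 'secret "' good.conf.out 2>/dev/null | grep -v 'secret "????????????????"' > /dev/null && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

for bad in bad-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects error in $bad ($n)"
  ret=0
  # A bad config must fail with exit status exactly 1 and its diagnostic
  # must name the file and line.
  $CHECKCONF "$bad" > checkconf.out$n 2>&1
  if [ $? -ne 1 ]; then ret=1; fi
  grep -q "^$bad:[0-9]*: " checkconf.out$n || ret=1
  # The update-policy fixtures additionally pin the specific diagnostic.
  case $bad in
  bad-update-policy[123].conf)
    pat="identity and name fields are not the same"
    grep -q "$pat" checkconf.out$n || ret=1
    ;;
  bad-update-policy[4589].conf|bad-update-policy1[01].conf)
    pat="name field not set to placeholder value"
    grep -q "$pat" checkconf.out$n || ret=1
    ;;
  bad-update-policy[67].conf|bad-update-policy1[2345].conf)
    pat="missing name field type '.*' found"
    grep -q "$pat" checkconf.out$n || ret=1
    ;;
  esac
  if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
done

for good in good-*.conf
do
  n=$((n + 1))
  echo_i "checking that named-checkconf detects no error in $good ($n)"
  ret=0
  $CHECKCONF "$good" > checkconf.out$n 2>&1
  if [ $? -ne 0 ]; then echo_i "failed"; ret=1; fi
  status=$((status + ret))
done

n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
grep -q "no longer exists" ancient.out || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep -q "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf catches range errors ($n)"
ret=0
$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
ret=0
$CHECKCONF notify.conf > checkconf.out$n 2>&1
warnings=$(grep -c "'notify' is disabled" checkconf.out$n)
[ "$warnings" -eq 3 ] || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0
# dnssec.1: dnssec-enable is obsolete
$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep -q "'dnssec-enable' is obsolete and should be removed" checkconf.out$n.1 || ret=1
# dnssec.2: auto-dnssec warning
$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep -q 'auto-dnssec may only be ' checkconf.out$n.2 || ret=1
# dnssec.3: should have no warnings (other than deprecation warning)
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
grep -q "option 'auto-dnssec' is deprecated" checkconf.out$n.3 || ret=1
lines=$(wc -l < "checkconf.out$n.3")
if [ $lines -ne 1 ]; then ret=1; fi
# dnssec.4: should have specific deprecation warning
$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1
grep -q "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" checkconf.out$n.4 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep -q "option 'managed-keys' is deprecated" checkconf.out$n.1 || ret=1
grep -q "option 'trusted-keys' is deprecated" checkconf.out$n.1 || ret=1
grep -q "option 'dscp' is deprecated" checkconf.out$n.1 || ret=1
grep -q "token 'dscp' is deprecated" checkconf.out$n.1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# set -i to ignore deprecate warnings; reset ret so a failure above is not
# counted twice.
ret=0
$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
[ -s checkconf.out$n.2 ] && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
ret=0
$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
grep -q "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" checkconf.out$n.1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
ret=0
$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
grep -q "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" checkconf.out$n.1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "range checking fields that do not allow zero ($n)"
ret=0
# Each timer is tried at options, view, options+view and zone scope; a
# zero value must be rejected (exit status 1) at every scope.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
  cat > badzero.conf << EOF
options {
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1
  [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
  cat > badzero.conf << EOF
view dummy {
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1
  [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
  cat > badzero.conf << EOF
options {
    $field 0;
};
view dummy {
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1
  [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
  cat > badzero.conf << EOF
zone dummy {
    type secondary;
    primaries { 0.0.0.0; };
    $field 0;
};
EOF
  $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1
  [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
done
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1
l=$(grep -c "dnssec-dnskey-kskonly.*requires inline" checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1
l=$(grep -c "dnssec-loadkeys-interval.*requires inline" checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1
l=$(grep -c "update-check-ksk.*requires inline" checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check file + inline-signing for secondary zones ($n)"
# "ret" was not reset here originally, so this check inherited the
# previous check's result.
ret=0
$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.1)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.2)
[ "$l" -eq 0 ] || ret=1
$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
l=$(grep -c "missing 'file' entry" checkconf.out$n.3)
[ "$l" -eq 1 ] || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf DLZ warnings ($n)"
ret=0
$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
grep -q "'dlz' and 'database'" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking for missing key directory warning ($n)"
ret=0
rm -rf test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
l=$(grep -c "'test.keydir' does not exist" checkconf.out$n.1)
[ "$l" -eq 1 ] || ret=1
touch test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
l=$(grep -c "'test.keydir' is not a directory" checkconf.out$n.2)
[ "$l" -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
l=$(grep -c "key-directory" checkconf.out$n.3)
[ "$l" -eq 0 ] || ret=1
rm -rf test.keydir
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
# This accumulation was missing originally, so a failure here never
# affected the exit status.
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl.conf > check.out 2>&1
# NOTE(review): the original repeated this identical grep three times,
# which can only ever establish one match; if three distinct zones were
# meant to be covered, a per-zone pattern or a count check is needed.
grep -q 'TTL 900 exceeds configured max-zone-ttl 600' check.out 2>/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
ret=0
$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
ret=0
$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
ret=0
$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
ret=0
$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
ret=0
$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
ret=0
$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
ret=0
$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# The check-* zone checks below each assert three things: checkconf fails,
# the expected diagnostic is printed, and the offending zone did NOT load.
n=$((n + 1))
echo_i "check that check-names fails as configured ($n)"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "near '_underscore': bad name (check-names)" checkconf.out$n || ret=1
grep -q "zone check-names/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "near '10.0.0.1': MX is an address" checkconf.out$n || ret=1
grep -q "zone check-mx/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-dup-records fails as configured ($n)"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "has semantically identical records" checkconf.out$n || ret=1
grep -q "zone check-dup-records/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "failed: MX is an address" checkconf.out$n || ret=1
grep -q "zone check-mx/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-mx-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "MX.* is a CNAME (illegal)" checkconf.out$n || ret=1
grep -q "zone check-mx-cname/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that check-srv-cname fails as configured ($n)"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep -q "SRV.* is a CNAME (illegal)" checkconf.out$n || ret=1
# NOTE(review): the zone name below looks copy-pasted from the
# check-mx-cname check; if the zone in check-srv-cname-fail.conf is named
# differently this "did not load" assertion can never match -- confirm
# against the fixture.
grep -q "zone check-mx-cname/IN: loaded serial" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -p properly print a port range ($n)"
ret=0
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "range 8610 8614;" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z handles in-view ($n)"
ret=0
$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "zone shared.example/IN: loaded serial" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
ret=0
$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
grep -q "max-cache-size 60%;" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that named-checkconf -l prints out the zone list ($n)"
ret=0
# Warnings are filtered out so only the zone list itself is compared.
$CHECKCONF -l good.conf |
grep -v "is deprecated" |
grep -v "is not implemented" |
grep -v "is not recommended" |
grep -v "no longer exists" |
grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
ret=0
$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "option 'dnssec-lookaside' is obsolete and should be removed" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

# Root trust-anchor checks: a configuration carrying only the 2010 root KSK
# must warn, one that also carries the 2017 KSK (or only the 2017 KSK) must
# be silent.
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep -q "key without the updated" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "static entry for the root zone WILL FAIL" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "static entry for the root zone WILL FAIL" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep -q "use of managed-keys is not allowed" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep -q "'geoip-use-ecs' is obsolete" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
# Legacy DNSSEC options must be rejected alongside dnssec-policy.
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep -q "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" checkconf.out$n || ret=1
grep -q "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "dnssec-update-mode: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "sig-validity-interval: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
grep -q "update-check-ksk: cannot be configured if dnssec-policy is also set" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
grep -q "dnssec-policy: nsec3 iterations value 151 out of range" checkconf.out$n || ret=1
lines=$(wc -l < "checkconf.out$n")
if [ $lines -ne 3 ]; then ret=1; fi
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
grep -q "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
grep -q "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep -q "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
# Capture to a file first (as the good.conf check does) so a checkconf
# failure is reported directly rather than only via the cmp mismatch.
$CHECKCONF -p good-kasp.conf.in > checkconf.out$n || ret=1
grep -v '^good-kasp.conf.in:' < checkconf.out$n > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "exceeds 100%" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that *-source options with specified port generate warnings ($n)"
ret=0
$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "not recommended" checkconf.out$n || ret=1
$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "not recommended" checkconf.out$n || ret=1
$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "not recommended" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
ret=0
$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that masterfile-format map generates deprecation warning ($n)"
ret=0
$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "is deprecated" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)"
ret=0
$CHECKCONF good-masterfile-format-text.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "is deprecated" checkconf.out$n && ret=1
$CHECKCONF good-masterfile-format-raw.conf > checkconf.out$n 2>/dev/null || ret=1
grep -q "is deprecated" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
grep -qF "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n && ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
grep -qF "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n || ret=1
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

rmdir keys

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1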