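# Copyright (C) 2005, 2007, 2010-2018 Internet Systems Consortium, Inc. ("ISC")
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# named-checkconf system tests (excerpt).
#
# Each case announces itself with "I: ... ($n)", runs $CHECKCONF against a
# canned config and sets ret=1 on an unexpected result.  The bookkeeping
# around these lines ($n increments, ret=0 resets, the $status total) and a
# number of the $CHECKCONF invocations are not part of this listing; lines
# that test "$?" refer to a command that is not shown.
#
# NOTE(review): no `set -o pipefail` is visible here, so in pipelines of the
# form `$CHECKCONF ... | grep ... || ret=1` only grep's exit status is
# tested; a crash of $CHECKCONF is only noticed if a later grep on its
# output fails.
echo "I: checking that named-checkconf handles a known good config ($n)"
echo "I: checking that named-checkconf prints a known good config ($n)"
# good.conf.in is everything after the "cut here" marker of good.conf; the
# getline skips the marker line itself.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
# -p prints the parsed config; the "good.conf.in:" diagnostics are dropped.
$CHECKCONF -p good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
echo "I: checking that named-checkconf -x removes secrets ($n)"
# ensure there is a secret and that it is not the check string.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
# With -x the printed config must show key secrets as the fixed mask, so the
# output can be shared without leaking key material.
$CHECKCONF -p -x good.conf.in | grep -v '^good.conf.in:' > good.conf.out 2>&1 || ret=1
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
# The previous grep only proves that at least one masked secret is printed;
# also fail if any secret line survives unmasked.
grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' > /dev/null 2>&1 && ret=1
 # Inside a loop over bad configs (loop header not shown): the error must be
 # reported with the "file:line: " prefix.
 echo "I: checking that named-checkconf detects error in $bad ($n)"
 grep "^$bad:[0-9]*: " checkconf.out > /dev/null || ret=1
 pat="identity and name fields are not the same"
 # Inside a loop over good configs (loop header not shown).
 echo "I: checking that named-checkconf detects no error in $good ($n)"
 # "$?" is the status of a command that precedes this line in the full file.
 if [ $? != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: checking that named-checkconf -z catches missing hint file ($n)"
# A missing hint file must be a hard failure (non-zero exit), not a warning.
$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
echo "I: checking that named-checkconf catches range errors ($n)"
echo "I: checking that named-checkconf warns of notify inconsistencies ($n)"
# Count of "'notify' is disabled" warnings; compared against the expected
# number further down in the full file.
warnings=$($CHECKCONF notify.conf 2>&1 | grep "'notify' is disabled" | wc -l)
echo "I: checking named-checkconf dnssec warnings ($n)"
# dnssec.1: validation on while dnssec-enable is off.
$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# dnssec.2: auto-dnssec misuse plus both validation/enable mismatches.
$CHECKCONF dnssec.2 2>&1 | grep 'auto-dnssec may only be ' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation auto.*enable no' > /dev/null || ret=1
$CHECKCONF dnssec.2 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# this one should have no warnings
echo "I: range checking fields that do not allow zero ($n)"
# For each field a zero value is fed to $CHECKCONF at options, view,
# options + view and zone scope (the generated configs and the `done` are
# not shown); each run is expected to exit with status 1.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
 [ $? -eq 1 ] || { echo "I: options $field failed" ; ret=1; }
 [ $? -eq 1 ] || { echo "I: view $field failed" ; ret=1; }
 [ $? -eq 1 ] || { echo "I: options + view $field failed" ; ret=1; }
 # NOTE(review): the next line is presumably the body of a here-document
 # building the zone config; its cat/heredoc delimiters are not in this
 # listing.
 masters { 0.0.0.0; };
 [ $? -eq 1 ] || { echo "I: zone $field failed" ; ret=1; }
echo "I: checking options allowed in inline-signing slaves ($n)"
# Each count is compared with the expected number of "requires inline"
# diagnostics in lines not shown here.
l=$($CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-dnskey-kskonly.*requires inline" | wc -l)
l=$($CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-loadkeys-interval.*requires inline" | wc -l)
l=$($CHECKCONF bad-dnssec.conf 2>&1 | grep "update-check-ksk.*requires inline" | wc -l)
echo "I: check file + inline-signing for slave zones ($n)"
l=$($CHECKCONF inline-no.conf 2>&1 | grep "missing 'file' entry" | wc -l)
l=$($CHECKCONF inline-good.conf 2>&1 | grep "missing 'file' entry" | wc -l)
l=$($CHECKCONF inline-bad.conf 2>&1 | grep "missing 'file' entry" | wc -l)
echo "I: checking named-checkconf DLZ warnings ($n)"
$CHECKCONF dlz-bad.conf 2>&1 | grep "'dlz' and 'database'" > /dev/null || ret=1
echo "I: checking for missing key directory warning ($n)"
l=$($CHECKCONF warn-keydir.conf 2>&1 | grep "'test.keydir' does not exist" | wc -l)
l=$($CHECKCONF warn-keydir.conf 2>&1 | grep "'test.keydir' is not a directory" | wc -l)
l=$($CHECKCONF warn-keydir.conf 2>&1 | grep "key-directory" | wc -l)
echo "I: checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
# Three identical checks: each presumably follows a separate
# `$CHECKCONF -z` run (not shown) writing check.out for a different
# max-ttl config.
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
echo "I: checking that named-checkconf -z catches invalid max-ttl ($n)"
$CHECKCONF -z max-ttl-bad.conf > /dev/null 2>&1 && ret=1
echo "I: checking that named-checkconf -z skips zone check with alternate databases ($n)"
echo "I: checking that named-checkconf -z skips zone check with DLZ ($n)"
$CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1
# A view may only be class IN (spelled "IN" or "CLASS1"); ANY / CLASS255
# must be rejected.
echo "I: checking that named-checkconf -z fails on view with ANY class ($n)"
$CHECKCONF -z view-class-any1.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: checking that named-checkconf -z fails on view with CLASS255 class ($n)"
$CHECKCONF -z view-class-any2.conf > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: checking that named-checkconf -z passes on view with IN class ($n)"
$CHECKCONF -z view-class-in1.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: checking that named-checkconf -z passes on view with CLASS1 class ($n)"
$CHECKCONF -z view-class-in2.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# The check-* cases below share one shape: the configured check must turn
# the problem into a load failure (non-zero exit, diagnostic present) and
# the zone must NOT report "loaded serial".
echo "I: check that check-names fails as configured ($n)"
$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" checkconf.out$n > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
echo "I: check that check-mx fails as configured ($n)"
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
echo "I: check that check-dup-records fails as configured ($n)"
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "has semantically identical records" checkconf.out$n > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
# Second check-mx pass against the same config; this one looks for the
# summary "failed:" diagnostic rather than the per-record one above.
echo "I: check that check-mx fails as configured ($n)"
$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "failed: MX is an address" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
echo "I: check that check-mx-cname fails as configured ($n)"
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" checkconf.out$n > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
echo "I: check that check-srv-cname fails as configured ($n)"
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" checkconf.out$n > /dev/null || ret=1
# NOTE(review): the zone name below looks copied from the check-mx-cname
# case.  If the zone in check-srv-cname-fail.conf is not named
# check-mx-cname this negative assertion can never fire — confirm against
# the config and use the real zone name.
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
echo "I: check that named-checkconf -p properly print a port range ($n)"
$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
grep "range 8610 8614;" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: check that named-checkconf -z handles in-view ($n)"
# Output file suffix is hard-coded (7, 8 below) instead of $n as elsewhere.
$CHECKCONF -z in-view-good.conf > checkconf.out7 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" < checkconf.out7 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
$CHECKCONF -p max-cache-size-good.conf > checkconf.out8 2>&1 || ret=1
grep "max-cache-size 60%;" checkconf.out8 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# The warning cases below discard stderr and grep stdout: these are
# warnings, so $CHECKCONF must still exit 0 and print the diagnostic on
# its standard output.
echo "I: check that 'dnssec-lookaside auto;' generates a warning ($n)"
$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dnssec-lookaside 'auto' is no longer supported" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
grep "dlv.isc.org has been shut down" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# A DLV anchor for a domain other than dlv.isc.org is still accepted quietly.
echo "I: check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generate a warning ($n)"
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# Stale trust anchors: a config carrying only the 2010 root KSK (no 2017
# successor) must warn so operators notice before validation breaks.
echo "I: check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
echo "I: check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# A trusted-key for the retired dlv.isc.org service must be flagged.
echo "I: check that the dlv.isc.org KSK generates a warning ($n)"
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "trusted-key for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
# $status is accumulated from $ret by lines not shown in this listing.
echo "I:exit status: $status"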